Good morning everyone. This morning when I came in my boss said that he doesn't have access to the R: drive, which is a Samba share to a folder called RP. I looked in /etc/group and his username was not in there. He's had access to this group for years, since before I was at the company. Yesterday I added a new employee to two other groups, saved the change and exited, and I took an old username out of a few groups, but I did not touch my boss's username at all. Is there any kind of trace log that shows changes to a group or to /etc/group that tracks / logs all individual changes that I can trace back to what might have happened that's turned on in the system, to show changes to /etc/group, or does that only get captured through an outside backup?
Chris
Hi Chris,
You didn't tell us how you've managed the users/groups. Usually this is tracked in /var/log/secure like so:
Mar 2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/group: name=apache, GID=48
Mar 2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/gshadow: name=apache
Mar 2 09:57:42 dhcp-157 groupadd[23761]: new group: name=apache, GID=48
Mar 2 09:57:42 dhcp-157 useradd[23769]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
Regards, Simon
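An added example, not part of either post: a small Python filter that pulls account-management entries of the kind Simon quotes out of /var/log/secure-style lines and narrows them to one user or group name. The sample lines are the ones from the reply; the tool list, the regular expressions and the function names are assumptions of this example.

```python
import re

# Sample lines copied from the reply above; in practice, read them from
# /var/log/secure (and its rotated copies) instead.
SAMPLE = """\
Mar 2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/group: name=apache, GID=48
Mar 2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/gshadow: name=apache
Mar 2 09:57:42 dhcp-157 groupadd[23761]: new group: name=apache, GID=48
Mar 2 09:57:42 dhcp-157 useradd[23769]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
"""

# Assumption: the account-management commands whose entries we keep.
TOOLS = {"groupadd", "groupdel", "groupmod", "gpasswd",
         "useradd", "userdel", "usermod"}

# Classic syslog layout: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<tool>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,\s]+)")  # name=apache, GID=48, ...


def parse_line(line):
    """Return a dict for an account-management entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("tool") not in TOOLS:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    event["fields"] = dict(KV_RE.findall(event["msg"]))
    return event


def account_events(lines, name=None):
    """Return parsed events, optionally only those mentioning `name` as a whole token."""
    token = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])") if name else None
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and (token is None or token.search(ev["msg"])):
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in account_events(SAMPLE.splitlines(), name="apache"):
        print(ev["ts"], ev["host"], ev["tool"], ev["fields"])
```

This filter only sees changes made through those commands; an edit of /etc/group in a text editor leaves no such line in the log.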