SUMMARY: slam vs init 5

From: Kain, Becki (B.) (
Date: Mon May 08 2000 - 16:27:07 CDT

My question:
I have this sort of forensics issue to deal with. I need to prove that a
set of 2.6 boxes were slammed instead of being properly shut down. I have
tried looking at the last output, but I'm looking for any other ideas on how
I'd show this, beyond a doubt.

Thanks to all who helped!
James Coby
Wallie Leung
Lee, Annette - (and yes, a healthy dose of sys admin
outrage is good once in a while :-) )
Brown, Melissa
Mike Evans
Rick Francis
Jay Lessert
Drexx Laggui
Viet_Q_Hoang
Salehi, Michael E

This question is really a stumper. There is no sig 15 sent to
/var/adm/messages, at least not all the time. I was not around to see if an
fsck was needed or not at the boot up. This was an after-the-fact
investigation. I will turn savecore on and buy "PANIC! UNIX System Crash
Dump Analysis Handbook". Any files that would have been in the lost+found
would have been relinked on the reboot. Using ksh for a /.sh_history or
enabling the BSM module was suggested. Looking in the sulog was also
suggested. When I viewed last on my test machine, I couldn't seem to get it
to reboot without showing that root had been logged in, even on a slam. I'm
not certain what's up with that. In the end, there was no way to prove what
had really happened to the boxes.
