On one of our servers, yum history reports:
[tschmidt@sl-was01p ~]$ sudo yum history
Loaded plugins: product-id, search-disabled-repos, security, subscription-
: manager
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
30 | <dlewandowski> | 2016-10-07 11:18 | E, I, U | 38 EE
29 | <dlewandowski> | 2016-09-16 16:13 | Erase | 3
[...]
But the reported login user swears he wasn't near the machine (physically or logically) anywhere near that time, and last seems to support this:
[tschmidt@sl-was01p ~]$ last|grep dle
dlewando pts/0 al-dlewandowski. Tue Oct 11 09:01 - 09:23 (00:22)
dlewando pts/0 al-dlewandowski. Tue Oct 11 08:37 - 08:40 (00:02)
dlewando pts/1 al-dlewandowski. Tue Oct 4 11:04 - 11:09 (00:04)
dlewando pts/0 al-dlewandowski. Tue Oct 4 10:50 - 11:11 (00:21)
Syslog doesn't report any sudo activity from or to that user around the yum activity in question, either.
I'd like to find out why yum history reports that apparently incorrect user. Where does it pull that information from? The username does not appear anywhere in /var/log/yum.log.
Yum commands record the user that logged into the machine (login name). You can see your current session’s login name with
logname.su(with or withoutsudo) will start a new shell, but will not change the login name.If you run
yum history stats {TRANSACTION ID}, it will tell you the location of the SQLite database file where the yum transaction data is stored. You can open this file with sqlite3 to find out all sorts of information. A table calledtrans_beghas a field calledloginuid.