In AIX there are a number of ways to check up on who has touched your server. If something has been done and you aren’t sure who has been poking around, this will help you figure out.
**NOTE: this is made much simpler by disabling root SSH capabilities. If you have not done this, please not that it is recommended to disallow SSH directly for root user as this will mask who has been logging into the system (as well as cause other security holes)
$ who -> This will tell you who is currently logged into the system, from where and when they logged on
$ last -> This will give you a list of previous logins, the source and time, both in and out
$ who /etc/security/failedlogin -> List all of the failed logins with the same details as above
$ history -1000 -> If you use shared user ids, or you believe someone using root did something, simply check the history using “history -”number_of_lines”
I will include a script to view the history of users. Check back soon.
I hope this problem determination guide helps you keep track of users logged in and tracing back who did what