Important Files and Directories


This section details the most common files used to administer the system. Also refer to "" on page .

~/.bash_profile

Contains an individual user's login shell initialization script. The shell executes the commands in this file in the same environment as the shell each time a user logs in. The file must be located in a user's home directory.

The default Red Hat .bash_profile file executes the commands in ~/.bashrc. You can use .bash_profile to specify a terminal type (for vi, terminal emulators, and other programs), run stty to establish the terminal characteristics, set up aliases, and perform other housekeeping functions when a user logs in.

A simple .bash_profile file specifying a vt100 terminal and CONTROL-H as the erase key follows:

$ cat .bash_profile
export TERM=vt100
stty erase '^h'

~/.bashrc

Contains an individual user's interactive, nonlogin shell initialization script. The shell executes the commands in this file in the same environment as the (new) shell each time a user creates a new interactive shell. The .bashrc script differs from .bash_profile in that it is executed each time a new shell is spawned, not just when a user logs in. The default Red Hat .bash_profile file executes the commands in ~/.bashrc so that these commands are executed when a user logs in. For more information refer to "" on page .

/dev/null

Also called a bit bucket, output sent to this file disappears. The /dev/null file is a character device file; udev creates it at boot on current systems, and on a system without udev you create it with mknod. Reading from /dev/null returns end-of-file immediately, so input redirected to come from this file is empty. You can create an empty file named nothing by giving the following command:

$ cat /dev/null > nothing

or

$ cp /dev/null nothing

or, without explicitly using /dev/null,

$ > nothing

This last command redirects the output of a null command to the file with the same result as the previous commands. You can use any of these commands to truncate an existing file to zero length without changing its permissions. You can also use /dev/null to get rid of output that you do not want:

$ grep portable * 2>/dev/null

This command looks for the string portable in all files in the working directory. Any output to standard error (page ), such as permission or directory errors, is discarded, while output to standard output appears on the screen.

/dev/pts

The /dev/pts pseudofilesystem is a hook into the Linux kernel; it is part of the pseudoterminal support. Pseudoterminals are used by remote login programs, such as ssh and telnet, and xterm as well as by other graphical terminal emulators. The following sequence of commands demonstrates that the user is logged in on /dev/pts/1. After using who am i to verify the line the user is logged in on and using ls to show that this line exists, the user redirects the output of an echo command to /dev/pts/1, whereupon the output appears on the user's screen:

$ who am i
alex     pts/1    2006-02-16 12:30 (bravo.example.com)
$ ls /dev/pts
0  1  2  3  4
$ echo Hi there > /dev/pts/1
Hi there

/dev/random and /dev/urandom

These files are interfaces to the kernel's random number generator. You can use either one with dd to create a file filled with random bytes:

$ dd if=/dev/urandom of=randfile bs=1 count=100
100+0 records in
100+0 records out
100 bytes (100 B) copied, 0.001241 seconds, 80.6 kB/s

The preceding command reads from /dev/urandom and writes to the file named randfile. The block size is 1 and the count is 100, so randfile is 100 bytes long. The two devices differ in blocking behavior, not in quality: /dev/random may block until the kernel's entropy pool has been seeded (and, on older kernels, whenever it estimates the pool is depleted), whereas /dev/urandom never blocks. Once the pool is seeded, both draw from the same cryptographically secure generator, so /dev/urandom is the right choice for keys, nonces, and other security-relevant values. See the urandom and random man pages for more information.

Optional

Wiping a file

You can use a similar technique to overwrite the data in a file before deleting it, so that the old contents cannot be recovered from the freed blocks. Bear in mind that this works only when the filesystem writes the new data over the same blocks: journaling and copy-on-write filesystems, snapshots, and the wear levelling in SSDs and other flash media can leave the original contents elsewhere, as can any backup or copy ever made of the file. The shred utility automates the overwrite and documents the same limitations.

In the following example, ls shows the size of the file named secret. With a block size of 1 and a count equal to the number of bytes in secret, dd overwrites the file with random bytes. The conv=notrunc argument tells dd not to truncate the file first, so that it writes over the existing data blocks rather than having the filesystem allocate new ones.

$ ls -l secret
-rw-rw-r-- 1 sam sam 3496 Jan 25 21:48 secret
$ dd if=/dev/urandom of=secret bs=1 count=3496 conv=notrunc
3496+0 records in
3496+0 records out
3496 bytes (3.5 kB) copied, 0.029557 seconds, 118 kB/s
$ rm secret

For added assurance, run sync to flush the disk buffers after running dd, and repeat the dd and sync commands several times before deleting the file (shred -u performs the same sequence, including the final removal).


/dev/zero

Input you take from this file contains an infinite string of zeros (numerical zeros, not ASCII zeros). You can fill a file (such as a swap file, page ) or overwrite a file with zeros with a command such as the following:

$ dd if=/dev/zero of=zeros bs=1024 count=10
10+0 records in
10+0 records out
10240 bytes (10 kB) copied, 0.000195 seconds, 52.5 MB/s
$ od -c zeros
0000000  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0024000

The od utility shows the contents of the new file.

When you try to do with /dev/zero what you can do with /dev/null, you fill the partition you are working in:

$ cp /dev/zero bigzero
cp: writing 'bigzero': No space left on device
$ rm bigzero

/etc/aliases

Used by the mail delivery system (typically sendmail) to hold aliases for users. Edit this file to suit local needs. For more information refer to "" on page .

/etc/at.allow, /etc/at.deny, /etc/cron.allow, and /etc/cron.deny

By default, users can use the at and crontab utilities. The at.allow file lists the users who are allowed to use at; if it exists, only the users it names (and Superuser) can use at. The cron.allow file works in the same manner for crontab. When no allow file exists, the at.deny and cron.deny files specify users who are not permitted to use the corresponding utility; an empty deny file excludes nobody. As CentOS Linux is configured, an empty at.deny file and the absence of an at.allow file allow anyone to use at, while the absence of both cron.allow and cron.deny allows anyone to use crontab. The two utilities differ when neither file exists: at then allows Superuser only, so to prevent anyone except Superuser from using at, remove both the at.allow and at.deny files. To prevent anyone except Superuser from using crontab, create a cron.allow file with the single entry root. For more information on crontab, refer to "" on page .
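
The decision rules above, written out as an added shell example (not from the book). It runs against constructed allow/deny files in a scratch directory rather than the live files in /etc; the file paths and the neither-file default are parameters because at and crontab differ in that case.

```sh
#!/bin/sh
# Added example: the at.allow/at.deny and cron.allow/cron.deny decision
# rules described above, applied to constructed files (not the live /etc ones).
#
# access_allowed USER ALLOW_FILE DENY_FILE NEITHER_DEFAULT
#   NEITHER_DEFAULT is what applies when neither file exists:
#   "allow" (crontab, as CentOS is configured) or "deny" (at: root only).
# Prints "allowed" or "denied"; returns 0 when allowed, 1 otherwise.
access_allowed() {
    _user=$1 _allow=$2 _deny=$3 _neither=$4
    # root is never restricted by these files
    if [ "$_user" = root ]; then echo allowed; return 0; fi
    # an allow file, when present, is authoritative: listed users only
    if [ -f "$_allow" ]; then
        if grep -qxF "$_user" "$_allow"; then echo allowed; return 0; fi
        echo denied; return 1
    fi
    # otherwise a deny file excludes the listed users (an empty one excludes nobody)
    if [ -f "$_deny" ]; then
        if grep -qxF "$_user" "$_deny"; then echo denied; return 1; fi
        echo allowed; return 0
    fi
    # neither file exists: utility-specific default
    if [ "$_neither" = allow ]; then echo allowed; return 0; fi
    echo denied; return 1
}

# Demonstration on constructed files in a scratch directory
d=$(mktemp -d)
: > "$d/at.deny"                     # CentOS default: empty at.deny, no at.allow
echo "at, default files, alex: $(access_allowed alex "$d/at.allow" "$d/at.deny" deny)"
rm "$d/at.deny"                      # remove both files: root only
echo "at, no files,      alex: $(access_allowed alex "$d/at.allow" "$d/at.deny" deny)"
echo "at, no files,      root: $(access_allowed root "$d/at.allow" "$d/at.deny" deny)"
echo "cron, no files,    alex: $(access_allowed alex "$d/cron.allow" "$d/cron.deny" allow)"
echo root > "$d/cron.allow"          # lock crontab down to root
echo "cron, allow=root,  alex: $(access_allowed alex "$d/cron.allow" "$d/cron.deny" allow)"
rm -rf "$d"
```

The function returns a status as well as printing a word, so it can be used directly in an if statement from an audit script.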

/etc/dumpdates

Contains information about the last execution of dump. For each filesystem, it stores the time of the last dump at a given dump level. The dump utility uses this information to determine which files to back up when executing at a particular dump level. Refer to "" on page and the dump man page for more information. Following is a sample /etc/dumpdates file from a system with four filesystems and a backup schedule that uses three dump levels:

/dev/hda1                5 Thu Apr 20 03:53:55 2006
/dev/hda8                2 Sun Apr 16 08:25:24 2006
/dev/hda9                2 Sun Apr 16 08:57:32 2006
/dev/hda10               2 Sun Apr 16 08:58:06 2006
/dev/hda1                2 Sun Apr 16 09:02:27 2006
/dev/hda1                0 Sun Mar 19 22:08:35 2006
/dev/hda8                0 Sun Mar 19 22:33:40 2006
/dev/hda9                0 Sun Mar 19 22:35:22 2006
/dev/hda10               0 Sun Mar 19 22:43:45 2006

The first column contains the device name of the dumped filesystem, the second column the dump level, and the rest of the line the date and time of that dump.

/etc/fstab

The filesystem (mount) table. Contains a list of all mountable devices as specified by the system administrator. Programs do not write to this file but only read from it. Refer to "" on page .

/etc/group

Groups allow users to share files or programs without giving all system users access to those files or programs. This scheme is useful when several users are working with files that are not public. The /etc/group file associates one or more user names with each group (number). Refer to "" on page for another way to control file access.

An entry in the /etc/group file has four fields arranged in the following format:


group-name:password:group-ID:login-name-list

The group-name is the name of the group. The password is an optional encrypted password. This field usually contains an x, indicating that any group password is kept in /etc/gshadow; group passwords are rarely used. The group-ID is a number, with 1 through 499 reserved for system accounts. The login-name-list is a comma-separated list of users who belong to the group. If an entry is too long to fit on one line, end the line with a backslash (\), which quotes the following RETURN, and continue the entry on the next line. A sample entry from a group file follows. The group is named pubs, has no password, and has a group ID of 503:

pubs:x:503:alex,jenny,scott,hls,barbara

You can use the groups utility to display the groups that a user belongs to:

$ groups alex
alex : alex pubs

Each user has a primary group, which is the group named in that user's /etc/passwd entry. By default, CentOS Linux has user private groups: Each user's primary group has the same name as the user. In addition, a user can belong to other groups, depending on which login-name-lists the user appears on in the /etc/group file. In effect, you simultaneously belong both to your primary group and to any groups you are assigned to in /etc/group. When you attempt to access a file you do not own, the operating system checks whether you are a member of the group that owns the file. If you are, you are subject to the group access permissions for the file. If you are not a member of the file's group and you do not own the file, you are subject to the public access permissions for the file.

When you create a new file, it is normally assigned to your primary group. The exception is a directory whose setgid bit is set (chmod g+s directory): a file created in such a directory inherits the directory's group, which is how shared project directories are usually set up so that every member of the group can work on the files.

Refer to page for information on using system-config-users to work with groups.
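
The groups utility answers "which groups is this user in"; the reverse question, "who is in this group", is easy to get wrong because users whose primary group is the group in question do not appear on its login-name-list. The following added example (not from the book) answers it by combining both files. It runs on constructed sample files written to a scratch directory; on a real system pass /etc/passwd and /etc/group instead.

```sh
#!/bin/sh
# Added example: list every member of a group, including users whose
# primary group (passwd GID field) is that group but who do not appear
# in the group's login-name-list. Paths are parameters so it runs on
# constructed files; use /etc/passwd and /etc/group on a live system.

# write_samples DIR: constructed sample files, modelled on the entries above
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alex:x:500:500:Alex:/home/alex:/bin/bash
jenny:x:501:501:Jenny:/home/jenny:/bin/bash
scott:x:502:502:Scott:/home/scott:/bin/bash
max:x:504:503:Max (primary group pubs):/home/max:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
alex:x:500:
jenny:x:501:
scott:x:502:
pubs:x:503:alex,jenny,scott,hls,barbara
max:x:504:
EOF
}

# group_members GROUP PASSWD_FILE GROUP_FILE
#   prints the sorted, de-duplicated member list on one line
group_members() {
    _gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$3")
    if [ -z "$_gid" ]; then
        echo "group_members: no such group: $1" >&2
        return 1
    fi
    {
        # supplementary members: comma-separated fourth field of the group entry
        awk -F: -v g="$1" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$3"
        # primary members: passwd entries whose GID field is this group
        awk -F: -v id="$_gid" '$4 == id { print $1 }' "$2"
    } | sort -u | xargs
}

d=$(mktemp -d)
write_samples "$d"
echo "pubs: $(group_members pubs "$d/passwd" "$d/group")"
echo "alex: $(group_members alex "$d/passwd" "$d/group")"
rm -rf "$d"
```

In the sample data, max is a member of pubs only through the passwd GID field, so `groups` run against /etc/group alone would miss him; the combined listing shows him.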

/etc/hosts

The /etc/hosts file stores the name, IP address, and optional aliases of the other systems that the local system knows about. At the very least, this file must have the hostname and IP address that you have chosen for the local system and a special entry for localhost. This entry supports the loopback service, which allows the local system to talk to itself (for example, for RPC services). The IP address of the loopback service is always 127.0.0.1. Following is a simple /etc/hosts file for the system named rose with an IP address of 192.168.0.10:

$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       rose localhost.localdomain localhost
192.168.0.1     bravo.example.com       bravo
192.168.0.4     mp3server
192.168.0.5     workstation
192.168.0.10    rose
...

If you are not using NIS or DNS to look up hostnames (called hostname resolution), you must include in /etc/hosts all systems that you want the local system to be able to contact. The hosts entry in the /etc/nsswitch.conf file (page ) controls the order in which hostname resolution services are checked.

/etc/inittab

initialization table Controls how the init process behaves. Each line in inittab contains four colon-separated fields:


id:runlevel:action:process

The id uniquely identifies an entry in the inittab file. The runlevel is the system runlevel(s) at which process is executed. The runlevel consists of zero or more characters chosen from 0123456S. If more than one runlevel is listed, the associated process is executed at each of the specified runlevels. When you do not specify a runlevel, init executes process at all runlevels. When the system changes runlevels, the processes specified by all entries in inittab that do not include the new runlevel are sent the SIGTERM signal to allow them to terminate gracefully. After 5 seconds, these processes are killed with SIGKILL if they are still running. The process is any bash command line.

The action is one of the following keywords: respawn, wait, once, boot, bootwait, ondemand, powerfail, powerwait, powerokwait, powerfailnow, ctrlaltdel, kbrequest, off, initdefault, or sysinit. This keyword controls how the process is treated when it is executed. The most commonly used keywords are wait and respawn.

The wait keyword instructs init to start the process and wait for it to terminate. All subsequent scans of inittab ignore this wait entry. Because a wait entry is started only once (on entering the runlevel) and is not executed again while the system remains at that runlevel, it is often used to redirect init output to the console.

The respawn entry tells init to start the process if it does not exist but not to wait for it to terminate. If the process does exist, init moves on to the next entry in inittab. The init utility continues to rescan inittab, looking for processes that have died. When a process dies, a respawn entry causes init to restart it.

The initdefault entry tells init which runlevel to bring the system to when it boots (see on page ). Without this information, init prompts for a runlevel on the system console. The value of the initdefault entry is set when you configure the system or when you edit inittab directly. By default, CentOS Linux sets initdefault to 5, which causes the system to come up in graphical multiuser mode.

Caution: Use caution when you edit inittab

Be careful when you edit inittab manually. Always make a backup copy in the same directory before you edit this file. If you make a mistake, you may not be able to boot the system. If you cannot boot the system, refer to "" on page .

Each virtual console (page ) has in inittab a mingetty entry that includes a unique terminal identifier (such as tty1, which is short for /dev/tty1). You can add or remove mingetty lines to add or remove virtual consoles. Remember to leave a virtual console for each X window that you want to run. Following is the mingetty entry for /dev/tty2:

2:2345:respawn:/sbin/mingetty tty2

The id on a mingetty line corresponds to the tty number.

All of the actions are documented in the inittab man page. For more information refer to "" on page .

/etc/motd

Contains the message of the day, which can be displayed each time someone logs in using a textual login. This file typically contains site policy and legal information. Keep this file short because users tend to see the message many times.

/etc/mtab

When you call mount without any arguments, it consults this file and displays a list of mounted devices. Each time you (or an init script) call mount or umount, these utilities make the necessary changes to mtab. Although this is an ASCII text file, you should not edit it. See also /etc/fstab.

Tip: Fixing mtab

The operating system maintains its own internal mount table in /proc/mounts. You can use cat to display the contents of /proc/mounts so that you can review the internal mount table. Sometimes the list of files in /etc/mtab may not be synchronized with the partitions in this table. To bring the mtab file in line with the operating system's mount table, you can either reboot the system or replace /etc/mtab with a symbolic link to /proc/mounts (some information, such as who mounted a user-mountable filesystem, may be lost). Current distributions ship /etc/mtab as exactly such a link, pointing at /proc/self/mounts.

# rm /etc/mtab
# ln -s /proc/mounts /etc/mtab


/etc/netgroup

Defines netgroups, which are used for checking permissions when performing remote logins and remote mounts and when starting remote shells.

/etc/nsswitch.conf

Specifies whether a system uses as the source of certain information NIS, DNS, local files, or a combination, and in what order it consults these services (page ).

/etc/pam.d

Files in this directory specify the authentication methods used by PAM (page ) applications.

Caution: Be cautious when changing PAM files

Unless you understand how to configure PAM, avoid changing the files in /etc/pam.d. Mistakes in the configuration of PAM can make the system unusable.

/etc/passwd

Describes users to the system. Do not edit this file directly; instead, use one of the utilities discussed in "" on page . Each line in passwd has seven colon-separated fields that describe one user:


login-name:dummy-password:user-ID:group-ID:info:directory:program

The login-name is the user's username, the name you enter in response to the login: prompt or GUI login screen. The value of the dummy-password is the character x. An encrypted/hashed password is stored in /etc/shadow (page ). For security reasons, every account should have a password. By convention, disabled accounts have an asterisk (*) in this field.

The user-ID is a number, with 0 indicating Superuser and 1 through 499 being reserved for system accounts. The group-ID identifies the user as a member of a group. It is a number, with 0 through 499 being reserved for system accounts; see /etc/group. You can change these values and set maximum values in /etc/login.defs.

The info is information that various programs, such as accounting programs and email, use to identify the user further. Normally it contains at least the first and last names of the user. It is referred to as the GECOS (page ) field.

The directory is the absolute pathname of the user's home directory. The program is the program that runs once the user logs in. If program is not present, a value of /bin/bash is assumed. You can put /bin/tcsh here to log in using the TC Shell or /bin/zsh to log in using the Z Shell, assuming the shell you specify is installed and listed in /etc/shells. The chsh utility (page ) changes this value.

The program is usually a shell, but it can be any program. The following line in the passwd file creates a "user" whose only purpose is to execute the who utility:

who:x:1000:1000:execute who:/usr:/usr/bin/who

Using who as a username causes the system to log you in, execute the who utility, and log you out. The output of who flashes by in a hurry because the new login prompt clears the screen immediately after who finishes running. This entry in the passwd file does not provide a shell, so you cannot stay logged in after who finishes executing.

This technique is useful for providing special accounts that may do only one thing. For instance, sites may create an FTP (page ) account to enable anonymous FTP access to their systems. Because no one logs in on this account, the shell is set to /bin/false (which returns a false exit status) or to /sbin/nologin (which does not permit the user to log in). When you put a message in /etc/nologin.txt, nologin displays that message (except it has the same problem as the output of who: It is removed so quickly that you cannot see it).

Security: Do not replace a login shell with a shell script

Do not use shell scripts as replacements for shells in /etc/passwd. A user may be able to interrupt a shell script, gaining full shell access that you did not intend to grant. When installing a dummy shell, use a compiled program such as /sbin/nologin or /bin/false, not a shell script.
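
The checks a reviewer would run over these two files, as an added shell example (not from the book): a second UID 0 account, a shadow entry with an empty password field, passwd entries without exactly one shadow entry, and a login program that is a script rather than a compiled binary. It runs on constructed passwd and shadow files written to a scratch directory; the placeholder hashes and the menu.sh "shell" are part of that constructed data.

```sh
#!/bin/sh
# Added example: audit passwd/shadow for the points made above. Not from the
# book; runs on constructed files in a scratch directory. The menu account's
# login program is a constructed script so that check 4 has something to find.

# write_samples DIR: constructed sample data; the hashes are placeholders
write_samples() {
    printf '#!/bin/sh\necho "menu: nothing to see here"\n' > "$1/menu.sh"
    chmod 755 "$1/menu.sh"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alex:x:500:500:Alex:/home/alex:/bin/bash
guest:x:501:501:Guest:/home/guest:/bin/bash
menu:x:502:502:menu account:/home/menu:$1/menu.sh
ghost:x:503:503:no shadow entry:/home/ghost:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:15000:0:99999:7:::
toor:$6$constructed$notarealhash:15000:0:99999:7:::
alex:!!:15000:0:99999:7:::
guest::15000:0:99999:7:::
menu:*:15000:0:99999:7:::
ftp:*:15000:0:99999:7:::
EOF
}

# audit_accounts PASSWD_FILE SHADOW_FILE: prints one finding per line
audit_accounts() {
    # 1. any UID 0 account besides root is a second superuser
    awk -F: '$3 == 0 && $1 != "root" { print "uid0 " $1 }' "$1"
    # 2. an empty shadow password field means login with no password at all
    awk -F: '$2 == "" { print "emptypw " $1 }' "$2"
    # 3. every passwd entry should have exactly one shadow entry
    awk -F: 'NR == FNR { seen[$1]++; next }
             seen[$1] != 1 { print "shadow-mismatch " $1 }' "$2" "$1"
    # 4. a login program that is a script (#!) can be interrupted into a shell;
    #    an empty program field means /bin/bash
    awk -F: '{ print $1, ($7 == "" ? "/bin/bash" : $7) }' "$1" |
    while read -r _name _prog; do
        if [ -f "$_prog" ] && [ "$(head -c 2 "$_prog")" = '#!' ]; then
            echo "scriptshell $_name $_prog"
        fi
    done
}

d=$(mktemp -d)
write_samples "$d"
audit_accounts "$d/passwd" "$d/shadow"
rm -rf "$d"
```

Against the sample data this reports toor, guest, ghost and menu, one line each; against a real system run it as Superuser, since /etc/shadow is not readable by ordinary users.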

/etc/printcap

The printer capability database. This file describes system printers and is derived from 4.3BSD UNIX.

/etc/profile

Contains a systemwide interactive shell initialization script for environment and start-up programs. When you log in, the shell immediately executes the commands in this file in the same environment as the shell. (For more information on executing a shell script in this manner, refer to the discussion of the . [dot] command on page .) This file allows the system administrator to establish systemwide environment parameters that individual users can override. For example, you can set shell variables, execute utilities, set up aliases, and take care of other housekeeping tasks. See also ~/.bash_profile on page .

Following is an example of a /etc/profile file that displays the message of the day (the /etc/motd file), sets the file-creation mask (umask, page ), and sets the interrupt character to CONTROL-C:

# cat /etc/profile
cat /etc/motd
umask 022
stty intr '^c'

See the /etc/profile file on the local system for a more complex example.

/etc/protocols

Provides protocol numbers, aliases, and brief definitions for DARPA Internet TCP/IP protocols. Do not modify this file.

/etc/rc.d

Holds the system init scripts, also called run command (rc) scripts. The init program executes several init scripts each time the system changes state or runlevel. For more information refer to "" on page .

/etc/resolv.conf

The resolver (page ) configuration file, used to provide access to DNS.

The following example shows the resolv.conf file for the example.com domain. A resolv.conf file usually has at least two lines: a domain line and a nameserver line:

# cat /etc/resolv.conf
domain example.com
nameserver 10.0.0.50
nameserver 10.0.0.51

The first line (optional) specifies the domain name. A resolv.conf file may use search in place of domain: In the simple case, the two perform the same function. In either case, this domain name is appended to all hostnames that are not fully qualified. See on page .

The domain keyword takes a single domain name as an argument: This name is appended to all DNS queries, shortening the time needed to query local hosts. When you put domain example.com in resolv.conf, any reference to a host within the example.com domain or a subdomain (such as marketing.example.com) can use the abbreviated form of the host. For example, instead of issuing the command ping speedy.marketing.example.com, you can use ping speedy.marketing.

The search keyword is similar to domain but can contain up to six domain names. The domains are searched in order in the process of resolving a hostname. The following line in resolv.conf causes the marketing subdomain to be searched first, followed by sales, and finally the entire example.com domain:

search marketing.example.com sales.example.com example.com

It is a good idea to put the most frequently used domain names first to try to outguess possible conflicts. If both speedy.marketing.example.com and speedy.example.com exist, the order of the search determines which one is selected when you invoke DNS. Do not overuse this feature. The longer the search path, the more network DNS requests generated, and the slower the response. Three or four names are typically sufficient.

The nameserver line(s) indicate which systems the local system should query to resolve hostnames to IP addresses, and vice versa. These machines are consulted in the order they appear; when one does not answer within the resolver timeout (5 seconds by default in the glibc resolver, adjustable with options timeout:n), the query goes to the next. The preceding file causes this machine to query 10.0.0.50, followed by 10.0.0.51 when the first machine does not answer in time. The glibc resolver honors at most three nameserver lines. The resolv.conf file may be automatically updated when a PPP- (Point-to-Point Protocol) or DHCP- (Dynamic Host Configuration Protocol) controlled interface is activated. Refer to the resolv.conf and resolver man pages for more information.

/etc/rpc

Maps RPC services to RPC numbers. The three columns in this file show the name of the server for the RPC program, the RPC program number, and any aliases.

/etc/services

Lists well-known network services. The three columns in this file show the name of the service, the port number/protocol pair it conventionally uses, and any aliases for the service. Library routines such as getservbyname() use this file to translate service names to port numbers and back (for example, ssh to 22/tcp), and utilities such as netstat consult it to display names in place of numbers. The file does not indicate which services are actually running on the local system, and a service listed here can run on any port its own configuration specifies.

/etc/shadow

Contains encrypted or hashed (page ) user passwords. Each entry occupies one line composed of nine fields, separated by colons:


login-name:password:last-mod:min:max:warn:inactive:expire:flag

The login-name is the user's username, the name that the user enters in response to the login: prompt or GUI login screen. The password is an encrypted or hashed password that passwd puts into this file. When setting up new user accounts manually, run passwd as Superuser to assign a password to a new user.

The last-mod field indicates when the password was last modified. The min is the minimum number of days that must elapse before the password can be changed; the max is the maximum number of days before the password must be changed. The warn specifies how much advance warning (in days) to give the user before the password expires. The account will be closed if the number of days between login sessions exceeds the number of days specified in the inactive field. The account will also be closed as of the date in the expire field. The last field in an entry, flag, is reserved for future use. You can use the Password Info tab in system-config-users ("" on page ) to modify these fields.

The shadow password file should be owned by root and should not be publicly readable or writable. Setting ownership and permissions this way makes it more difficult for someone to break into the system by identifying accounts without passwords or by using specialized programs that try to match hashed passwords.

A number of conventions exist for special shadow entries. On Linux, passwd -l and usermod -L lock an account by prefixing its hash with an exclamation point (!), so the stored value no longer matches any password; a value of !! or * means the account has no usable password. (Other UNIX systems use *LK* and NP for locked and no password, respectively.) No password is different from an empty password: it implies an administrative account that no one ever logs in on directly, although programs will occasionally run with the privileges of this account for system maintenance functions. These accounts are set up under the principle of least privilege (page ).

Each passwd entry should have exactly one matching shadow entry; the pwck utility reports entries that do not match up. Keeping the two files in the same order is the convention and makes them easy to compare side by side, although lookups are done by login name, not by position.

/etc/sysconfig

A directory containing a hierarchy of system configuration files. For more information refer to the /usr/share/doc/initscripts*/sysconfig.txt file.

/proc

The /proc pseudofilesystem provides a window into the Linux kernel. Through /proc you can obtain information on any process running on your computer, including its current state, memory usage, CPU usage, terminal, parent, and group. You can extract information directly from the files in /proc. An example follows:

$ sleep 1000 &
[1] 4567
$ cd /proc/4567
$ ls -l
total 0
dr-xr-xr-x 2 sam sam 0 Jan 25 21:57 attr
-r-------- 1 sam sam 0 Jan 25 21:57 auxv
-r--r--r-- 1 sam sam 0 Jan 25 21:57 cmdline
lrwxrwxrwx 1 sam sam 0 Jan 25 21:57 cwd -> /home/sam
-r-------- 1 sam sam 0 Jan 25 21:57 environ
lrwxrwxrwx 1 sam sam 0 Jan 25 21:57 exe -> /bin/sleep
dr-x------ 2 sam sam 0 Jan 25 21:57 fd
...
-r--r--r-- 1 sam sam 0 Jan 25 21:57 status
dr-xr-xr-x 3 sam sam 0 Jan 25 21:57 task
-r--r--r-- 1 sam sam 0 Jan 25 21:57 wchan
$  cat status
Name:   sleep
State:  S (sleeping)
SleepAVG:        78%
Tgid:    4567
Pid:     4567
PPid:    4548
TracerPid:      0
Uid:    500     500     500      500
Gid:    500     500     500      500
FDSize: 256
Groups: 500
VmPeak:      3584 kB
VmSize:      3584 kB
...

In this example, bash creates a background process (PID 4567) for sleep. Next the user changes directories to the directory in /proc that has the same name as the PID of the subject background process (cd /proc/4567). This directory holds information about the process for which it is named. In this case, it holds information about the sleep process. The ls -l command shows that some entries in this directory are links (cwd is a link to the directory the process was started from, and exe is a link to the executable file that this process is running) and some appear to be ordinary files. All appear to be empty. When you cat one of these pseudofiles (status in the example), you get the output shown. Obviously this is not an ordinary file.
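
The same lookups wrapped in shell functions, as an added example that is not from the book and assumes a Linux /proc. It starts its own background sleep, reports the fields an investigator checks first, and shows where a removed-on-disk executable would reveal itself: the exe link of a process whose binary was deleted after it started ends in " (deleted)".

```sh
#!/bin/sh
# Added example (assumes a Linux /proc; not code from the book): pull the
# fields an investigator checks first out of /proc/PID for one process.

# proc_field PID FIELD: first value of the "FIELD:" line in /proc/PID/status
proc_field() {
    awk -v f="$2:" '$1 == f { print $2; exit }' "/proc/$1/status"
}

# proc_exe PID: target of the exe link. A target ending in " (deleted)" means
# the binary was removed after it started running, a classic sign of a
# dropped payload cleaning up after itself.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo '?'
}

# proc_summary PID: one line of the most useful facts about the process
proc_summary() {
    printf 'pid=%s name=%s ppid=%s uid=%s exe=%s cwd=%s\n' \
        "$1" "$(proc_field "$1" Name)" "$(proc_field "$1" PPid)" \
        "$(proc_field "$1" Uid)" "$(proc_exe "$1")" \
        "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
}

sleep 1000 &
pid=$!
proc_summary "$pid"
kill "$pid"
```

Only the real UID (the first of the four numbers on the Uid line) is printed; replace `$2` with `$3` in proc_field to see the effective UID of a setuid process.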

/sbin/shutdown

A utility that brings the system down (see page ).

swap

Even though swap is not a file, swap space can be added and deleted from the system dynamically. Swap space is used by the virtual memory subsystem. When it runs low on real memory (RAM), the system writes memory pages from RAM to the swap space on the disk. Which pages are written and when they are written are controlled by finely tuned algorithms in the Linux kernel. When needed by running programs, these pages are brought back into RAM, a technique called paging (page ). When a system is running very short on memory, an entire process may be paged out to disk.

Running an application that requires a large amount of virtual memory may result in the need for additional swap space. If you run out of swap space, you can use mkswap to create a new swap file and swapon to enable it. Normally you use a disk partition as swap space, but you can also use a file. A disk partition provides much better performance than a file.

If you are using a file as swap space, first use df to ensure that the partition has adequate space for the file. In the following sequence of commands, the administrator first uses dd and /dev/zero (page ) to create an empty file (do not use cp as you may create a file with holes, which may not work) in the working directory. Next mkswap takes as an argument the name of the file created in the first step to set up the swap space. For security reasons, change the file so that it cannot be read from or written to by anyone but root; swapped-out pages can contain passwords and keys. Use swapon with the same argument to turn the swap file on; then use swapon -s to confirm that the swap space is available. The final two commands turn off the swap file and remove it:

# dd if=/dev/zero of=swapfile bs=1024 count=65536
65536+0 records in
65536+0 records out
67108864 bytes (67 MB) copied, 0.684039 seconds, 98.1 MB/s
# mkswap swapfile
Setting up swapspace version 1, size = 67104 kB
# chmod 600 swapfile
#  swapon swapfile
# swapon -s
Filename                                Type            Size    Used    Priority
/dev/hda5                               partition       1020088 0        -1
/root/swapfile                          file            65528   0        -2
# swapoff swapfile
# rm swapfile
rm: remove regular file 'swapfile'? y

/sys

The /sys pseudofilesystem was added in the Linux 2.6 kernel to make it easy for programs running in kernelspace, such as device drivers, to exchange information with programs running in userspace. Refer to udev on page .

/usr/share/magic

Most files begin with a unique identifier called a magic number. This file is a text database listing all known magic numbers on the system. When you use the file utility, it consults /usr/share/magic to determine the type of a file. Occasionally you may acquire a new tool that creates a new type of file that is unrecognized by the file utility. In this situation you need to update the /usr/share/magic file; refer to the magic man page for details. See also "" on page .

/var/log

Holds system log files.

/var/log/messages

Contains messages from daemons, the Linux kernel, and security programs. For example, you will find filesystem full warning messages, error messages from system daemons (NFS, syslog, printer daemons), SCSI and IDE disk error messages, and more in messages. Check /var/log/messages periodically to keep informed about important system events. Much of the information displayed on the system console is also sent to messages. If the system experiences a problem and you cannot access the console, check this file for messages about the problem.

/var/log/secure

Holds messages from security-related programs such as su and the sshd daemon.