Some user on my server just deleted a file, and I want to find out who did it. Going through everyone's history is not feasible, and the command cannot be as simple as rm -rf file.
Is it possible to know who made the last changes to a folder? I am on Linux.
- Hi, it may depend on your file system. I guess if you're lucky the superuser in question may have the rm/del command in their .*_history file? Otherwise I guess it would be very hard. – BlueBerry - Vignesh4303, commented Feb 4, 2016 at 12:10
- I think the commands like rm and mkdir should keep this data in the file's node in the file system. – username_4567, commented Feb 4, 2016 at 12:11
- You could try this alternative way: cyberciti.biz/tips/… – BlueBerry - Vignesh4303, commented Feb 4, 2016 at 12:27
2 Answers
In general, it's hard to find out who deleted the files or who modified the files without knowing about the logging system or pre-configured events.
Try to find out who was logged in at the time when the directory was deleted.
Check the OS syslog (/var/adm/syslog/syslog.log for HP-UX, /var/log/messages for Linux).
Try the last command to get a list of who logged on when.
Check the command histories of the sidadm and root users: use the history command, or the h alias.
Check if there are scripts running which regularly delete files.
Also you can take a look at your users' .bash_history, assuming they use bash.
Execute the below commands in a terminal (the find walks each home directory under /home; the extra /dev/null argument makes grep print the name of the history file that matched):
cd /home
find . -maxdepth 2 -name .bash_history -exec /usr/bin/grep "deleted-filename" {} /dev/null \;
If it's a file that only root can delete, then look at root's .bash_history, but then you have to find out who was logged in as root or su'ed to root. For this the command last root|more could help you.
As the trans directory might be NFS mounted to other servers, you might need to do the checks there too.
Also, for future use, install an open source SIEM solution like AlienVault, etc., which could help you maintain and log the events.
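The history search from this answer as a reusable POSIX shell function (an added example, not code from the original post): it reports each matching history line together with the account it came from, and, as an assumption for testing, accepts an optional directory of home directories in place of /home.

```shell
#!/bin/sh
# Added example: search every user's .bash_history under a home root for a
# deleted file's name and print "user:line-number:command" for each hit.
# Function and parameter names are hypothetical; "deleted-filename" stands in
# for the real path of the file that went missing.

find_history_hits() {
    needle=$1            # file name (or any fragment of the command) to look for
    homeroot=${2:-/home} # where the home directories live; /home by default
    found=0
    for hist in "$homeroot"/*/.bash_history; do
        [ -r "$hist" ] || continue      # skips unmatched glob and unreadable files
        user=${hist%/.bash_history}     # strip the trailing file name ...
        user=${user##*/}                # ... leaving only the account name
        # -F treats the name literally (dots in file names are not wildcards),
        # -q only asks whether there is any match at all
        if grep -Fq -- "$needle" "$hist"; then
            found=$((found + 1))
            # -n prefixes each match with its line number inside the history file
            grep -Fn -- "$needle" "$hist" | while IFS= read -r line; do
                printf '%s:%s\n' "$user" "$line"
            done
        fi
    done
    # exit status 0 when at least one history file mentioned the name
    [ "$found" -gt 0 ]
}

# Usage: sh thisscript.sh deleted-filename [/home]
if [ $# -gt 0 ]; then
    find_history_hits "$@" || echo "no history entries mention $1" >&2
fi
```

Bear in mind that bash writes history only when a shell exits cleanly, so a deletion from a still-open session, or from a shell started with history disabled, will not appear.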
Step 1: enable process accounting.
Step 2: enable fascist logging of the tty: add/enable pam_tty_audit.so in your PAM system-auth.
Step 3: search user activity using ausearch.