5

Some user on my server just deleted a file, and I want to find out who did it. Going through everyone's history is not feasible, and the command cannot be as simple as rm -rf file. Is it possible to know who made the last changes to a folder? I am on Linux.

3
  • Hi, it may depend on your file system. I guess if you're lucky the superuser in question may have the rm/del ** command in their *._history file? Otherwise I guess it would be very hard. Commented Feb 4, 2016 at 12:10
  • I think commands like rm, mkdir should keep this data in the file's node in the file system. Commented Feb 4, 2016 at 12:11
  • You could try this alternative way: cyberciti.biz/tips/… Commented Feb 4, 2016 at 12:27

2 Answers 2

3

In general, it's hard to find out who deleted the files or who modified them without knowing about the 'logging system' or pre-configured events.

Try to find out who logged at the time when the directory was deleted.

  • check the OS syslog (/var/adm/syslog/syslog.log for HP-UX, /var/log/messages for Linux)

  • Try the last command to get a list of who logged on when

  • Check the command histories of the sidadm and root users; use the history command or the h alias

  • Check if there are scripts running, which regularly delete files

Also, you can take a look at your users' .bash_history, assuming they use bash:

Execute the commands below in a terminal:

cd /home

# one .bash_history per home directory; the extra /dev/null argument makes grep print the file name
find . -maxdepth 2 -name .bash_history -exec /usr/bin/grep "deleted-filename" {} /dev/null \;

If it's a file that only root can delete, then look at root's .bash_history, but then you have to find out who was logged in as root or su'ed to root. For this, the command last root|more could help you.

As the trans directory might be NFS mounted to other servers, you might need to do the checks there too.

Also, for future use, install an open source SIEM solution like AlienVault, etc., which could help you to maintain and log the events.
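The history search from the answer above, as an added example that is not part of the original answer: it takes the home directories from a passwd-format file instead of ls /home (root lives in /root, and a backtick-ls substitution only appends /.bash_history to the first entry), checks bash, zsh and sh history files, and runs against a constructed fixture (the users, paths and history lines are made up for the demonstration). On a real host run it as root with history_hits /etc/passwd /path/to/deleted/file. Two caveats the answer does not spell out: bash writes .bash_history only when the shell exits cleanly and a user can switch it off (unset HISTFILE, HISTCONTROL=ignorespace), so an empty result proves nothing; and a sudo rm appears in the invoking user's history, not root's, unless the user opened a root shell with sudo -i or su.

```shell
#!/bin/sh
# Added example, not from the answer: search every login user's shell history
# for a deleted path. Home directories come from a passwd-format file, so
# accounts outside /home (root in /root, NFS-mounted homes) are covered too.

# history_hits PASSWD_FILE PATTERN
# Prints user:histfile:lineno:command for each history line that contains
# PATTERN (fixed string, so "report.csv" does not match "reportXcsv").
# System accounts (uid 1..999) are skipped; root (uid 0) is kept.
history_hits() {
  passwd_file=$1 pattern=$2
  while IFS=: read -r user pw uid gid gecos home shell; do
    if [ "$uid" -ne 0 ] && [ "$uid" -lt 1000 ]; then continue; fi
    for hist in "$home/.bash_history" "$home/.zsh_history" "$home/.sh_history"; do
      [ -r "$hist" ] || continue
      grep -n -F -- "$pattern" "$hist" | while IFS= read -r line; do
        printf '%s:%s:%s\n' "$user" "$hist" "$line"
      done
    done
  done < "$passwd_file"
}

# make_fixture: builds a constructed passwd file and three home directories
# under a temporary directory and prints its path (sample data, not real).
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/root" "$fx/home/alice" "$fx/home/bob"
  printf '%s\n' "root:x:0:0:root:$fx/root:/bin/bash" \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    "alice:x:1000:1000:Alice:$fx/home/alice:/bin/bash" \
    "bob:x:1001:1001:Bob:$fx/home/bob:/bin/bash" > "$fx/passwd"
  # root removed the file from a root shell
  printf '%s\n' 'cd /srv/data' 'ls -la' 'rm -rf /srv/data/report.csv' \
    > "$fx/root/.bash_history"
  # alice used sudo: the command lands in her history, not in root's
  printf '%s\n' 'cd /srv/data' 'sudo rm -rf report.csv' 'exit' \
    > "$fx/home/alice/.bash_history"
  printf '%s\n' 'vim ~/notes.txt' > "$fx/home/bob/.bash_history"
  printf '%s\n' "$fx"
}

# Demo run against the fixture; on a real host, as root:
#   history_hits /etc/passwd /srv/data/report.csv
fx=$(make_fixture)
history_hits "$fx/passwd" report.csv
rm -rf "$fx"
```

The demo prints one line for root (line 3 of /root/.bash_history) and one for alice (her sudo rm), and nothing for bob; the output order follows the passwd file, so root comes first.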

1

Step 1: enable process accounting.

Step 2: enable fascist logging of the tty: add/enable pam_tty_audit.so in your PAM system-auth.

Step 3: search user activity using ausearch.
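The three steps of the answer above, as an added example that is not code from the answer: the enable_tty_audit function applies the configuration (run as root with --apply; the PAM file /etc/pam.d/system-auth and the watched directory /srv/data are assumptions for a RHEL/Fedora layout, Debian-family systems use /etc/pam.d/common-session), and decode_tty_records / who_typed extract the keystrokes that pam_tty_audit writes into audit.log, which is what ausearch -i does for you on a host where it is installed. It goes one step beyond the answer by also adding an auditd watch on the directory, so a deletion is attributed to a login uid even when it comes from cron or a script and never touches a tty. The audit records it decodes are constructed sample lines in the raw auditd format, not captured from a system.

```shell
#!/bin/sh
# Added example, not code from the answer. Part 1 applies the three steps of
# the answer (as root: sh thisfile --apply). Part 2 decodes the keystroke
# records pam_tty_audit writes, from a raw audit.log, the way ausearch -i
# would; it runs against constructed sample records.

# Part 1. Assumed paths for a RHEL/Fedora layout; Debian-family systems use
# /etc/pam.d/common-session. WATCH_DIR is the directory the file lived in.
enable_tty_audit() {
  pam_file=${PAM_FILE:-/etc/pam.d/system-auth}
  watch_dir=${WATCH_DIR:-/srv/data}
  # Step 1: process accounting (package psacct on RHEL, acct on Debian).
  # Afterwards `lastcomm rm` lists every rm that ran, with user, tty and time.
  accton on
  # Step 2: keystroke logging for all new interactive sessions; sessions that
  # are already open are not affected. log_passwd stays off (the default), so
  # password prompts are not recorded.
  grep -q pam_tty_audit.so "$pam_file" ||
    printf 'session required pam_tty_audit.so enable=*\n' >> "$pam_file"
  # Beyond the answer: a watch on the directory attributes a deletion to a
  # login uid even from cron or a script with no tty. Put the same rule in
  # /etc/audit/rules.d/ to keep it across reboots.
  auditctl -w "$watch_dir" -p wa -k file-delete
  # Step 3, later:
  #   ausearch -k file-delete -i      # who unlinked something under WATCH_DIR
  #   ausearch -m TTY -i --uid 1000   # what that user typed
}

# Part 2. A raw TTY record (this one is constructed, not captured):
#   type=TTY msg=audit(1454587840.133:245): tty pid=3124 uid=1000 auid=1000
#   ses=4 major=136 minor=0 comm="bash" data=726D202D7266...
# data= holds the keystrokes as hex; 0D is the Enter key.
hex_to_text() {           # hex_to_text HEX  ->  text, control chars as ^X
  hex=$1
  while [ "${#hex}" -ge 2 ]; do
    pair=${hex%"${hex#??}"}; hex=${hex#??}
    dec=$(printf '%d' "0x$pair")
    if [ "$dec" -lt 32 ]; then
      printf '^%b' "\\$(printf '%03o' $((dec + 64)))"
    elif [ "$dec" -eq 127 ]; then
      printf '^?'
    else
      printf '%b' "\\$(printf '%03o' "$dec")"
    fi
  done
}

decode_tty_records() {    # raw audit records on stdin -> one line per TTY record
  while IFS= read -r rec; do
    case $rec in type=TTY*) ;; *) continue ;; esac
    ts=$(printf '%s\n' "$rec"   | sed -n 's/.*msg=audit(\([0-9.]*\):.*/\1/p')
    auid=$(printf '%s\n' "$rec" | sed -n 's/.* auid=\([0-9]*\).*/\1/p')
    pid=$(printf '%s\n' "$rec"  | sed -n 's/.* pid=\([0-9]*\).*/\1/p')
    comm=$(printf '%s\n' "$rec" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
    data=$(printf '%s\n' "$rec" | sed -n 's/.* data=\([0-9A-Fa-f]*\).*/\1/p')
    printf '%s auid=%s pid=%s comm=%s keys=' "$ts" "$auid" "$pid" "$comm"
    hex_to_text "$data"
    printf '\n'
  done
}

who_typed() {             # who_typed STRING < /var/log/audit/audit.log
  decode_tty_records | grep -F -- "$1"
}

# Constructed records: auid 1000 removes the file, auid 1001 lists a directory.
sample_audit_log() {
  printf '%s\n' \
    'type=USER_START msg=audit(1454587830.000:244): pid=3100 uid=0 auid=1000 ses=4 msg=op=PAM:session_open' \
    'type=TTY msg=audit(1454587840.133:245): tty pid=3124 uid=1000 auid=1000 ses=4 major=136 minor=0 comm="bash" data=726D202D7266202F7372762F646174612F7265706F72742E6373760D' \
    'type=TTY msg=audit(1454587901.517:260): tty pid=3301 uid=1001 auid=1001 ses=5 major=136 minor=1 comm="bash" data=6C73202D6C610D'
}

if [ "${1-}" = --apply ]; then
  enable_tty_audit
else
  sample_audit_log | who_typed 'rm -rf'
fi
```

The demo decodes the sample records and prints the one line in which auid 1000 typed rm -rf /srv/data/report.csv followed by Enter (shown as ^M); auid is the login uid, which survives su and sudo, so it names the person even when the command ran as root.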
