There are some 4 people who know my root password.And someone deleted my code directory.
We have a single system where everyone has his own code base directory and everyone ssh to this system and work on that.
I tried looking into history ~/.bash_history. it shows that rm -rf command was executed but I do not know who logged in as root and deleted it. I have also tried list command. But unfortunately 3 people were logged in at that point of time and anyone of them might have done that. accounting info also did not help. Is there any way to find out?
If not, how can I write some script that I can run in background that captures all the commands that get issued from an ip address (SSH sessions) and at what time.
git
) for your source code.