Hi,

In my organization, we have a centralized home directory for all users which gets mounted from all the machine where user logs in.

Since any XYZ user can login to any of hundreds test machines and run 'sudo su - myusername', hence taking control of my home dir.

How do I track who took control of my home dir and deleted its contents.

Thank you,

If they used sudo, the sudo commands are logged, often in /var/log/messages. If they used "sudo su - <username>" the sudo command will be logged but not the deletion commands unless you use accounting to log who altered or deleted a file.

If they log in remotely, and you have an idea when your files were deleted, you can look at "w" or "who" or "last" to see which IP was logged in around that time.

1 members found this post helpful.

Many thanks jschiwal.

Can you please brief me how do I set accounting for files in my home directory. I need to have a log file in another remote location to check who is running 'sudo su - <myuserid>' and from which machine IP.

Search for a package named "acct" or "audit" for your distribution. It may be partially preconfigured. The process involves using the kernel to report when a file is modified. System level calls are reported. An auditing process is run in the background as well. You configure the system for what you are interested and can use tools such as aureport to provide information.

This page is a little dated, but may give you an idea how auditing works. http://www.novell.com/documentation/..._aureport.html

I didn't catch where you configure it to send audit messages to a logging server, but did see there is an entry for which port to use to receive reports, so I assume, I just missed it.

You can also configure syslog-ng to log /var/log/messages, and other text logs to a central logging server. This will help prevent an intruder from hiding his tracks.

---

Just as important is maintaining regular backups. Most deletions or modifications you will deal with will be accidental and not something malicious.