LinuxQuestions.org
Old 04-08-2011, 06:39 PM   #1
rohit.dhaval1
Member
 
Registered: Jul 2009
Posts: 39
Blog Entries: 2

Rep: Reputation: 0
How do I know who deleted my bash history


Hi,

In my organization, we have a centralized home directory for all users, which gets mounted from all the machines where a user logs in.

Any XYZ user can log in to any of the hundreds of test machines and run 'sudo su - myusername', hence taking control of my home dir.

How do I track who took control of my home dir and deleted its contents?

Thank you,
 
Old 04-08-2011, 06:43 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
If they used sudo, the sudo commands are logged, often in /var/log/messages. If they used "sudo su - <username>" the sudo command will be logged but not the deletion commands unless you use accounting to log who altered or deleted a file.

If they log in remotely, and you have an idea when your files were deleted, you can look at "w" or "who" or "last" to see which IP was logged in around that time.

Last edited by jschiwal; 04-08-2011 at 06:45 PM.
 
Old 04-08-2011, 08:05 PM   #3
rohit.dhaval1
Member
 
Registered: Jul 2009
Posts: 39
Blog Entries: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal
If they used sudo, the sudo commands are logged, often in /var/log/messages. If they used "sudo su - <username>" the sudo command will be logged but not the deletion commands unless you use accounting to log who altered or deleted a file.

If they log in remotely, and you have an idea when your files were deleted, you can look at "w" or "who" or "last" to see which IP was logged in around that time.

Many thanks, jschiwal.

Can you please brief me on how I set up accounting for files in my home directory? I need to have a log file in another remote location to check who is running 'sudo su - <myuserid>' and from which machine IP.
 
Old 04-08-2011, 10:06 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Search for a package named "acct" or "audit" for your distribution. It may be partially preconfigured. The process involves using the kernel to report when a file is modified. System level calls are reported. An auditing process is run in the background as well. You configure the system for what you are interested in and can use tools such as aureport to provide information.

This page is a little dated, but may give you an idea how auditing works. http://www.novell.com/documentation/..._aureport.html

I didn't catch where you configure it to send audit messages to a logging server, but did see there is an entry for which port to use to receive reports, so I assume I just missed it.

You can also configure syslog-ng to log /var/log/messages, and other text logs to a central logging server. This will help prevent an intruder from hiding his tracks.

---

Just as important is maintaining regular backups. Most deletions or modifications you will deal with will be accidental and not something malicious.
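
Added example, not part of the thread: a Python sketch of the sudo-log check described in posts #2 and #4, run over constructed lines in sudo's classic syslog format, including a failed attempt and a look-alike user name. The sample hosts and users and the names `LINE_RE` and `find_takeovers` are assumptions made for illustration.

```python
import re

# Constructed sample lines in sudo's syslog format (hosts and users are made up).
SAMPLE_LOG = """\
Apr  8 17:02:11 testbox42 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su - myusername
Apr  8 17:05:40 testbox07 sudo:      bob : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/yum update
Apr  8 17:09:02 testbox19 sudo[2211]:  carol : TTY=pts/1 ; PWD=/home/carol ; USER=myusername ; COMMAND=/bin/bash
Apr  8 17:11:30 testbox19 sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/su - myusername2
Apr  8 17:12:00 testbox19 sudo:     erin : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/bin/su - myusername
"""

# <timestamp> <host> sudo: <invoker> : [failure note ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<who>\S+) : "
    r"(?P<note>.*?)TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<user>\S+) ; "
    r"(?:.*? ; )?COMMAND=(?P<cmd>.*)$"
)

def find_takeovers(log_text, target):
    """Return sudo events where someone ran a command as `target` or su'd to it."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sudo command record
        # sudo logs argv joined by spaces, so quoting is already lost here.
        argv = m["cmd"].split()
        is_su = bool(argv) and argv[0].rsplit("/", 1)[-1] == "su"
        # Whole-word comparison, so "myusername2" does not count as "myusername".
        if m["user"] == target or (is_su and target in argv[1:]):
            hits.append({
                "time": m["ts"], "host": m["host"], "invoker": m["who"],
                "tty": m["tty"], "command": m["cmd"],
                # Text before TTY= is sudo's failure reason, if any.
                "denied": m["note"].rstrip(" ;") or None,
            })
    return hits

if __name__ == "__main__":
    for hit in find_takeovers(SAMPLE_LOG, "myusername"):
        status = "DENIED: " + hit["denied"] if hit["denied"] else "ok"
        print(hit["time"], hit["host"], hit["invoker"], hit["tty"], status, hit["command"])
```

On a central log server the host field shows which machine the command was run on. Someone who first opens a root shell and then runs su leaves no matching sudo line, so that case needs su's own log entries or audit records.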
 
Tags
bash, bashprofile, bashrc, home directory

All times are GMT -5.