Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 01-27-2009, 01:54 AM   #1
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 593

Rep: Reputation: 30
Is there a way to find out the history of a file written by users

Hi all,

I want to find out the history of a file, which was overwritten by my users in my absence. Its a common ENV , in which all the users are using the same user name and Authenticate using their public key .

I just want to show, its overwritten by others during my absence. Is there a way to do it other than the history command?
Old 01-27-2009, 02:42 AM   #2
LQ Guru
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976Reputation: 1976
You have to install and configure an audit daemon. Look for package audit using yum. Other possibilities are the Intrusion Detection Systems, like Samhain, but they are more complex and less easy to mantain. Auditd should be the right solution for you.

Last edited by colucix; 01-27-2009 at 02:46 AM. Reason: mispelled name of package
Old 01-27-2009, 02:39 PM   #3
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533
While Colucix mentioned Auditd, the audit daemon, there's another tool that might come in handy showing a complete history of user commands: 'rootsh'. On top of that it doesn't need much configuration. As for past events the answer remains "no". Unless you have proper auditing in place the only way to get a sequence of events is from users shell history (if any). Mind you, that's not a timeline because correllation with any system events is not possible unless it sources HISTTIMEFORMAT (and even then).


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
how do i find if somefile is being written to a folder at any point in time? MaRock Programming 10 08-25-2008 06:38 AM
find printing history manojg Linux - General 1 07-29-2008 09:45 AM
Need to log users command history FatSteve Linux - Security 2 07-22-2004 07:25 PM
where can i find history farhan Linux - Security 4 04-29-2003 10:06 AM

All times are GMT -5. The time now is 08:28 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration