LinuxQuestions.org
Old 01-27-2009, 12:54 AM   #1
ZAMO
Member
 
Is there a way to find out the history of a file written by users


Hi all,


I want to find out the history of a file, which was overwritten by my users in my absence. It's a common ENV, in which all the users are using the same user name and authenticate using their public key.

I just want to show it's overwritten by others during my absence. Is there a way to do it other than the history command?
 
Old 01-27-2009, 01:42 AM   #2
colucix
Moderator
 
You have to install and configure an audit daemon. Look for package audit using yum. Other possibilities are the Intrusion Detection Systems, like Samhain, but they are more complex and less easy to maintain. Auditd should be the right solution for you.

Last edited by colucix; 01-27-2009 at 01:46 AM. Reason: misspelled name of package
 
Old 01-27-2009, 01:39 PM   #3
unSpawn
Moderator
 
While Colucix mentioned Auditd, the audit daemon, there's another tool that might come in handy showing a complete history of user commands: 'rootsh'. On top of that it doesn't need much configuration. As for past events the answer remains "no". Unless you have proper auditing in place the only way to get a sequence of events is from users' shell history (if any). Mind you, that's not a timeline because correlation with any system events is not possible unless it sources HISTTIMEFORMAT (and even then).
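
An added example, not part of the posts above and not any project's own code: once an audit watch of the kind suggested in this thread is in place, this script pulls a write timeline for one file out of the audit records. Since everyone logs in under the same account, uid and auid cannot tell the users apart, so it reports the `ses` (login session) field instead. The watched path, the key name and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed watch rule (path and key name are hypothetical):
#   auditctl -w /srv/shared/app.conf -p wa -k shared-file
# -w sets the watched path, -p wa records writes and attribute changes,
# -k tags matching events so they can be found later (ausearch -k shared-file).

# Constructed sample of SYSCALL records in the /var/log/audit/audit.log format.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1233036000.101:310): arch=c000003e syscall=2 success=yes exit=3 pid=4021 auid=500 uid=500 ses=7 comm="vim" exe="/usr/bin/vim" key="shared-file"
type=SYSCALL msg=audit(1233036050.220:311): arch=c000003e syscall=2 success=yes exit=3 pid=4090 auid=500 uid=500 ses=9 comm="cat" exe="/bin/cat" key="other-rule"
type=SYSCALL msg=audit(1233039600.554:342): arch=c000003e syscall=2 success=no exit=-13 pid=4188 auid=500 uid=500 ses=9 comm="cp" exe="/bin/cp" key="shared-file"
type=SYSCALL msg=audit(1233043200.009:377): arch=c000003e syscall=2 success=yes exit=4 pid=4302 auid=500 uid=500 ses=9 comm="cp" exe="/bin/cp" key="shared-file"
EOF
}

# write_timeline KEY: read audit records on stdin and print one line per
# successful event tagged with KEY: "<epoch> <event-id> ses=<n> <exe>".
write_timeline() {
  awk -v key="$1" '
    $1 == "type=SYSCALL" {
      split("", f)                      # reset the field map for this record
      for (i = 2; i <= NF; i++) {
        n = index($i, "=")
        if (n) { v = substr($i, n + 1); gsub(/"/, "", v); f[substr($i, 1, n - 1)] = v }
      }
      # Skip other rules and failed attempts (e.g. exit=-13, permission denied).
      if (f["key"] != key || f["success"] != "yes") next
      # msg value is audit(EPOCH.MS:ID): so m[2] is the epoch, m[4] the event id.
      split(f["msg"], m, /[(.:)]/)
      print m[2], m[4], "ses=" f["ses"], f["exe"]
    }'
}

# sessions_that_wrote KEY: distinct login sessions with a successful write.
sessions_that_wrote() {
  write_timeline "$1" | awk '{ print $3 }' | sort -u
}

sample_log | write_timeline shared-file
```

Tying a session number to a person still needs the login records for that session, so those have to be kept alongside the audit log.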
 
  

