Somebody deleted a folder from /opt, how to figure out which user did that?
Hi,
Somebody deleted a folder from /opt, now how do I find out who did it? Should I log in to every user from root and check the history? Or is there a better and easier solution?
Greetingz!
Time to play "When should I stop typing!"
Code:
# Replace "filename" with the name of the deleted folder.
for x in $(find /home -type f -name "*history" 2>/dev/null)
do
    # Header naming the history file, then its unique matching lines
    printf "=== %s\n" "$x"
    strings "$x" | grep -i filename | sort -u
done | tee -a list_of_users_to_beat.wri && \
    sort -u list_of_users_to_beat.wri | \
    grep -Ev "$(logname)" | \
    mailx -s "Weekly Beatings List" managers@company.com
Last edited by xeleema; 02-04-2011 at 04:15 AM.
Reason: Why am I telling a RHCE how to do this? Note to self, get certified so I can finally start a thread on LQ...
Oh seriously.
As root you don't need to "su -" to each user, you can read their history files directly.
If they ssh into the system, then they use a shell. Each shell should have a history file. So it would be in their history file.
Why are you only looking for "rm"? Look for the folder name! They could have moved or copied-over the folder, or used tar or who knows what.
1) Is this a "server"? 2) Do any users have the ability to pull up a remote desktop session of this system, or can they walk right up to it and log in to a GUI (like KDE & GNOME)?
If this isn't a server, drat. If it is, and you let users access a desktop....guess what? Mouse clicks aren't logged (by default).
Last edited by xeleema; 02-04-2011 at 04:32 AM.
Reason: /me breathes in. /me breathes out. In with the butterflies, out with the bees.....
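One way to do what the reply above describes, reading each account's history file as root and searching for the folder name rather than for "rm", tied back to account names and including root's own home. This is an added example, not code from anyone in the thread; the function name history_hits, the folder name appdir, the root-prefix argument and the sample accounts are constructed, and the list of history file names is an assumption about common shell defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report which accounts' shell history
# mentions a directory name, whatever command was used on it (rm, mv, tar, ...).
# Usage: history_hits <passwd-file> <name> [root-prefix]
# root-prefix is a hypothetical convenience so the same function can be
# pointed at a mounted copy of the disk or at the constructed demo tree below.
history_hits() (
    passwd_file=$1 needle=$2 prefix=${3:-}
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Assumed common history file names (bash, zsh, ksh, tcsh)
        for hist in .bash_history .zsh_history .sh_history .history; do
            file="$prefix$home/$hist"
            [ -f "$file" ] || continue
            # -a: force text mode, -F: literal string, -n: keep line numbers
            grep -aFn -- "$needle" "$file" | while IFS= read -r line; do
                printf '%s\t%s\t%s\n' "$user" "$file" "$line"
            done
        done
    done < "$passwd_file"
)

# Constructed sample data: three accounts, two of which touched /opt/appdir
# without ever typing "rm".
demo() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/root" "$t/home/alice" "$t/home/bob"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/zsh' > "$t/passwd"
    printf '%s\n' 'yum update' > "$t/root/.bash_history"
    printf '%s\n' 'ls /opt' 'tar czf /tmp/a.tgz /opt/appdir' \
        > "$t/home/alice/.bash_history"
    printf '%s\n' ': 1296790000:0;cd /opt' ': 1296790042:0;mv appdir /tmp/x' \
        > "$t/home/bob/.zsh_history"
    out=$(history_hits "$t/passwd" appdir "$t")
    rm -rf "$t"
    printf '%s\n' "$out"
)

demo
```

On a live system the call would be `history_hits /etc/passwd <folder-name>` as root. History files are writable by their owners and bash only writes them out when the shell exits, so an empty result does not clear an account.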
Ok, so what is the location of the history file? I'm afraid I don't know that.
And yes, it's a server without any desktop. They are logging in with ssh only.
I have questions about this: On all my systems the /opt-directory is owned by root and not writable to users. If I assume that this is the same on your system then I have to assume that your users know the root-password. If they su to root with this password, is one even able to find out which user has deleted the folder, because it was root who deleted it?
Or did you change the permissions on /opt (and if so, why?)? If you have not changed the permissions, I have to ask why your users know the root-password?