LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 02-04-2011, 04:07 AM   #1
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 623

Rep: Reputation: 64
Somebody deleted a folder from /opt, how to figure out which user did that?


Hi,
Somebody deleted a folder from /opt, now how I to know who did it? should I login to every user from root and check the history? or there is better and easy solution?

thanks
 
Old 02-04-2011, 04:13 AM   #2
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 252Reputation: 252Reputation: 252
Greetingz!
Time to play "When should I stop typing!"

Code:
for x in $(find /home -type f -name "*history" 2>/dev/null)
do
printf "===  $x\n"
strings $x | grep -i filename | sort -u
done | tee -a list_of_users_to_beat.wri && \

cat list_of_users_to_beat.wri | sort -u | \
egrep -v `logname` | \
mailx -s "Weekly Beatings List" managers@company.com

Last edited by xeleema; 02-04-2011 at 04:15 AM. Reason: Why am I telling a RHCE how to do this? Note to self, get certified so I can finally start a thread on LQ...
 
1 members found this post helpful.
Old 02-04-2011, 04:17 AM   #3
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 623

Original Poster
Rep: Reputation: 64
And what if its not there in the history? Any other way to check it?
 
Old 02-04-2011, 04:22 AM   #4
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 252Reputation: 252Reputation: 252
Well, if they did it thru samba, maybe check the Samba logs?
Just what have you looked at so far?

Last edited by xeleema; 02-04-2011 at 04:23 AM. Reason: At this rate, my post count will be in the thousands by Monday.
 
Old 02-04-2011, 04:25 AM   #5
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 623

Original Poster
Rep: Reputation: 64
Quote:
Originally Posted by xeleema View Post
Well, if they did it thru samba, maybe check the Samba logs?
Just what have you looked at so far?
I logged into each user and checked their history, no rm command found.

But somebody has deleted a folder named /opt/IT through ssh.
Can I check it from the log of ssh?
 
Old 02-04-2011, 04:32 AM   #6
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 252Reputation: 252Reputation: 252
Oh seriously.
As root you don't need to "su -" to each user, you can read their history files directly.
If they ssh into the system, then they use a shell. Each shell should have a history file. So it would be in their history file.
Why are you only looking for "rm"? Look for the folder name! They could have moved or copied-over the folder, or used tar or who knows what.

1) Is this a "server"?
2) Do any users have the ability to pull up a remote desktop session of this system, or can they walk right up to it and login to a GUI (like KDE & GNOME)?

If this isn't a server, drat. If it is, and you let users access a desktop....guess what? Mouse clicks aren't logged (by default).

Last edited by xeleema; 02-04-2011 at 04:32 AM. Reason: /me breaths in. /me breaths out. In with the butterflies, out with the bees.....
 
Old 02-04-2011, 04:35 AM   #7
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 623

Original Poster
Rep: Reputation: 64
Quote:
Originally Posted by xeleema View Post
Oh seriously.
As root you don't need to "su -" to each user, you can read their history files directly.
If they ssh into the system, then they use a shell. Each shell should have a history file. So it would be in their history file.
Why are you only looking for "rm"? Look for the folder name! They could have moved or copied-over the folder, or used tar or who knows what.

1) Is this a "server"?
2) Do any users have the ability to pull up a remote desktop session of this system, or can they walk right up to it and login to a GUI (like KDE & GNOME)?

If this isn't a server, drat. If it is, and you let users access a desktop....guess what? Mouse clicks aren't logged (by default).
Ok, so what is the location of the history file? I'm afraid I don't know that.

And yes, its a server without any desktop. They are logging in with ssh only.
 
Old 02-04-2011, 04:48 AM   #8
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 252Reputation: 252Reputation: 252
Quote:
Originally Posted by Sayan Acharjee View Post
Ok, so what is the location of the history file?
Is that your RHCE ID #? Seriously, dude, the first chunk of code in my post I gave you said;
Code:
find /home -type f -name "*history" 2>/dev/null
Quote:
Originally Posted by Sayan Acharjee View Post
And yes, its a server without any desktop. They are logging in with ssh only.
Well thank $DIETY. Read the man page for bash and you'll find out where the shell keeps it's history files.
 
Old 02-04-2011, 04:52 AM   #9
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 623

Original Poster
Rep: Reputation: 64
Quote:
Originally Posted by xeleema View Post
Is that your RHCE ID #? Seriously, dude, the first chunk of code in my post I gave you said;
Code:
find /home -type f -name "*history" 2>/dev/null

Well thank $DIETY. Read the man page for bash and you'll find out where the shell keeps it's history files.
Actually, I did not go through that code. Someone has informed me that he checked and histories and found no command with that folder.
 
Old 02-04-2011, 04:54 AM   #10
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 252Reputation: 252Reputation: 252
Quote:
Someone has informed me that he checked and histories and found no command with that folder.
Yeah...the shell's log by default. Whatever $HOME is for your users, run the find command there. Don't take the PFY's word for it.
 
Old 02-05-2011, 10:31 PM   #11
nallanisai
LQ Newbie
 
Registered: Dec 2010
Location: Bangalore
Distribution: Red Hat Linux
Posts: 28

Rep: Reputation: 0
Hi sayan,

issue the below command to know which user executed which command

#cat /home/<user home directory>/.bash_history

It will show the user executed commands
 
Old 02-05-2011, 11:42 PM   #12
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870Reputation: 4870
I have questions about this: On all my systems the /opt-directory is owned by root and not writable to users. If I assume that this is the same on your system then I have to assume that your users know the root-password. If they su to root with this password, is one even able to find out which user has deleted the folder, because it was root who deleted it?
Or did you change the permissions on /opt (and if so, why?)? If you have not changed the permissions, I have to ask why your users know the root-password?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
accidentally delete /opt folder ababil151 Linux - Newbie 2 09-20-2010 11:34 AM
Cannot copy to my /opt folder ? Twin Cams Linux - Newbie 27 04-18-2010 02:51 PM
restore opt folder jbumgarjr Linux - Newbie 1 03-31-2010 04:24 PM
user rights and opt JuliusV Linux - Newbie 6 01-22-2009 10:05 AM
creating folders under opt/lampp/htdocs folder in fedora sent222 Linux - Newbie 3 01-03-2008 04:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 10:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration