LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-05-2009, 04:03 PM   #1
richeslinuxquestion
LQ Newbie
 
Registered: May 2009
Posts: 1

Rep: Reputation: 0
Is there a way to find out which user deleted a file and when?


Hi,

Recently we discovered a file located at the root of our web servers document directory (<apache2.0>/htdocs/w2 was missing. I'm trying to do some research as to who/what may have deleted the file and when. Is there a way to do this? I was thinking that investigating the .bash-history of root but was not sure if a user logged in as sudo writes to this file our their own. The only other thing I can think of is inspecting/grepping each users ./bash-history file.

Thanks
Richard
 
Old 05-05-2009, 04:14 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281Reputation: 281Reputation: 281
Usually, sudo logs to a separate file. I think my box is /var/log/sudo.log. You might check sudo's config files and see if logging is enabled and if so where the log file is.
 
Old 05-05-2009, 04:16 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
if it was done as a sudo to open a root shell, then no you're kinda stuck unless you can match up sudo executions listed in your messages file to the rough time the deed was you.

you might want to check out something like rootsh which will record root shell sessions and the likes, or alternatively enablee file level auditing with auditd.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
File/User permissions - how it can be deleted? laki47 Linux - Newbie 6 02-19-2009 12:49 AM
In RHEL 4, how to find who deleted particular directory or file dhanju Linux - Server 1 09-25-2008 05:37 AM
cannot find user '******' in password file nagabioinfo Linux - Newbie 1 04-01-2008 01:59 AM
Is there a way to find out -when- a file got deleted? Thintalle Linux - Newbie 6 12-14-2007 09:02 AM
Lost Password file when user deleted clickit999 Linux - Security 2 09-19-2004 11:12 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 02:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration