LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Is there a way to find out the history of a file written by users (https://www.linuxquestions.org/questions/linux-security-4/is-there-a-way-to-find-out-the-history-of-a-file-written-by-users-700121/)

ZAMO 01-27-2009 12:54 AM
Is there a way to find out the history of a file written by users
 
Hi all,


I want to find out the history of a file, which was overwritten by my users in my absence. Its a common ENV , in which all the users are using the same user name and Authenticate using their public key .

I just want to show, its overwritten by others during my absence. Is there a way to do it other than the history command?

colucix 01-27-2009 01:42 AM
You have to install and configure an audit daemon. Look for package audit using yum. Other possibilities are the Intrusion Detection Systems, like Samhain, but they are more complex and less easy to mantain. Auditd should be the right solution for you.

unSpawn 01-27-2009 01:39 PM
While Colucix mentioned Auditd, the audit daemon, there's another tool that might come in handy showing a complete history of user commands: 'rootsh'. On top of that it doesn't need much configuration. As for past events the answer remains "no". Unless you have proper auditing in place the only way to get a sequence of events is from users shell history (if any). Mind you, that's not a timeline because correllation with any system events is not possible unless it sources HISTTIMEFORMAT (and even then).


All times are GMT -5. The time now is 10:01 PM.