LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page Is there a way to find out the history of a file written by users
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-27-2009, 12:54 AM   #1
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Rep: Reputation: 30
Is there a way to find out the history of a file written by users

Hi all,


I want to find out the history of a file, which was overwritten by my users in my absence. Its a common ENV , in which all the users are using the same user name and Authenticate using their public key .

I just want to show, its overwritten by others during my absence. Is there a way to do it other than the history command?
 
Old 01-27-2009, 01:42 AM   #2
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983Reputation: 1983
You have to install and configure an audit daemon. Look for package audit using yum. Other possibilities are the Intrusion Detection Systems, like Samhain, but they are more complex and less easy to mantain. Auditd should be the right solution for you.
Last edited by colucix; 01-27-2009 at 01:46 AM. Reason: mispelled name of package
 
Old 01-27-2009, 01:39 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
While Colucix mentioned Auditd, the audit daemon, there's another tool that might come in handy showing a complete history of user commands: 'rootsh'. On top of that it doesn't need much configuration. As for past events the answer remains "no". Unless you have proper auditing in place the only way to get a sequence of events is from users shell history (if any). Mind you, that's not a timeline because correllation with any system events is not possible unless it sources HISTTIMEFORMAT (and even then).
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how do i find if somefile is being written to a folder at any point in time? MaRock Programming 10 08-25-2008 05:38 AM
find printing history manojg Linux - General 1 07-29-2008 08:45 AM
Need to log users command history FatSteve Linux - Security 2 07-22-2004 06:25 PM
where can i find history farhan Linux - Security 4 04-29-2003 09:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:26 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration