  1. #1

    In LINUX how to identify which User has deleted the file from a directory

    Hi All,

    Someone deleted a file from the directory. I have restored the file from the backup file with the same name, but I want to know who deleted the file and when it was deleted. Please advise.

    Thanks,
    Jay


  2. #2
    yura717

    How can a user delete files? Did you give them the root password?




  3. #3
    andre_teprom

    Try this:

    Code:
    # Search every user's bash history under /home for "rm" commands
    find /home -name .bash_history -print0 | xargs -0 grep -Hw "rm"
       

  4. #4

    Most Linux systems now (kernel 2.6+, I think) support auditing using the "audit" daemon. I am not sure about the default configuration on your distro, but you can configure it to monitor your file system or a folder for changes (read, write, delete, etc.) and many other things, and it will report such activities in its log file (under Fedora it is /var/log/audit/audit.log).

    Regular users have no access to the log, but if users had root access then they can delete that log and you cannot track them easily.
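
The audit-daemon approach from post #4, as an added example that is not part of the original thread: the comments show the watch and query commands, and the function pulls "who and when" out of raw audit.log records. The directory `/srv/shared`, the key `file_delete`, the helper names and the sample records are all assumptions constructed for illustration.

```shell
#!/bin/sh
# On a live system (root required), a watch is set and queried with:
#   auditctl -w /srv/shared -p wa -k file_delete
#   ausearch -k file_delete -i
# /srv/shared and the key name file_delete are assumed values.

# Constructed sample records in raw audit.log layout (not from a real host).
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1374150000.123:456): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=2100 pid=2101 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="file_delete"
type=PATH msg=audit(1374150000.123:456): item=0 name="/srv/shared" inode=131 nametype=PARENT
type=PATH msg=audit(1374150000.123:456): item=1 name="/srv/shared/report.txt" inode=140 nametype=DELETE
type=SYSCALL msg=audit(1374150100.500:460): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2200 pid=2201 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="file_delete"
type=PATH msg=audit(1374150100.500:460): item=0 name="/srv/shared/notes.txt" inode=141 nametype=NORMAL
EOF
}

# Print "epoch auid uid exe name" for each deletion logged under key $1.
# Reads raw records on stdin; SYSCALL is expected before its PATH records.
who_deleted() {
    awk -v key="$1" '
    function field(name,   i, kv) {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
        }
        return ""
    }
    {   # event id: "msg=audit(1374150000.123:456):" -> "1374150000.123:456"
        id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
    }
    $1 == "type=SYSCALL" && field("key") == key {
        who[id] = "auid=" field("auid") " uid=" field("uid") " exe=" field("exe")
    }
    $1 == "type=PATH" && field("nametype") == "DELETE" && (id in who) {
        ts = id; sub(/\..*$/, "", ts)
        print ts, who[id], "name=" field("name")
    }'
}

sample_log | who_deleted file_delete
```

The `auid` field is the login UID, which stays fixed across `su` and `sudo`, so it names the account that logged in even when `uid` is 0. Because root can delete the local log, as the post notes, forwarding audit records to another host keeps a copy out of reach.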


