In Linux, how to identify which user has deleted a file from a directory
Hi All,
Someone deleted a file from the directory. I have restored the file from the backup file with the same name, but I want to know who deleted the file and when it was deleted. Please advise.
Most Linux systems now (kernel 2.6+, I think) support auditing using the "audit" daemon. I am not sure about the default configuration on your distro, but you can configure it to monitor your file system or a folder for changes (read, write, delete, etc.) and many other things, and it will report such activities in its log file (under Fedora it is /var/log/audit/audit.log).
Regular users have no access to the log, but if users have root access then they can delete that log, and you cannot track them easily.