In LINUX how to identify which User has deleted the file from a directory

Jayavijayan

Hi All,

Someone deleted a file from the directory. I have restored the file based upon the backup file with the same name, but I want to know who deleted the file & when it was deleted. Please advise.

Thanks,
Jay
 

How can a user delete files? Did you give them the root password?
 

Most Linux systems now (kernel 2.6+, I think) support auditing using the "audit" daemon. I am not sure about the default configuration on your distro, but you can configure it to monitor your file system or a folder for changes (read, write, delete, etc.) and many other things, and it will report such activities in its log file (under Fedora it is /var/log/audit/audit.log).

Regular users have no access to the log, but if users had root access then they can delete that log and you cannot track them easily.
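
An added example, not part of the original thread: once a directory watch is in place, the deletions the audit daemon logs can be pulled out of the audit log by grouping records on their event serial and looking for a PATH record marked DELETE. The watched directory, key name, IDs and log lines below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the audit.log layout, as a watch rule such as
#   auditctl -w /srv/shared -p wa -k file-delete
# would produce (directory, key, IDs and timestamps are made up).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1375260000.123:456): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1234 pid=1240 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="file-delete"
type=CWD msg=audit(1375260000.123:456): cwd="/srv/shared"
type=PATH msg=audit(1375260000.123:456): item=0 name="/srv/shared" inode=100 nametype=PARENT
type=PATH msg=audit(1375260000.123:456): item=1 name="report.txt" inode=101 nametype=DELETE
type=SYSCALL msg=audit(1375260050.500:460): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1300 pid=1301 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=4 comm="touch" exe="/bin/touch" key="file-delete"
type=PATH msg=audit(1375260050.500:460): item=0 name="/srv/shared" inode=100 nametype=PARENT
type=PATH msg=audit(1375260050.500:460): item=1 name="notes.txt" inode=102 nametype=CREATE
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def find_deletions(log_text):
    """Group records by event serial, then report events with a DELETE path."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        ev["time"] = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        if rtype == "PATH":
            ev["paths"].append(fields)
        else:
            ev.update(fields)  # SYSCALL carries auid/uid/exe, CWD carries cwd
    hits = []
    for ev in events.values():
        for p in ev["paths"]:
            if p.get("nametype") == "DELETE" and ev.get("success") == "yes":
                # auid is the login UID; it stays the same after su or sudo.
                hits.append({"file": p["name"], "cwd": ev.get("cwd"), "when": ev["time"].isoformat(),
                             "auid": ev.get("auid"), "uid": ev.get("uid"), "exe": ev.get("exe")})
    return hits

if __name__ == "__main__":
    for hit in find_deletions(SAMPLE_LOG):
        print(hit)
```

In the sample, the deleting process ran as uid 0 but its auid is 1001, which is the account that originally logged in.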
 
