Is it possible to find out how/when/who deleted particular directory on UNIX Aix3
Post 51186 by Perderabo on Wednesday 12th of May 2004 10:29:18 PM
Old 05-12-2004
Yow! First of all, you can do "ps -fu <uid>" to get a list of processes for a certain user. But even with that revision, I would certainly not run that script. Especially for root. I don't know AIX, but there are processes like swapper and init that are special. I wouldn't try a ptrace() on them without a lot of research.

Can you briefly unplug the system from the network? If the directory disappears while the box is unplugged from the network, you know that it's a local process. If the directory is exported via NFS or a similar service, the local box may be invoking a rmdir() or unlink(). Even without NFS, a cronjob on another system could use a remote shell. Unplugging the system for a few carefully timed seconds will tell you if another box is involved.

Deleting a directory requires write permission to the parent directory. By varying the permissions on that parent, you should be able to nail down the uid involved.

I would do a "ps -fu <uid>" in a loop around 4:00, sending the results to a file. Then I would study the file looking for any commands that could delete the directory.


Most directories are deleted by a program like rm or rmdir. Or maybe perl. For that to happen, the program must run. To run a program, you must read it. This updates atime in the inode. Run "ls -lu /usr/bin/rm" at 3:59 and 4:01. If the time doesn't change, that was not the program used.

With a little detective work, you can usually zero in on the culprit.
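
The two checks described in the post above (a `ps -fu <uid>` loop around the suspect time, and an `ls -lu` comparison of candidate programs before and after it), as an added example that is not part of the original post. The candidate list, the log file names and the 10-second interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. CANDIDATES, the output file
# names and the polling interval are assumptions; adjust them for the host.
CANDIDATES="/usr/bin/rm /usr/bin/rmdir /usr/bin/perl"

# Record the last-access time of each program given as an argument.
# Output: one line per existing file, "<path> <date fields from ls -lu>".
atime_snapshot() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        # With -u, fields 6-8 of the long listing are the access time.
        # -L follows symlinks, -d keeps a directory from being expanded.
        LC_ALL=C ls -ludL "$f" | awk -v p="$f" '{ print p, $6, $7, $8 }'
    done
}

# Print the programs whose access time differs between two snapshots.
# usage: atime_changed before.txt after.txt
atime_changed() {
    awk 'NR == FNR { seen[$1] = $0; next }
         ($1 in seen) && seen[$1] != $0 { print $1 }' "$1" "$2"
}

# Append a timestamped process listing for one user to a log file.
# usage: log_procs uid logfile
log_procs() {
    { date; ps -fu "$1"; echo; } >> "$2"
}

# "watch <uid> [rounds]": start from cron or at(1) just before the window.
if [ "${1:-}" = "watch" ]; then
    uid=$2
    rounds=${3:-30}                  # 30 rounds x 10 s = 5 minutes
    # CANDIDATES is left unquoted on purpose so it splits into paths.
    atime_snapshot $CANDIDATES > atime.before
    i=0
    while [ "$i" -lt "$rounds" ]; do
        log_procs "$uid" "ps.$uid.log"
        sleep 10
        i=$((i + 1))
    done
    atime_snapshot $CANDIDATES > atime.after
    echo "Programs read during the window:"
    atime_changed atime.before atime.after
fi
```

`ls -lu` shows only minute resolution for recent access times, and a file system mounted with access-time updates disabled will show no change even if the program ran.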
 
