UNIX for Dummies Questions & Answers

Hi,

We have a file which needs supper user previleges to delete. There are 10 users having super user preveleges. Some times back that file got deleted. How to know who has deleted that file?

Hi,
that may depend on Your file system.
I guess if You're lucky the superuser in question may have the rm/del command in their .*_history file? Otherwise I guess it would be very hard.

/Lakris

on linux you could use inotify to get a notifikation if somebody changes a file observed by inotify.

or another solution would be wrap the default rm command /bin/rm

provide a symlink to rm command like

/bin/rm -> /bin/my_own_rm

and in /bin/my_own_rm filename, who deleted_it, time_of_deletion everything could be logged but again one who has super_user permission could still modify this or bypass it without having to use /bin/my_own_rm command

but its a good way of keeping track of the files that are deleted and the user who deleted that

If you are using Linux you should be able to use the AUDIT program.

Hello -

By superuser do you mean sudo?

If so do you have access to the /var/log directory?

$ cat /var/log/auth.log | grep rm

You will see entries like this:

Dec 14 00:37:32 test-laptop sudo: joeuser : TTY=pts/0 ; PWD=/home/joeuser ; USER=root ; COMMAND=/bin/rm /tmp/fille

yrs


Michael

You'll need some kind of system accounting package, depending on the O/S you're using.
There's no default logging of super user commands, as super user is supposed to be the most trusted person to have system access. There's also security issues with logging all super user commands.

You could use a shell with history functionality (most have same form of command history), but these can be easily overcome by a malicious user. The only sure way is to install a system/process audit package and these are available for most distro's.