Is there a way to see what files a user deleted in Linux?

Is there a way to see what files an user deletes during his/her daily work. I know about bash_history, but I wonder if there is something more than this. The question is about plain Ubuntu (presumably any Linux) server installation.

If a user runs rm -fr dir1 in its home directory, would there be a log of the event? Do I have a way to easily enable such a feature?

Edit: Can I find out before installing anything? Both answers are excellent!

Thanks


Solution 1:

To monitor file system manipulation, you'll need to use inotify or the built-in auditing system with the kernel. Take a look at this page for a brief overview of your options. The man pages for inotify and auditctl are also very valuable.

These processes will tell you whenever a certain file is altered, whether or not it is done as a command in the user's history (e.g. through a GUI file manager, etc).

Solution 2:

You can enable process accounting to do this.

apt-get install acct

After it's installed you will be able to see all commands run by a user using lastcomm username. man lastcomm for more options.