Is there a way to see what files a user deleted in Linux?

linux ubuntu logging

Is there a way to see what files an user deletes during his/her daily work. I know about bash_history, but I wonder if there is something more than this. The question is about plain Ubuntu (presumably any Linux) server installation.

If a user runs rm -fr dir1 in its home directory, would there be a log of the event? Do I have a way to easily enable such a feature?

Edit: Can I find out before installing anything? Both answers are excellent!

Thanks


Solution 1:

To monitor file system manipulation, you'll need to use inotify or the built-in auditing system with the kernel. Take a look at this page for a brief overview of your options. The man pages for inotify and auditctl are also very valuable.

These processes will tell you whenever a certain file is altered, whether or not it is done as a command in the user's history (e.g. through a GUI file manager, etc).

Solution 2:

You can enable process accounting to do this.

apt-get install acct

After it's installed you will be able to see all commands run by a user using lastcomm username. man lastcomm for more options.

Related

Does a VPN connection bypass a router's firewall?
What and why is my swap space used under linux
Why Place Load-Balancer Behind Firewall?
Web site kills hard disk I/O, how to prevent?
Do firewalls and anti-virus software affect a server's performance?
Prevent sudo, apt-get, etc. from swallowing pasted input to STDIN?
tail -f without the tail?
High iowait on Amazon EC2 MySQL instance with EBS volume
First Request to IIS Express Fails with 503 Service Unavailable, Second Succeeds
WAF vs Firewall
Linux command to find and delete certain files, but output the result or verbose mode?
How to group by month from Date field using sql