Is there a way to see what files a user deleted in Linux?
Is there a way to see what files a user deletes during his/her daily work? I know about bash_history, but I wonder if there is something more than this. The question is about plain Ubuntu (presumably any Linux) server installation.
If a user runs rm -fr dir1 in their home directory, would there be a log of the event? Do I have a way to easily enable such a feature?
Edit: Can I find out before installing anything? Both answers are excellent!
Thanks
Solution 1:
To monitor file system manipulation, you'll need to use inotify or the built-in auditing system with the kernel. Take a look at this page for a brief overview of your options. The man pages for inotify and auditctl are also very valuable.
These processes will tell you whenever a certain file is altered, whether or not it is done as a command in the user's history (e.g. through a GUI file manager, etc.).
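An added example for the kernel auditing route in Solution 1 (not code from the original answer): it groups raw audit.log records by event id and reports which login user deleted which path. The log lines, the rule key user_delete and the function name deleted_files are constructed for illustration; the auditctl rule in the comment is an assumed configuration.

```python
import posixpath
import re
from collections import defaultdict
# Constructed sample in raw /var/log/audit/audit.log format (not from a real host).
# Assumed rule that would produce it (the key name "user_delete" is made up):
#   auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rmdir \
#            -F auid>=1000 -F auid!=4294967295 -k user_delete
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=263 success=yes exit=0 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="user_delete"
type=CWD msg=audit(1700000000.101:501): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:501): item=1 name="dir1/notes.txt" inode=140 nametype=DELETE
type=SYSCALL msg=audit(1700000050.007:503): arch=c000003e syscall=87 success=yes exit=0 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="user_delete"
type=CWD msg=audit(1700000050.007:503): cwd="/home/alice"
type=PATH msg=audit(1700000050.007:503): item=1 name="/etc/app.conf" inode=77 nametype=DELETE
type=SYSCALL msg=audit(1700000060.300:504): arch=c000003e syscall=87 success=no exit=-13 auid=1001 uid=1001 comm="python3" exe="/usr/bin/python3" key="user_delete"
type=CWD msg=audit(1700000060.300:504): cwd="/tmp"
type=PATH msg=audit(1700000060.300:504): item=1 name="/etc/passwd" inode=12 nametype=DELETE
"""
EVENT_ID = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def deleted_files(log_text):
    """Return (epoch, auid, uid, comm, path) for each successfully deleted path."""
    events = defaultdict(lambda: {"paths": [], "cwd": "/"})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events[tuple(map(int, m.groups()))]  # records of one event share this id
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("type") == "SYSCALL":
            ev["sc"] = f
        elif f.get("type") == "CWD":
            ev["cwd"] = f["cwd"]
        elif f.get("type") == "PATH" and f.get("nametype") == "DELETE":
            ev["paths"].append(f["name"])
    rows = []
    for (ts, _serial), ev in sorted(events.items()):
        sc = ev.get("sc")
        if not sc or sc.get("success") != "yes":
            continue  # skip denied attempts and events with no SYSCALL record
        for name in ev["paths"]:
            # Relative names are resolved against the CWD record of the same event.
            path = posixpath.normpath(posixpath.join(ev["cwd"], name))
            rows.append((ts, int(sc["auid"]), int(sc["uid"]), sc["comm"], path))
    return rows

if __name__ == "__main__":
    print(*deleted_files(SAMPLE_LOG), sep="\n")
```

The auid field is the login uid and stays the same after su or sudo, so the second sample event is still attributed to user 1000 even though it ran as uid 0. Names that audit writes hex-encoded (paths with spaces or special characters) are not decoded by this parser.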
Solution 2:
You can enable process accounting to do this.
apt-get install acct
After it's installed you will be able to see all commands run by a user using lastcomm username. man lastcomm for more options.