How can I find out which user deleted a directory?

My Ubuntu server has roughly 30 active users on it. I personally know everyone using the server. Recently, a few friends and I were working on a project. We made a new directory for the project and, since everyone knows everyone, we didn't bother protecting our work under a bunch of permissions. We should have though, because we woke up this morning to find that someone had removed our entire directory.

Our work is backed up every night, so it's really not a big deal to restore it. However, we would like to find out who removed it so we can confront them. So far the best thing we've come up with for finding our culprit is checking everyone's bash history, but this is long and tedious, and chances are that if there was malicious intent behind the directory removal, our culprit modified theirs to cover their tracks (or of course they might use a different shell).

So, basically, what is the easiest and quickest way to find out who deleted a directory?

Thanks in advance for your time.


Solution 1:

I didn't find a magic bullet answer to your question; part of that reason is detailed here: https://superuser.com/questions/178596/checking-user-command-history-in-unix

This simple command may help you track down what happened, searching for rm & mv commands in all shell history files in all users' home directories (the -H makes grep print the history file each hit came from, i.e. which user):

find /home -type f -iname '.*history' -exec grep -H 'rm\|mv' {} \;

It's good you have a valid backup to save you, but I highly recommend creating some groups for project folders and just adding user accounts to those groups; that will save you a lot of pain in the future.

Example: add a group and add project team members to it

groupadd coolproject
adduser jim coolproject
adduser joe coolproject
adduser charlie coolproject

Set the permissions properly and recursively, and guarantee access going forward for the team regardless of who creates/edits files:

chown -R yourusername:coolproject /path/to/projectdir
find /path/to/projectdir -type d -exec chmod 2775 {} \;

(the 2 sets the group ownership to "sticky"; this makes sure the group owner of anything in the project remains "coolproject")

find /path/to/projectdir -type f -exec chmod 664 {} \;

Hope that helps ya out! B-)
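The history search above can be taken a step further: attribute each hit to a user, pull out the timestamp bash records when HISTTIMEFORMAT is set (and the one zsh's EXTENDED_HISTORY always records), and only report commands that actually target the project directory. The script below is an added example, not code from the answer above. It assumes home directories sit under /home/<user> (the user is taken from the directory name), history files are named .bash_history / .zsh_history and similar, and that you run it as root so every user's file is readable. The sample home directories it builds are constructed test data; on a real server pass the real /home and the project path as arguments.

```python
"""Attribute rm/rmdir/mv commands in every user's shell history to the user
and, where available, the time they were run.

Added example (not from the original answer).  Assumptions: home directories
live under /home/<user>; history files are .bash_history / .zsh_history;
bash timestamps ('#<epoch>' lines) only exist if HISTTIMEFORMAT was set, and
zsh's EXTENDED_HISTORY format is ': <epoch>:<secs>;<command>'.  Reading
other users' histories needs root.  A user who wiped their history or used
another shell leaves no hit here; absence is not innocence."""
import os
import re
import shlex
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DELETE_CMDS = {"rm", "rmdir", "unlink", "mv", "shred", "find"}
HISTORY_NAMES = {".bash_history", ".zsh_history", ".sh_history", ".history"}
BASH_TS = re.compile(r"#(\d+)")
ZSH_EXT = re.compile(r": (\d+):\d+;(.*)")


def parse_history(text):
    """Yield (epoch_or_None, command) pairs from bash or zsh history text."""
    pending_ts = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BASH_TS.fullmatch(line)
        if m:                      # bash: timestamp line precedes the command
            pending_ts = int(m.group(1))
            continue
        m = ZSH_EXT.fullmatch(line)
        if m:                      # zsh extended history carries its own stamp
            yield int(m.group(1)), m.group(2).strip()
            continue
        yield pending_ts, line
        pending_ts = None


def is_delete_of(command, target):
    """True if any pipeline segment runs a delete/move tool against target,
    by full path or by directory name ('cd /srv && rm -rf coolproject/')."""
    name = Path(target).name
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):
        try:
            argv = shlex.split(segment)
        except ValueError:         # unbalanced quotes in a history line
            argv = segment.split()
        if argv and os.path.basename(argv[0]) == "sudo":
            argv = argv[1:]        # 'sudo rm ...'; sudo's own options not handled
        if not argv or os.path.basename(argv[0]) not in DELETE_CMDS:
            continue
        if any(target in a or Path(a).name == name for a in argv[1:]):
            return True
    return False


def search_histories(home_root, target):
    """Return hits [{user, file, time, command}] sorted by time, unknown last.
    The user name is taken from the home directory name (assumption)."""
    hits = []
    for user_dir in sorted(Path(home_root).iterdir()):
        if not user_dir.is_dir():
            continue
        for hist in user_dir.iterdir():
            if hist.name not in HISTORY_NAMES or not hist.is_file():
                continue
            try:
                text = hist.read_text(errors="replace")
            except OSError as exc:
                print(f"skipping {hist}: {exc}", file=sys.stderr)
                continue
            for ts, cmd in parse_history(text):
                if is_delete_of(cmd, target):
                    hits.append({"user": user_dir.name, "file": str(hist),
                                 "time": ts, "command": cmd})
    hits.sort(key=lambda h: (h["time"] is None, h["time"] or 0))
    return hits


def format_hit(hit):
    when = ("unknown time" if hit["time"] is None else
            datetime.fromtimestamp(hit["time"], tz=timezone.utc).isoformat())
    return f"{when}  {hit['user']:<10} {hit['command']}    ({hit['file']})"


def build_demo_homes():
    """Constructed sample: three fake home dirs with made-up histories."""
    root = Path(tempfile.mkdtemp(prefix="homes_"))
    samples = [
        ("jim", ".bash_history",                # stamped, only benign commands
         "#1700000000\ncd /srv/coolproject\n#1700000100\ngit status\n"
         "#1700000200\nrm -rf /tmp/build\n"),
        ("joe", ".zsh_history",                 # zsh extended history
         ": 1700003600:0;cd /srv\n: 1700003620:0;rm -rf coolproject/\n"),
        ("charlie", ".bash_history",            # no HISTTIMEFORMAT: no stamps
         "ls\nchmod -R g+w /srv/coolproject\nmv /srv/coolproject /tmp/x\n"),
    ]
    for user, fname, content in samples:
        (root / user).mkdir()
        (root / user / fname).write_text(content)
    return root


if __name__ == "__main__":
    home = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_homes()
    target = sys.argv[2] if len(sys.argv) > 2 else "/srv/coolproject"
    for h in search_histories(home, target):
        print(format_hit(h))
```

Run as root with `python3 hist_audit.py /home /path/to/projectdir`. Hits without a timestamp come last; on the demo data joe's `rm -rf coolproject/` is reported with its time and charlie's `mv` without one. It matches commands, not effects, so a `find ... -delete` or an alias still needs a human look, and it says nothing about a user who cleared their history.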

Solution 2:

In theory it is possible to find out the delete time, so this can narrow the users down.

Check i_dtime in the ext2 specs.
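What i_dtime gives you, concretely: each on-disk inode in ext2/ext3/ext4 carries a 32-bit deletion time at byte offset 20, set when the last link is removed, and it stays in the inode table until that inode slot is reused. The script below is an added example, not from the answer above; it decodes the leading fields of the on-disk struct ext2_inode (little-endian, the same first 128 bytes on ext3/ext4) and scans an inode-table image for entries with a deletion time. The inode table it scans is constructed test data. The caveat a practitioner wants: the inode records the owner (i_uid), never the user who deleted it, so this narrows the time window, not the suspect list directly.

```python
"""Decode the deletion time (i_dtime) from raw ext2/ext3/ext4 inodes.

Added example, not from the original answer.  Field offsets are those of
the on-disk struct ext2_inode in the ext2 specification (little-endian);
the first 128 bytes have the same layout on ext3/ext4, larger inode sizes
only append fields.  The inode table bytes built here are constructed test
data.  Caveat: an inode records the file's owner (i_uid), not the deleter."""
import struct
from datetime import datetime, timezone

# struct ext2_inode, first 36 bytes:
#   i_mode u16 @0, i_uid u16 @2, i_size u32 @4, i_atime @8, i_ctime @12,
#   i_mtime @16, i_dtime @20, i_gid u16 @24, i_links_count u16 @26,
#   i_blocks u32 @28, i_flags u32 @32
INODE_HEAD = struct.Struct("<HHIIIIIHHII")
S_IFMT, S_IFDIR = 0o170000, 0o040000


def parse_inode(raw):
    """Return the leading fields of one on-disk inode as a dict."""
    if len(raw) < INODE_HEAD.size:
        raise ValueError("inode buffer shorter than %d bytes" % INODE_HEAD.size)
    (mode, uid, size, atime, ctime, mtime, dtime,
     gid, links, blocks, flags) = INODE_HEAD.unpack_from(raw, 0)
    return {"mode": mode, "uid": uid, "gid": gid, "size": size,
            "atime": atime, "ctime": ctime, "mtime": mtime, "dtime": dtime,
            "links": links, "blocks": blocks, "flags": flags}


def is_directory(mode):
    return (mode & S_IFMT) == S_IFDIR


def deleted_inodes(table, inode_size=128, only_dirs=False):
    """Scan an inode-table image; return [(index, fields)] for every inode
    whose i_dtime is set.  index is 0-based within the image (on-disk inode
    numbers start at 1, so add the table's first inode number)."""
    out = []
    for idx in range(len(table) // inode_size):
        rec = parse_inode(table[idx * inode_size:(idx + 1) * inode_size])
        if rec["dtime"] and (not only_dirs or is_directory(rec["mode"])):
            out.append((idx, rec))
    return out


def fmt_time(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def make_inode(mode, uid, gid, atime, ctime, mtime, dtime, links,
               size=0, blocks=0, inode_size=128):
    """Constructed sample inode: pack the head fields, zero the rest."""
    head = INODE_HEAD.pack(mode, uid, size, atime, ctime, mtime, dtime,
                           gid, links, blocks, 0)
    return head + bytes(inode_size - len(head))


def build_demo_table():
    """Three constructed inodes: a live directory, a directory deleted at
    epoch 1700003620 (on removal of the last link the filesystem sets
    i_dtime and i_links_count drops to 0), and a live regular file."""
    return (
        make_inode(0o040775, 1001, 1005, 1700000000, 1700000000, 1700000000, 0, 2)
        + make_inode(0o040775, 1001, 1005, 1700000050, 1700003620, 1700000050,
                     1700003620, 0)
        + make_inode(0o100664, 1002, 1005, 1700001000, 1700001000, 1700001000, 0, 1)
    )


if __name__ == "__main__":
    for idx, rec in deleted_inodes(build_demo_table(), only_dirs=True):
        print("inode slot %d: directory owned by uid %d deleted at %s"
              % (idx, rec["uid"], fmt_time(rec["dtime"])))
```

On a real ext filesystem you do not normally need to parse the table yourself: `debugfs -R "stat <N>" /dev/sdXN` prints the times of inode N including dtime, and `debugfs -R "lsdel" /dev/sdXN` lists inodes that have a deletion time. lsdel is useful on ext2 but typically finds nothing on ext3/ext4, where block pointers are cleared at deletion. Two more ext3/ext4 caveats: while an inode is on the orphan list, i_dtime temporarily holds a next-inode pointer rather than a time, and the slot is gone the moment a new file reuses the inode, so copy the device (or at least run these checks) before more work lands on the filesystem.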