topic Re: Deleted /root directory in Operating System - Linux

Deleted /root directory

WW288996 — Mon, 10 Aug 2009 07:21:38 GMT

Hi,

I have found that /root directory is deleted from one of our linux server (RHEL4).

I have again created that file but i have lost some data.

Is there any way we can check which user or from which machine he/she deleted /root directory.

I want to see all commands executed using root account

I want to check who is deleted /root or from which ip he logged in to the server.

Is there any logs which shows all root related operations, i have seen one log in HP-UX which stores all root related operations.

Please help me in this regard.

Thanks in advance.

Re: Deleted /root directory

Steven E. Protter — Mon, 10 Aug 2009 08:45:02 GMT

Shalom,

It works just like HP-UX if command log auditing is not turned on.

You need to check the sulog for who switched to root. Unless you have more than one user UID zero a regular user can not do this.

last -R suppressed the hostname display. last by default shows the hostname or the ip address of the system logging in. IP only if hostname does not resolve.

SEP

Re: Deleted /root directory

Thomas Callahan — Mon, 10 Aug 2009 16:17:18 GMT

Most Linux distro's don't have auditing enabled by default, due to the need to setup for your needs.

if /root was deleted, the root user's history file is gone as well, so nix that possibility.

How many people know the root password? How many users are created that have uid 0? You could check various log files in /var, but if it was done intentionally, they more than likely modified the logs as well.