Deleted /root directory

WW288996
Frequent Advisor

Hi,

I have found that the /root directory is deleted from one of our Linux servers (RHEL4).

I have again created that file, but I have lost some data.

Is there any way we can check which user deleted the /root directory, or from which machine he/she did it?

I want to see all commands executed using root account

I want to check who deleted /root, or from which IP he logged in to the server.

Are there any logs which show all root-related operations? I have seen one log in HP-UX which stores all root-related operations.

Please help me in this regard.

Thanks in advance.


Steven E. Protter
Exalted Contributor

Re: Deleted /root directory

Shalom,

It works just like HP-UX if command log auditing is not turned on.

You need to check the sulog for who switched to root. Unless you have more than one user with UID zero, a regular user cannot do this.

last -R suppresses the hostname display. last by default shows the hostname or the IP address of the system logging in; IP only if the hostname does not resolve.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Thomas Callahan
Valued Contributor

Re: Deleted /root directory

Most Linux distros don't have auditing enabled by default, due to the need to set it up for your needs.

If /root was deleted, the root user's history file is gone as well, so nix that possibility.

How many people know the root password? How many users are created that have uid 0? You could check various log files in /var, but if it was done intentionally, they more than likely modified the logs as well.
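The two replies point at the same triage: who switched to root (on RHEL the su events land in /var/log/secure via pam_unix, the Linux equivalent of the HP-UX sulog) and where root sessions came from (`last`, read from /var/log/wtmp, with the host column kept). The script below is an added example, not from either reply; it runs the same checks over constructed sample lines, and in real use you would feed it the actual /var/log/secure and `last -a` output, bearing in mind the caveat above that an intentional actor may have edited those logs too.

```shell
#!/bin/sh
# Added example: triage of "who became root, and from where" on an RHEL-style box.
# All sample data below is constructed; substitute real /var/log/secure and `last` output.

# Constructed /var/log/secure lines in pam_unix su / sshd format.
SECURE_SAMPLE='Jun 12 09:14:02 srv1 su: pam_unix(su:session): session opened for user root by alice(uid=500)
Jun 12 11:02:17 srv1 sshd[2211]: Accepted password for root from 192.0.2.45 port 51234 ssh2
Jun 12 11:40:55 srv1 su: pam_unix(su:session): session opened for user root by bob(uid=501)
Jun 12 13:00:01 srv1 su: pam_unix(su-l:session): session opened for user root by alice(uid=500)'

# Constructed `last` output (hostname column present, i.e. run without -R).
LAST_SAMPLE='root     pts/1        192.0.2.45       Thu Jun 12 11:02   still logged in
alice    pts/0        wks-alice.corp   Thu Jun 12 09:10 - 12:30  (03:20)
bob      pts/2        192.0.2.77       Thu Jun 12 11:38 - 11:50  (00:12)
root     tty1                          Wed Jun 11 22:01 - 22:05  (00:04)'

# Who switched to root via su: one line per invoking user, most frequent first.
su_to_root() {
    printf '%s\n' "$SECURE_SAMPLE" \
      | sed -n 's/.*session opened for user root by \([^(]*\)(uid=\([0-9]*\)).*/\1 uid=\2/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Direct root logins with their source host/IP from `last`; local ttys have no
# host column, so the third field is a weekday name and they are skipped.
root_logins() {
    printf '%s\n' "$LAST_SAMPLE" \
      | awk '$1 == "root" && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $2, $3 }'
}

# Source addresses of successful ssh root logins; these are in /var/log/secure and
# remain available even if wtmp has been rotated or cleared.
ssh_root_sources() {
    printf '%s\n' "$SECURE_SAMPLE" \
      | awk '/sshd/ && /Accepted/ && $9 == "root" { print $11 }' | sort -u
}
```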