- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - Linux
- >
- Deleted /root directory
Operating System - Linux
1753500
Members
4556
Online
108794
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2009 12:21 AM
тАО08-10-2009 12:21 AM
Deleted /root directory
Hi,
I have found that /root directory is deleted from one of our linux server (RHEL4).
I have again created that file but i have lost some data.
Is there any way we can check which user or from which machine he/she deleted /root directory.
I want to see all commands executed using root account
I want to check who is deleted /root or from which ip he logged in to the server.
Is there any logs which shows all root related operations, i have seen one log in HP-UX which stores all root related operations.
Please help me in this regard.
Thanks in advance.
I have found that /root directory is deleted from one of our linux server (RHEL4).
I have again created that file but i have lost some data.
Is there any way we can check which user or from which machine he/she deleted /root directory.
I want to see all commands executed using root account
I want to check who is deleted /root or from which ip he logged in to the server.
Is there any logs which shows all root related operations, i have seen one log in HP-UX which stores all root related operations.
Please help me in this regard.
Thanks in advance.
2 REPLIES 2
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2009 01:45 AM
тАО08-10-2009 01:45 AM
Re: Deleted /root directory
Shalom,
It works just like HP-UX if command log auditing is not turned on.
You need to check the sulog for who switched to root. Unless you have more than one user UID zero a regular user can not do this.
last -R suppressed the hostname display. last by default shows the hostname or the ip address of the system logging in. IP only if hostname does not resolve.
SEP
It works just like HP-UX if command log auditing is not turned on.
You need to check the sulog for who switched to root. Unless you have more than one user UID zero a regular user can not do this.
last -R suppressed the hostname display. last by default shows the hostname or the ip address of the system logging in. IP only if hostname does not resolve.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2009 09:17 AM
тАО08-10-2009 09:17 AM
Re: Deleted /root directory
Most Linux distro's don't have auditing enabled by default, due to the need to setup for your needs.
if /root was deleted, the root user's history file is gone as well, so nix that possibility.
How many people know the root password? How many users are created that have uid 0? You could check various log files in /var, but if it was done intentionally, they more than likely modified the logs as well.
if /root was deleted, the root user's history file is gone as well, so nix that possibility.
How many people know the root password? How many users are created that have uid 0? You could check various log files in /var, but if it was done intentionally, they more than likely modified the logs as well.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP