Operating System - HP-UX

Re: Files deleted,need to know who deleted????

 
S.N.S
Valued Contributor

Re: Files deleted,need to know who deleted????

Yes, as others opined - it's hard to find unless the auditing was set before this happened.

Try the script and let us know; and from the lesson learnt, give access permission only to those responsible. You can use ACLs etc. (from next time onwards).
Have a check at the CIS Internet Security Standards of HP for future implementation.

http://cisecurity.org/en-us/?route=downloads.show.single.hpux.150

HTH
SNS
"Genius is 1% inspiration, 99% Perspiration" - Edison
Rita C Workman
Honored Contributor

Re: Files deleted,need to know who deleted????

As others have mentioned, if you don't have some kind of software that logs keystrokes, you're going to have a problem finding this.

What R.O. suggested is likely your only open option. The only issue with it is that most user keystroke history files are just that, a single file that only maintains so many lines of history.
So by the time you realize the files have been removed, the evidence is likely gone out of "whoever's" .sh_history file.

Now you could get logging software, turn on auditing, or you could change everyone's .profile so their .sh_history file becomes a directory with multiple history files, so you don't lose the keystroke data so fast. Try something like this:

HISTFILE=//.hist/HIST$$
export HISTFILE
HISTSIZE=100
export HISTSIZE

Advantage - you didn't turn on auditing and you get more keystroke history; you didn't have to get some third-party software installed and configured.
Disadvantage - You have to implement on (how many users) .profile; you now get a lot more files you need to keep cleaned up. Likely using some quickie script in cron to just go clean these up.

Just a thought,
Rita

Prasanth V Aravind
Trusted Contributor

Re: Files deleted,need to know who deleted????

It's very simple....

If you want to know which culprit did this, you should have the activity history log... do you have it????

Else configure it, so you can avoid these types of issues in future.

Steps:--


Pre-implementation steps:-
===============================
1. cp /etc/profile /etc/profile.old




Implementation steps:-
=========================

1. Log in to the server & run the below commands.

cp /etc/profile /etc/profile.old
mkdir /var/adm/commandlog/
chmod 733 /var/adm/commandlog/

2. vi /etc/profile & remove old history definitions if they exist.

3. Add the below entry at the end of the profile file.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
HISTFILESIZE=5000
HISTSIZE=5000
export HISTFILE HISTSIZE HISTFILESIZE


Verification plan:-
============
1. Log in to the server again & check whether you can see the history file for your new session in /var/adm/commandlog/

Backup plan:-
=====================
cp /etc/profile.old /etc/profile


THIS IS TESTED & WORKING IN MY SITE, WHERE I AM HAVING 600+ SERVERS

GOOD LUCK
Prasanth
Prasanth V Aravind
Trusted Contributor

Re: Files deleted,need to know who deleted????

Make sure that this history file definition is on a single line when you edit the profile.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
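One way to search the per-session files that the HISTFILE line above produces for deletion commands, added here as an example and not written by any poster in this thread. The field layout is read off that filename format; the host, user names, addresses and history contents in `demo` are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Filename layout assumed from the HISTFILE line above:
#   history_<host>_<YYYY>_<Mon>_<DD>_<HH.MM.SS>_<user>_from_<login>_<origin>
# <user> is whoami (effective user), <login> is the "who am i" login name.
# Assumption: <host> and <login> contain no underscore.

# find_deletions DIR PATTERN -> host|date time|user|login|command
# PATTERN is an extended regular expression matched after rm/rmdir/unlink.
find_deletions() {
    fd_dir=$1
    fd_pat=$2
    for fd_file in "$fd_dir"/history_*_from_*; do
        [ -f "$fd_file" ] || continue
        fd_name=${fd_file##*/}
        fd_name=${fd_name#history_}
        fd_right=${fd_name#*_from_}
        IFS=_ read -r fd_host fd_y fd_mon fd_d fd_t fd_user <<EOF
${fd_name%%_from_*}
EOF
        # History files may hold NULs and other non-text bytes
        # (assumption about the shell's format); normalise before grep.
        tr '\000' '\n' < "$fd_file" | tr -cd '[:print:]\t\n' |
        grep -E "(^|[;&|[:space:]])(rm|rmdir|unlink)[[:space:]].*$fd_pat" |
        while IFS= read -r fd_cmd; do
            printf '%s|%s-%s-%s %s|%s|%s|%s\n' "$fd_host" "$fd_y" "$fd_mon" \
                "$fd_d" "$fd_t" "$fd_user" "${fd_right%%_*}" "$fd_cmd"
        done
    done
}

# demo: run the search over two constructed session files.
demo() {
    demo_dir=${TMPDIR:-/tmp}/cmdlog_demo.$$
    mkdir "$demo_dir" || return 1
    printf 'ls /data\nrm -rf /data/reports\n' \
        > "$demo_dir/history_hpux01_2011_Mar_04_10.15.30_root_from_alice_10.0.0.5"
    printf 'cd /tmp\nvi notes.txt\n' \
        > "$demo_dir/history_hpux01_2011_Mar_04_11.02.00_bob_from_bob_10.0.0.9"
    find_deletions "$demo_dir" '/data'
    rm -rf "$demo_dir"
}

demo
```

A line where the user and login fields differ, as in the constructed `root` session opened from `alice`, is the one that ties a privileged deletion back to a named login.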

Taifur
Respected Contributor

Re: Files deleted,need to know who deleted????

Hi,

Check the syslog and history file.

Cheers//
taifur
Steven Schweda
Honored Contributor

Re: Files deleted,need to know who deleted????

> THIS IS TESTED & WORKING IN MY SITE, [...]

Where everyone uses the right shell, and
all commands are run interactively, and no
"culprit" is smart enough to find and destroy
the evidence, and ...


> I want to know that who is the culprit
> behind this.

Why do these threads always involve setting
up the security surveillance cameras _after_
the robbery?