05-05-2010 07:18 AM
Re: Files deleted,need to know who deleted????
Try the script and let us know; and from the lesson learnt, give access permission only to those responsible. You can use ACLs etc. (from next time onwards).
Have a check at the CIS Internet Security Standards of HP for future implementation
http://cisecurity.org/en-us/?route=downloads.show.single.hpux.150
HTH
SNS
05-05-2010 11:38 AM
Re: Files deleted,need to know who deleted????
What R.O. suggested is likely your only open option. The only issue with it is that most user keystroke history files are just that: a single file that only maintains so many lines of history.
So by the time you realize the files have been removed, the evidence is likely gone out of "whoever's" .sh_history file.
Now you could get logging software, turn on auditing, or you could change everyone's .profile so their .sh_history file becomes a directory with multiple history files, so you don't lose the keystroke data so fast. Try something like this:
HISTFILE=/
export HISTFILE
HISTSIZE=100
export HISTSIZE
Advantage - you didn't turn on auditing and you get more keystroke history; you didn't have to get some third-party software installed and configured.
Disadvantage - You have to implement on (how many users) .profile; you now get a lot more files you need to keep cleaned up. Likely using some quickie script in cron to just go clean these up.
Just a thought,
Rita
05-05-2010 11:20 PM
Re: Files deleted,need to know who deleted????
If you want to know which culprit did this, you should have the activity history log. Do you have it?
Otherwise configure it, so you can avoid these types of issues in future.
Steps:--
Pre-implementation steps:-
===============================
1. cp /etc/profile /etc/profile.old
Implementation steps:-
=========================
1. Login to server & run below commands.
cp /etc/profile /etc/profile.old
mkdir /var/adm/commandlog/
chmod 733 /var/adm/commandlog/
2. vi /etc/profile & remove old history definitions if any exist.
3. Add the entry below at the end of the profile file.
export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
HISTFILESIZE=5000
HISTSIZE=5000
export HISTFILE HISTSIZE HISTFILESIZE
Verification plan:-
============
1. Log in to the server again & check whether you are able to see the history file for your new session in /var/adm/commandlog/
Backup plan:-
=====================
cp /etc/profile.old /etc/profile
THIS IS TESTED & WORKING IN MY SITE, WHERE I AM HAVING 600+ SERVERS
GOOD LUCK
Peasanth
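An added example, not part of the post above and not HP tooling: with mode 733 and no sticky bit, any user who can write to the log directory can also unlink or rename other users' history files in it. The check below flags that condition and a world-listable directory; `check_histdir` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a shared per-session history directory such as
# /var/adm/commandlog. check_histdir is a hypothetical helper name.

# Prints one finding per line; returns 0 if the directory passes, 1 if not.
check_histdir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi

    # Characters 1-10 of `ls -ld` are file type + mode, e.g. drwx-wx-wt
    perms=$(ls -ld "$dir" | cut -c1-10)
    other=$(echo "$perms" | cut -c8-10)
    rc=0

    # Write permission for "other" and no sticky bit (t/T): any user can
    # unlink or rename another user's history file.
    case $other in
        ?w[x-]) echo "WEAK: $dir ($perms) world-writable, no sticky bit"; rc=1 ;;
    esac

    # Read permission for "other": any user can list session file names.
    case $other in
        r??) echo "WEAK: $dir ($perms) world-listable"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $dir ($perms)"
    return $rc
}
```

A directory created with `chmod 1733` passes this check. The sticky bit only protects other users' files: each user can still edit or remove the history file of their own session.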
05-05-2010 11:21 PM
Re: Files deleted,need to know who deleted????
export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
05-05-2010 11:27 PM
Re: Files deleted,need to know who deleted????
Check the syslog and history file.
Cheers//
taifur
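Checking the history files, as an added example that is not from any poster or from HP: with one history file per session, named as in the HISTFILE line posted earlier in the thread, a search for delete commands can report the effective user, the login user and origin, and the session start from the file name. `who_removed` is a hypothetical helper name; the sketch assumes host names contain no date-like component and that commands were typed interactively in a shell that honours HISTFILE.

```shell
#!/bin/sh
# Added example: search per-session history files for delete commands.
# Assumed file naming, taken from the thread's HISTFILE line:
#   history_<host>_<YYYY>_<Mon>_<DD>_<HH.MM.SS>_<user>_from_<loginuser>_<origin>
# who_removed is a hypothetical helper name.

# Usage: who_removed <logdir> <path-fragment>
# Prints: user|loginuser_origin|session_start|command
who_removed() {
    logdir=$1
    frag=$2
    for f in "$logdir"/history_*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Pull user, login details and date stamp out of the file name.
        meta=$(echo "$name" | sed -n \
          's/^history_.*_\([0-9]\{4\}_[A-Za-z]*_[0-9]\{2\}_[0-9.]\{8\}\)_\(.*\)_from_\(.*\)$/\2|\3|\1/p')
        [ -n "$meta" ] || continue
        # History files can contain NULs and other non-text bytes,
        # so keep printable characters, tabs and newlines only.
        tr -cd '\11\12\40-\176' < "$f" |
          grep -E '(^|[;&|[:space:]])(rm|rmdir|unlink|mv)[[:space:]]' |
          grep -F -- "$frag" |
          while IFS= read -r cmd; do
              echo "$meta|$cmd"
          done
    done
}
```

Run it as `who_removed /var/adm/commandlog /path/of/interest`. A session with no match proves nothing: non-interactive commands, other shells and edited history files leave no trace here.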
05-06-2010 05:31 AM
Re: Files deleted,need to know who deleted????
Where everyone uses the right shell, and
all commands are run interactively, and no
"culprit" is smart enough to find and destroy
the evidence, and ...
> I want to know that who is the culprit
> behind this.
Why do these threads always involve setting
up the security surveillance cameras _after_
the robbery?