HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

can we know who deleted a particular file. & is there any process to get back that file.

 
uadmin_1
Occasional Contributor

can we know who deleted a particular file. & is there any process to get back that file.

Hi,

can we know who deleted a particular file in HPUX.
and is there any process to get back that file.

any other way to restrict file deletion except setuid,setgid & setid
5 REPLIES
Torsten.
Acclaimed Contributor

Re: can we know who deleted a particular file. & is there any process to get back that file.

You need to restore from backup.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Mel Burslan
Honored Contributor

Re: can we know who deleted a particular file. & is there any process to get back that file.

unless you have auditing turned on, or any other trip-wire like mechanism running on this system, watching that file, the answer is, no, you can not tell with 100% surety, who deleted the file. You can scan the .sh_history or equivalent for each logged on user to see the commands they executed, but since this file can be modified by the end user, you can not trust the integrity of this file. But, with luck, you might find the culprit.

And as Torsten said, there is no undelete in any form of stock unix installation, including hpux. If you lost a file by accident, cross your fingers and pray that you have a recently backed up copy on tape somewhere. Otherwise, you're out of luck.
________________________________
UNIX because I majored in cryptology...
klb
Valued Contributor

Re: can we know who deleted a particular file. & is there any process to get back that file.


Some OS are getting to the point where it ~might~ be possible to roll backwards and "see" previous versions of files, but not HPUX.

The only defense you have against this sort of thing is solid backup strategy.

If you had a server somewhere setup to mirror your FS's via something like rsync and you had built in a delay, you might be able to catch this and stop the sync process before the users actions were duplicated, thus saving the file(s). Even that would be a timing issue and you'd need some luck to be successful.

As for finding who deleted the file... not really possible, but you may have some luck by looking through shell history files system wide and searching for the file name and/or the name of the directory where the file lived.
DIR="name of directory"
FILE="name of file"

Hth,

-klb

Mel Burslan
Honored Contributor

Re: can we know who deleted a particular file. & is there any process to get back that file.

In the light of what klb said, if this file was resident on some sort of SAN back-end and if you are doing something similar to periodic snap clones, you might roll back to the the most recent clone and retrieve your file from there, but this is not an HPUX functionality. It is a SAN provided utility if you had it to start with.
________________________________
UNIX because I majored in cryptology...
James R. Ferguson
Acclaimed Contributor

Re: can we know who deleted a particular file. & is there any process to get back that file.

Hi:

> any other way to restrict file deletion except setuid,setgid & setid

A directory determines the file's fate. That is, if you have write permissions to the *directory* then you can delete entities within the directory.

The 'setuid' bit is not going to do anything. If you have the 'setgid' bit set on the file's directory, some additonal protection is provided insofar as only the owner of a file can delete it.

Of course, if it's the root user doing the removal, then you are out-of-luck.

By design, Unix does what it is told to do without fuss. If you delete a file you better have a backup if you later decide you want it.

Regards!

...JRF...