HPE Community
Operating System - HP-UX
1753730 Members
4727 Online
108799 Solutions
New Discussion юеВ

can we know who deleted a particular file. & is there any process to get back that file.

 
uadmin_1
Occasional Contributor

тАО05-16-2011 07:02 AM

тАО05-16-2011 07:02 AM

can we know who deleted a particular file. & is there any process to get back that file.

Hi,

can we know who deleted a particular file in HPUX.
and is there any process to get back that file.

any other way to restrict file deletion except setuid,setgid & setid
0 Kudos
Reply
5 REPLIES 5
Torsten.
Acclaimed Contributor

тАО05-16-2011 07:08 AM

тАО05-16-2011 07:08 AM

Re: can we know who deleted a particular file. & is there any process to get back that file.

You need to restore from backup.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
Mel Burslan
Honored Contributor

тАО05-16-2011 08:13 AM

тАО05-16-2011 08:13 AM

Re: can we know who deleted a particular file. & is there any process to get back that file.

unless you have auditing turned on, or any other trip-wire like mechanism running on this system, watching that file, the answer is, no, you can not tell with 100% surety, who deleted the file. You can scan the .sh_history or equivalent for each logged on user to see the commands they executed, but since this file can be modified by the end user, you can not trust the integrity of this file. But, with luck, you might find the culprit.

And as Torsten said, there is no undelete in any form of stock unix installation, including hpux. If you lost a file by accident, cross your fingers and pray that you have a recently backed up copy on tape somewhere. Otherwise, you're out of luck.
________________________________
UNIX because I majored in cryptology...
0 Kudos
Reply
klb
Valued Contributor

тАО05-16-2011 08:18 AM

тАО05-16-2011 08:18 AM

Re: can we know who deleted a particular file. & is there any process to get back that file.


Some OS are getting to the point where it ~might~ be possible to roll backwards and "see" previous versions of files, but not HPUX.

The only defense you have against this sort of thing is solid backup strategy.

If you had a server somewhere setup to mirror your FS's via something like rsync and you had built in a delay, you might be able to catch this and stop the sync process before the users actions were duplicated, thus saving the file(s). Even that would be a timing issue and you'd need some luck to be successful.

As for finding who deleted the file... not really possible, but you may have some luck by looking through shell history files system wide and searching for the file name and/or the name of the directory where the file lived.
DIR="name of directory"
FILE="name of file"

Hth,

-klb

0 Kudos
Reply
Mel Burslan
Honored Contributor

тАО05-16-2011 08:33 AM

тАО05-16-2011 08:33 AM

Re: can we know who deleted a particular file. & is there any process to get back that file.

In the light of what klb said, if this file was resident on some sort of SAN back-end and if you are doing something similar to periodic snap clones, you might roll back to the the most recent clone and retrieve your file from there, but this is not an HPUX functionality. It is a SAN provided utility if you had it to start with.
________________________________
UNIX because I majored in cryptology...
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО05-16-2011 08:44 AM

тАО05-16-2011 08:44 AM

Re: can we know who deleted a particular file. & is there any process to get back that file.

Hi:

> any other way to restrict file deletion except setuid,setgid & setid

A directory determines the file's fate. That is, if you have write permissions to the *directory* then you can delete entities within the directory.

The 'setuid' bit is not going to do anything. If you have the 'setgid' bit set on the file's directory, some additonal protection is provided insofar as only the owner of a file can delete it.

Of course, if it's the root user doing the removal, then you are out-of-luck.

By design, Unix does what it is told to do without fuss. If you delete a file you better have a backup if you later decide you want it.

Regards!

...JRF...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.