Operating System - HP-UX
Jim Mickens
Frequent Advisor

deleted files question

Can anybody tell me if there is any way to find out what user deleted a specific file?

Someone deleted a file that Oracle (7.3.4) needed, and my boss wants me to figure out who did it and why. I told him I didn't think there was a way to do that, but I thought I'd try and get a confirmation. Pointy-haired types don't like to hear that.

HP-UX v10.20
John Palmer
Honored Contributor
Solution

Re: deleted files question

If you are running MeasureWare then the process history will contain details of which user ran 'rm' and when. It won't tell you what file was removed, though, so it may not be much use.
John_16
New Member

Re: deleted files question

No, UNIX does not keep track of who deleted what files. Your best bet is to scan through everyone's .sh_history and maybe you might be able to find something. But the odds of that are slim since the file that was probably deleted was probably owned by the userid oracle... in which case you'd have to go and check to see who switched users to oracle and then check those users' .sh_history files.
whazup
Tom Danzig
Honored Contributor

Re: deleted files question

If you have auditing turned on, and are auditing event "delete", you may be able to find out (provided the user who did it is an audited user). By default, the auditing files are in the /.secure/etc directory.
Rick Garland
Honored Contributor

Re: deleted files question

If you are using the .sh_history for the users, parse through these files and find the rm command. Depending on how the HIST is set up, you may need to act fairly quickly as the oldest commands are bumped out of the list and replaced with the newer commands.
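
The history search that John_16 and Rick Garland describe, written out as an added example that is not part of the original thread. It assumes all home directories sit under one parent directory and that history is kept in ~/.sh_history; the function names, user names and the file name initTEST.ora are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes home directories sit under one
# parent directory and that shell history is kept in ~/.sh_history.

# scan_histories HOMES TARGET
# Prints "user: rm: <command>" for rm commands that mention TARGET and
# "user: su: <command>" for switches to the oracle account.
scan_histories() {
    homes=$1
    target=$2
    for hist in "$homes"/*/.sh_history; do
        [ -r "$hist" ] || continue
        user=$(basename "$(dirname "$hist")")
        # History entries are separated by NUL bytes; turn every
        # non-printable byte into a line break so each command is one line.
        LC_ALL=C tr -c '[:print:]\t' '\n' < "$hist" |
        LC_ALL=C awk -v user="$user" -v target="$target" '
            # rm used as a command word, with the target among its arguments
            /(^|[;&| \t])rm[ \t]/ && index($0, target) { print user ": rm: " $0 }
            # su oracle / su - oracle
            /(^|[;&| \t])su[ \t]+(-[ \t]+)?oracle([ \t]|$)/ { print user ": su: " $0 }
        '
    done
}

# Constructed sample histories (user names and paths are made up).
make_sample() {
    mkdir -p "$1/alice" "$1/bob" "$1/carol"
    printf 'ls -l\000su - oracle\000' > "$1/alice/.sh_history"
    printf 'cd /tmp\000rm -f scratch.log\000rm /tmp/demo/initTEST.ora\000' \
        > "$1/bob/.sh_history"
    printf 'perform initTEST.ora\000echo initTEST.ora\000' > "$1/carol/.sh_history"
}

sample=$(mktemp -d)
make_sample "$sample"
scan_histories "$sample" initTEST.ora
rm -rf "$sample"
```

A hit only shows that the command was typed in that account's shell, and entries that have already rolled out of the history file cannot be recovered this way.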
Jim Mickens
Frequent Advisor

Re: deleted files question

Thanks to everyone for the quick replies. We don't have auditing turned on, and no MeasureWare. .sh_history turned up nothing (was probably done too long ago), so I guess I'll have to rely on the honesty of my users.

I've already had the conversation with my DBA about putting critical files in the user's production directories. It was just a matter of time before something like this happened. Now he has to spend the rest of the day recovering Oracle.