Track user activity on UNIX

Posted on 2012-08-28
Medium Priority
Last Modified: 2012-09-01
Hello experts,
I have a user that deleted work files saved on a shared folder on our system.
Is there any way to access a log that provides information that would prove that they deleted these files?
Question by: dina78

Expert Comment

ID: 38339998
What is the OS?

If the user is using ksh or bash then you could look at the command history in their home dir:

ksh: ~/.sh_history

bash: ~/.bash_history

Expert Comment

ID: 38344471
If you have auditing enabled, you can probably find the exact details in there...
But how it's configured would depend on which OS flavor you're using.

Accepted Solution

madunix earned 2000 total points
ID: 38358235
Audit logging should be configured on your system. You may give the pam_tty_audit module a try if you want to keep track of all the commands they use. You can enable this module only for a particular user, then track the commands executed by that user.

Another method would be using sudo; with sudo, each and every command gets logged to the /var/log/secure file, so it's easy to track user activities.

You could also check http://people.redhat.com/sgrubb/audit/

Read (Sample for Redhat)
How can I log all the commands that are run by root? - http://kbase.redhat.com/faq/docs/DOC-9131
How can I use audit to see who changed a file in Red Hat Enterprise Linux? - http://kbase.redhat.com/faq/docs/DOC-10108
How do I configure audit to log all files opened on a system in Red Hat Enterprise Linux? - http://kbase.redhat.com/faq/docs/DOC-7428
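
As an added example that is not part of the original answers: the audit approach the accepted solution points to, shown as a shell filter that correlates raw audit records to name who deleted files under a watched directory. The `/srv/shared` path, the `shared_delete` key and the log records are constructed, and the record layout assumes x86_64 Linux audit output; the watch rule must already have been active when the files were deleted.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a watch rule existed BEFORE the
# deletion, e.g.:  auditctl -w /srv/shared -p wa -k shared_delete
# /srv/shared, the key name and every record below are constructed.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1346140800.123:4242): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=2150 auid=1001 uid=1001 tty=pts1 ses=12 comm="rm" exe="/bin/rm" key="shared_delete"
type=CWD msg=audit(1346140800.123:4242): cwd="/srv/shared"
type=PATH msg=audit(1346140800.123:4242): item=0 name="/srv/shared" inode=130 nametype=PARENT
type=PATH msg=audit(1346140800.123:4242): item=1 name="/srv/shared/report.doc" inode=131 nametype=DELETE
type=SYSCALL msg=audit(1346140900.456:4250): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=2311 auid=1002 uid=0 tty=pts2 ses=14 comm="vi" exe="/usr/bin/vi" key="shared_delete"
type=PATH msg=audit(1346140900.456:4250): item=1 name="/srv/shared/notes.txt" inode=140 nametype=CREATE
type=SYSCALL msg=audit(1346141000.789:4260): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2320 auid=1002 uid=0 tty=pts2 ses=14 comm="rm" exe="/bin/rm" key="shared_delete"
type=CWD msg=audit(1346141000.789:4260): cwd="/srv/shared"
type=PATH msg=audit(1346141000.789:4260): item=1 name="budget.xls" inode=141 nametype=DELETE
EOF
}

# Print "event-id auid uid exe path" for each successful deletion logged
# under audit key $1. Records of one event share the id in msg=audit(...).
# Relies on SYSCALL and CWD records preceding the PATH records of an event.
find_deletions() {
  awk -v key="$1" '
    function field(name,   i, kv) {      # value of name=... on this record
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
      }
      return ""
    }
    { id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
    $1 == "type=SYSCALL" && field("key") == key && field("success") == "yes" {
      # auid is the login UID: it stays the same after su or sudo
      who[id] = field("auid") " " field("uid") " " field("exe")
    }
    $1 == "type=CWD" { cwd[id] = field("cwd") }
    $1 == "type=PATH" && field("nametype") == "DELETE" && (id in who) {
      p = field("name")
      if (p !~ /^\//) p = cwd[id] "/" p   # resolve relative names via CWD
      print id, who[id], p
    }'
}

sample_log | find_deletions shared_delete
```

On a live host, `ausearch -k shared_delete -i` reports the same events with hex-encoded names decoded. The second deletion in the sample shows `uid=0` with `auid=1002`, which is how the audit trail still identifies the login account behind a root shell.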

Question has a verified solution.