• Status: Solved

Track user activity on UNIX

Hello experts,
I have a user that deleted work files saved on a shared folder on our system.
Is there any way to access a log that provides information that would prove that they deleted these files?
1 Solution
What is the OS?

If the user is using ksh or bash then you could look at commands history in their home dir:

ksh: ~/.sh_history

bash: ~/.bash_history
If you have auditing enabled, you can probably find the exact details in there...
But how it's configured would depend on which OS flavor you're using.
The audit logging should be configured in your system. You may give the pam_tty_audit module a try if you want to keep track of all commands they use. You can enable this module only for a particular user, then track the commands executed by that user.

Another method would be using sudo; with sudo you get each and every command logged into the /var/log/secure file, so it's easy to track user activities.

You could also check http://people.redhat.com/sgrubb/audit/

Read (Sample for Redhat)
How can I log all the commands that are run by root? - http://kbase.redhat.com/faq/docs/DOC-9131
How can I use audit to see who changed a file in Red Hat Enterprise Linux? - http://kbase.redhat.com/faq/docs/DOC-10108
How do I configure audit to log all files opened on a system in Red Hat Enterprise Linux? - http://kbase.redhat.com/faq/docs/DOC-7428
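
As an added example, not from the original answers: once an audit watch is in place on the shared folder, each deletion produces SYSCALL and PATH records that share one event serial, and this Python script pairs them to report who deleted which file. The log lines, the /srv/shared path and the shared_delete key are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, trimmed sample of /var/log/audit/audit.log records, as produced
# by a watch rule such as:  auditctl -w /srv/shared -p wa -k shared_delete
# (path, key, IDs and file names are made up for this example).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=3538 auid=1001 uid=1001 tty=pts0 ses=4 comm="rm" exe="/bin/rm" key="shared_delete"
type=CWD msg=audit(1364481363.243:24287): cwd="/srv/shared"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/srv/shared" inode=130 nametype=PARENT
type=PATH msg=audit(1364481363.243:24287): item=1 name="report.doc" inode=177 nametype=DELETE
type=SYSCALL msg=audit(1364481399.010:24301): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=3600 auid=1002 uid=0 tty=pts1 ses=5 comm="rm" exe="/bin/rm" key="shared_delete"
type=PATH msg=audit(1364481399.010:24301): item=1 name="/srv/shared/budget.xls" inode=178 nametype=DELETE
type=SYSCALL msg=audit(1364481420.500:24310): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=3538 auid=1001 uid=1001 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="shared_delete"
type=PATH msg=audit(1364481420.500:24310): item=1 name="/srv/shared/notes.txt" inode=179 nametype=CREATE
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value pairs

def parse_events(text):
    # Group records by event serial; all records of one syscall share it.
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            fields['_time'] = float(m.group(1))
            events[m.group(2)].append(fields)
    return events

def find_deletions(text):
    # Report successful syscalls that carry a PATH record with nametype=DELETE.
    hits = []
    for records in parse_events(text).values():
        sc = next((r for r in records if r.get('type') == 'SYSCALL'), None)
        if sc is None or sc.get('success') != 'yes':
            continue
        cwd = next((r['cwd'] for r in records if r.get('type') == 'CWD'), '')
        for r in records:
            if r.get('type') == 'PATH' and r.get('nametype') == 'DELETE':
                name = r['name']  # simplification: relative names resolved against CWD
                path = name if name.startswith('/') else cwd.rstrip('/') + '/' + name
                hits.append({'time': sc['_time'], 'auid': sc['auid'], 'uid': sc['uid'], 'exe': sc['exe'], 'path': path})
    return hits

if __name__ == '__main__':
    for h in find_deletions(SAMPLE_LOG):
        print(f"{h['time']:.3f} auid={h['auid']} uid={h['uid']} {h['exe']} deleted {h['path']}")
```

The auid field is the login UID and stays the same after su or sudo, which is why the second sample event is attributed to 1002 even though it ran as uid 0. A watch only records deletions that happen after the rule was loaded.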