Is it possible to track this scenario?
I have a user account user1 which has direct root login disabled.
user2 and user3 are able to switch as user1 after ssh to the server.
suppose If user2 and user3 switched as user1 simultaneously and user2 removes a file from the server.
How I can track this event and determine which user has removed the file? Is linux auditing will be able to track this?
Is there any scp tools available so that I can login as user2 or 3 and switch as user1?