
rm trace

Status
Not open for further replies.

AIXFinder

IS-IT--Management
Jan 4, 2007
97
US
some keeps removing /etc/filesystems

-rw-r--r-- 1 root system 0 Feb 22 23:00 filesystems

What is the best way to trace back who touched it?
 
I meant someone keeps removing /etc/filesystems..
 
The .sh_history file will catch the command used. The /var/adm/sulog will tell you which user has switched to root and when.

Benno

...it really does get worse than this !!
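
As an added example (not part of the original thread), this is one way to correlate /var/adm/sulog with the zero-byte file's timestamp: list the successful switches to root in the minutes before the file was modified. The sulog layout, the sample entries and the function names are assumptions constructed for illustration, and the window does not cross midnight.

```shell
#!/bin/sh
# Added example: list successful "su to root" entries from an AIX-style sulog
# that fall within N minutes before a file's modification time.

# Constructed sample data (not from the thread). Assumed layout:
#   SU MM/DD HH:MM +|- tty fromuser-touser     (+ = success, - = failure)
sample_sulog() {
    cat <<'EOF'
SU 02/22 09:15 + pts/0 alice-root
SU 02/22 22:10 - pts/2 bob-root
SU 02/22 22:41 + pts/3 carol-root
SU 02/22 22:55 + pts/1 dave-oracle
SU 02/22 23:20 + pts/4 erin-root
SU 02/23 22:50 + pts/0 alice-root
EOF
}

su_to_root_before() {
    # $1 sulog path, $2 MM/DD, $3 HH:MM (file mtime), $4 look-back window in minutes
    awk -v day="$2" -v at="$3" -v win="$4" '
        function mins(hhmm,   p) { split(hhmm, p, ":"); return p[1] * 60 + p[2] }
        BEGIN { limit = mins(at) }
        # Keep only successful switches whose target account is root
        $1 == "SU" && $2 == day && $4 == "+" && $6 ~ /-root$/ {
            t = mins($3)
            if (t <= limit && limit - t <= win) {
                who = $6; sub(/-root$/, "", who)
                print $3, who, $5      # time, original user, tty
            }
        }
    ' "$1"
}

# Demo: the zero-byte /etc/filesystems in the thread is stamped Feb 22 23:00.
log=$(mktemp)
sample_sulog > "$log"
su_to_root_before "$log" 02/22 23:00 60    # prints: 22:41 carol pts/3
rm -f "$log"
```

A root session opened hours earlier can still be the one that touched the file, so widen the window if the short one comes back empty; a direct root login or a root cron job will not appear in sulog at all.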
 
...forgot to ask, but is it happening at different times or the same time? If so, it could be a dodgy script; check what is running at that time. The file looks like it's being overwritten with nothing
( cat /dev/null >/etc/filesystems )
( >/etc/filesystems )

Benno

...it really does get worse than this !!
 
You could set up auditing, you could look through root's crontab, you could change the root password and set up sudo for those FEW individuals that need a command or 2 to run as root (then make them tell you what commands so that you can config sudo, and the person who says rm you can ask what directory they need it in). You could replace rm with a shell script that does (echo "the remove command is not functional please call AIXFinder") and then rename rm to remove :)

Hope you enjoyed the serious and humorous suggestions
 