0

A directory was moved with the mv command on a Linux box. What logs should be looked at for such an action? In root's bash_history I can see the command was used; unfortunately, bash_history was not recording time & date, therefore making it difficult to trace.

Regards and thanks.

Vlad
  • What information do you want? – Michael Hampton Mar 19 '13 at 23:15
  • It won't help you with your existing problem, but in the future if you use `sudo`, it logs each individual command it is used for. – DerfK Mar 19 '13 at 23:19
  • To Michael Hampton: ideally the person that issued the command, but that I see will not be possible... There are two ways users access those machines, ssh or telnet... Are there any logs for telnet sessions? – Vlad Mar 19 '13 at 23:34
  • Why on earth would you be allowing _telnet_?!? – Michael Hampton Mar 20 '13 at 10:56
  • We use telnet because the application involved requires telnet. – Vlad Mar 25 '13 at 15:09
  • Thank you Mr. tink, although it was not the answer I was looking for, I can still use this for better audit logging. And thanks all for the time. – Vlad Mar 25 '13 at 15:10
  • Vlad, the above comment suggests to me that you're happy with tink's answer. If that's so, then let me mention that local etiquette is that, after a reasonable time, you accept the best answer for any given question by clicking on the "tick" outline next to it. That helps drive SF's reputation system, both for you and the author of the accepted answer. My apologies if you already know this. – MadHatter Mar 25 '13 at 15:33

1 Answer

1

Vlad, as a rule of thumb (unless you have system auditing enabled, which most admins avoid because of the huge overheads it can incur) file activities aren't actually logged in Linux land. To make your .bash_history more useful for future events you may want to add the following lines to your .bashrc:

```bash
# append to the history file, don't overwrite it
shopt -s histappend
# write out each command, useful if you have many sessions/shells open at the
# same time, or run the risk of having an unclean session termination
export PROMPT_COMMAND='history -a'
# 'normal' history stuff
export HISTFILESIZE=8000
export HISTSIZE=6000
export HISTTIMEFORMAT="%F %T%n"
```

tink
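
An added example, not part of tink's answer: once `HISTTIMEFORMAT` is set, bash writes a `#<epoch seconds>` line before each command in the history file, so entries can be dated after the fact. The sketch below parses that format and reports when `mv` was run; the sample history and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a history file written by bash with HISTTIMEFORMAT set.
# The first entry predates the setting, so it carries no timestamp line.
SAMPLE_HISTORY = """\
ls -l /srv
#1363734000
cd /srv/app
#1363734125
mv /srv/app/data /tmp/data.old
#1363734300
cat <<EOF > note.txt
moved data
EOF
#1363734410
sudo mv /etc/app.conf /etc/app.conf.bak
"""

TS_LINE = re.compile(r"^#(\d+)$")  # "#" followed only by epoch seconds

def parse_history(text):
    """Return [(utc_datetime or None, command)] in file order."""
    entries, stamp, lines = [], None, []
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            if lines:  # close the previous timestamped entry
                entries.append((stamp, "\n".join(lines)))
            stamp = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            lines = []
        elif stamp is None:
            entries.append((None, line))  # undated: one command per line
        else:
            lines.append(line)  # multi-line commands stay with their stamp
    if lines:
        entries.append((stamp, "\n".join(lines)))
    return entries

def find_commands(entries, name):
    """Entries that invoke `name` directly, via sudo, or after ; & |."""
    pat = re.compile(r"(?:^|[;&|]\s*)(?:sudo\s+)?" + re.escape(name) + r"\b")
    return [(ts, cmd) for ts, cmd in entries if pat.search(cmd)]

if __name__ == "__main__":
    for ts, cmd in find_commands(parse_history(SAMPLE_HISTORY), "mv"):
        print(ts.isoformat() if ts else "no timestamp", "|", cmd)
```

The history file is writable by its owner, so treat these timestamps as a lead to corroborate against login records rather than as an audit trail.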