1. Introduction
Often, a system administrator needs to track the activity of other users of a server.
In this article, we’ll look at ways to find a user that has deleted a certain file on Linux. We’ll first learn how to filter out the users who weren’t online for a long time. Then, we’ll check whether any of the remaining users had executed commands to delete a given file. Finally, we’ll study some advanced tools that we can use to audit our system more efficiently.
2. Find User Login Times
Let’s assume that a file was deleted relatively recently. Then, the first step would be to check when each user was logged in on a server. This allows us to filter out users who weren’t online for a long time. For that, we can use the last command:
$ last
user1 ... Fri Sep 09 14:42 - 15:04 (00:22)
user2 ... Wed Sep 07 10:13 - 11:12 (00:59)
user3 ... Mon Jan 03 07:15 - 07:20 (00:05)
...
In the first column, we can see the username, while in the last columns, there are log-in and logout times. Noticeably, user1 and user2 were online more recently than user3, who wasn’t online for months before. Depending on our needs, we can filter user3 out of our search.
3. Find Commands That a User Executed
Now, that we know user1 and user2 were online recently, we need to check whether these users executed commands to delete a file.
For that, we’ll look at their bash histories. These are files that store any commands executed by a particular user during their Bash session. The files are called .bash_history and are typically located in each user’s home directory.
To find a possible culprit, we’ll browse through the bash history file of each user and search for commands related to the deleted file. Thus, we can run sudo grep -a ‘<deleted_file_name>’ /home/<user_name>/.bash_history.
Let’s break down the command to understand it:
- sudo provides root privileges
- grep enables us to find sequences in the file
- -a for processing binary data, as the .bash_history file may start with non-text data
- ‘<deleted_file_name>’ is the name of the deleted file
- /home/<user_name>/.bash_history is the path to the .bash_history file of user user_name
We’ll run this command for both user1 and user2, and see if we can find the information about the deleted file. Let’s check for user1 first:
$ sudo grep -a 'deleted_file.txt' /home/user1/.bash_history
We haven’t got any output here, which means that user1 hasn’t run any command related to the deleted file.
Now, let’s run the same command for user2:
$ sudo grep -a 'deleted_file.txt' /home/user2/.bash_history
...
rm deleted_file.txt
...
We can see that user2 executed the rm deleted_file.txt command, which deleted the file. So, user2 may be the user that we were looking for. We should note that the rm command’s not the only way to delete files. Other commands to delete files in Linux are rm, unlink, and find -delete.
Although the above method is good for basic scenarios, it doesn’t cover all possible ways of deleting a file. For example, the user may create and run a script for that. This would make it difficult to find the exact command the user used. Furthermore, both user1 and user2 can execute the command rm on the same file, but one might not succeed.
Considering the various ways a file might disappear, it’s good to have more thorough evidence of when and by whom it was deleted.
4. Use the Audit Tool to Track Files
In general, it’s good practice to track an important file before we lose it. For that, we can use the audit daemon tool. If set up correctly, it tells us the conditions under which a file has been removed from our Linux server. Let’s briefly discuss the process of using the audit daemon tool to watch our file.
First, we need to configure auditd to watch the file. To achieve that, we’ll run the command auditctl, specifying the file to watch with -w, and any specific permissions that trigger an event with -p. For example, if we want to track the file deleted_file.txt, we run the following command to start our audit process:
$ sudo auditctl -w /home/user2/deleted_file.txt -p wa -k my-file-deleted
This will run the audit in the background and watch deleted_file.txt for any writes(w) and attribute(a) changes, which detect deletion.
Once the audit’s running, we can look at the logs to see whether there have been any user actions with this file. A simple way of doing that is to run the command ausearch -k my-file-deleted, where -k sets the log key to search (set earlier), and my-file-deleted is the log keyword we’re using to track the file updates. If someone has deleted this file, we’ll see it in the log:
$ sudo ausearch -k my-file-deleted
----
time->Mon Sep 09 14:27:41 2022
...
name="deleted_file.txt"
...
uid=1000
...
comm="rm" exe="/usr/bin/rm"
...
There’s a lot of information logged, but the key fields here are time, name, uid, and comm. The uid field provides the ID of the user who deleted the file. Therefore, we can see user uid 1000 has deleted deleted_file.txt at 14:27:41 on Monday, 09 Sep 2022.
5. Conclusion
In this tutorial, we learned how to find a user that has deleted a file on a Linux system. Firstly, we saw how to manually check user login times to narrow down our search. Secondly, we found out how to check the commands that the users executed and filter through them. Finally, we learned how to use a more advanced audit tool to watch our files more efficiently.