Reply to thread

Message: <blockquote data-quote="dbug" data-source="post: 28214711" data-attributes="member: 124340">There is NO smoking gun in UNIX without auditing. Period.Step 1:Code:ls -lc file_in_questionThis gives you the exact time of the incident, unless you have already set permissions back to what they are supposed to be.  Assuming this time is really correct try to correlate that with who was logged in at that time.  If you are very lucky only one person was logged in. Otherwise you get to guess who did it. How to do this?  Try:Code:last | moreThis lists who has logged in and when they logged out.  Since the the system was rebooted, in the order of newest to oldest.  You can see the timestamp on the file, you can see who was connected to the system at that time.  That is the best you can do.  Right now.  Enable auditing.   Then you are covered from now on.</blockquote>

Top Bottom