Linux – How to recover the /root directory and find out who deleted it

linux

I have a centos 4 linux server; Three people have the root's password including me.

When I logged on the server and switched to root today, I found that the directory /root has gone…

How can I recover my /root directory and find out who deleted it ? Is there any way that I can know who logged on the server and the every changes they made ?

Really thanks for any response.

Best Answer

recovery: I have no idea, sorry. You can assume I made some snippy comment about how you should have backups ;)

who dun it: Assuming everyone is accessing the machine remotely (preferably via ssh) then last should tell you the IP address and username of the last people to log on.

misc: When you say 3 people have the root password: could I recommend (if you aren't already doing so) that you set PermitRootLogin no in the sshd.conf file and just make sure these 'admins' ssh as their own account and then use su. This gives you both another layer of security as well as some more logging info (rather than just the IP address 'root' connected from, you'd see Jon ssh into the server and then take root privileges.

Best Answer

Related Solutions

Linux – How to you prevent root password change on linux

Linux – How to prevent people from looking at a listing of files in parent directory if I haven’t uploaded index.html

Related Topic