Is there a way to see what files an user deletes during his/her daily work. I know about bash_history, but I wonder if there is something more than this. The question is about plain Ubuntu (presumably any Linux) server installation.
If a user runs rm -fr dir1 in its home directory, would there be a log of the event? Do I have a way to easily enable such a feature?
Edit: Can I find out before installing anything? Both answers are excellent!
Thanks
Best Answer
To monitor file system manipulation, you'll need to use inotify or the built-in auditing system with the kernel. Take a look at this page for a brief overview of your options. The man pages for inotify and auditctl are also very valuable.
These processes will tell you whenever a certain file is altered, whether or not it is done as a command in the user's history (e.g. through a GUI file manager, etc).