To find the user who has created the file

Hi

On our AIX 7.1 server we have a file named /content/development/system.tar with ownership as root.
Many people on our Unix team have sudo access and they will be able to sudo to the root user.
We want to know which particular user has actually created this file.
Is it possible to find that? Please let me know.

[pmut3:root:/home/root:] ls -ld /content/development/system.tar
-rw-r--r--    1 root     system   22412608000 Sep 19 2014 /content/development/system.tar

I doubt... Unless you configured all the system for each person who can sudo to have complete activity logs...
You could try using last command to find who was connected at the time, then search in their history but then in .sh_history you have no dates or time stamps to help you...
To start I suggest you look how your sudo is configured, maybe you are lucky...

Another way is to have audit on the AIX box.

Another way would be to use RBAC - because then you get additional privileges, but you do not change your userid.

If you give someone root access you also give the ability to them to cover their tracks...

As agent.kgb mentioned, you can also use audit - even redirecting to syslog. audit reports both the euid (effective uid) and the ruid (real uid, or login id).

For a simple way to feed audit into syslog look at a blog of mine here: IBM Systems Magazine - Combining audit and syslog (that was hard to find - they archived it!) or a related article I wrote on the same topic at: ROOTVG - AIX, LinuxOnPower & POWER Systems Portal - Stream AIX AUDIT into SYSLOG

Is this helping? As we certainly hope so!

You can check sulog file and compare timestamps if the file in question has not been modified since.
If john used sudo command and the file has been created around that time you could have something.

This is, of course, if one didn't use sudo to sudo himself out of sulog :smiley:
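The sulog correlation suggested above, written out as an added example (not code from the thread or from IBM): it parses constructed lines in the AIX /var/adm/sulog layout (assumed here to be "SU MM/DD HH:MM +|- tty from-to", with no year recorded, so the year is supplied by the caller) and lists successful switches to root shortly before the file's timestamp. Note that `ls -ld` shows the modification time, not creation time, and for a file older than six months it prints the year without the clock time, so the timestamp below is a constructed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of sulog lines (not taken from the original server).
SULOG_SAMPLE = """\
SU 09/18 23:10 + pts/1 alice-root
SU 09/19 08:55 - pts/2 bob-root
SU 09/19 09:02 + pts/2 bob-root
SU 09/19 09:41 + pts/4 carol-root
SU 09/19 17:30 + pts/1 alice-root
"""

# Assumed sulog layout: SU MM/DD HH:MM <+ or -> <tty> <from>-<to>
SULOG_RE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog(text, year):
    """Parse sulog lines; the year must be supplied because sulog omits it."""
    events = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an su record
        mon, day, hh, mm, status, tty, src, dst = m.groups()
        events.append({
            "when": datetime(year, int(mon), int(day), int(hh), int(mm)),
            "ok": status == "+",   # "-" records a failed switch
            "tty": tty, "from": src, "to": dst,
        })
    return events


def candidate_creators(events, mtime, window=timedelta(hours=1), target="root"):
    """Successful switches to `target` within `window` before `mtime`, nearest first."""
    lo = mtime - window
    hits = [e for e in events if e["ok"] and e["to"] == target and lo <= e["when"] <= mtime]
    return sorted(hits, key=lambda e: mtime - e["when"])


def who_switched_before(text, year, mtime_iso, hours=1):
    """Convenience wrapper: usernames who became root shortly before mtime_iso."""
    events = parse_sulog(text, year)
    hits = candidate_creators(events, datetime.fromisoformat(mtime_iso), timedelta(hours=hours))
    return [e["from"] for e in hits]


if __name__ == "__main__":
    # Constructed mtime standing in for the "Sep 19 2014" shown by ls -ld.
    for e in candidate_creators(parse_sulog(SULOG_SAMPLE, 2014), datetime(2014, 9, 19, 9, 15)):
        print(e["when"], e["from"], "->", e["to"], "on", e["tty"])
```

A match only narrows the list of people who held root at the time; it does not prove who wrote the file, and, as the post notes, it assumes sulog itself was not edited.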

So, then a bit of "advertising" for IBM - there is a component called Trusted Logging (part of PowerSC) - to address the issue/question Peasant brings up - are my logs accurate or have they been tampered with?