On our AIX 7.1 server we have a file named /content/development/system.tar owned by root.
Many people on our Unix team have sudo access and can sudo to the root user.
We want to know which particular user actually created this file.
Is it possible to find that? Please let me know.
[pmut3:root:/home/root:] ls -ld /content/development/system.tar
-rw-r--r-- 1 root system 22412608000 Sep 19 2014 /content/development/system.tar
I doubt it... unless you configured the whole system so that each person who can sudo has complete activity logs...
You could try using the last command to find who was connected at the time, then search their history, but in .sh_history you have no dates or timestamps to help you...
To start, I suggest you look at how your sudo is configured; maybe you are lucky...
As agent.kgb mentioned, you can also use audit, even redirecting it to syslog. audit reports both the euid (effective uid) and the ruid (real uid, or login id).
You can check the sulog file and compare timestamps, if the file in question has not been modified since.
If john used the sudo command and the file was created around that time, you could have something.
This is, of course, if one didn't use sudo to sudo himself out of sulog.
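As an added illustration of the timestamp-comparison approach described in the post above (this is example code, not something posted in the thread), the script below takes a date and time, for instance the "Last modified" line that istat prints for the file on AIX, and lists the successful su entries in a sulog-style file that fall within a few minutes of it. The sulog lines are constructed sample data in the AIX format (SU MM/DD HH:MM + tty from-to); the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: correlate a file's modification time
# with /var/adm/sulog entries.  All data below is constructed.

# Constructed sulog sample.  AIX format: SU MM/DD HH:MM +|- tty from-to
SAMPLE_SULOG=$(mktemp)
trap 'rm -f "$SAMPLE_SULOG"' EXIT
cat > "$SAMPLE_SULOG" <<'EOF'
SU 09/19 09:02 + pts/1 alice-root
SU 09/19 13:47 - pts/3 bob-root
SU 09/19 13:58 + pts/3 bob-root
SU 09/19 14:05 + pts/0 carol-root
SU 09/20 14:01 + pts/2 dave-root
EOF

# su_events_near LOG MM/DD HH:MM WINDOW_MINUTES
# Prints successful (+) su entries on the given date whose time lies within
# WINDOW_MINUTES of HH:MM.  Failed attempts (-) are skipped, since a failed
# su could not have produced the file.
su_events_near() {
    log=$1 day=$2 hhmm=$3 win=$4
    awk -v day="$day" -v hhmm="$hhmm" -v win="$win" '
        # minutes since midnight for an HH:MM string
        function mins(t,   p) { split(t, p, ":"); return p[1]*60 + p[2] }
        $1 == "SU" && $2 == day && $4 == "+" {
            d = mins($3) - mins(hhmm); if (d < 0) d = -d
            if (d <= win) print
        }' "$log"
}

# count_su_events_near: same arguments, prints only the number of matches
count_su_events_near() {
    su_events_near "$@" | wc -l | tr -d ' '
}

# Usage: a file last modified 09/19 at 14:00, looking 10 minutes either side
su_events_near "$SAMPLE_SULOG" 09/19 14:00 10
```

Two caveats follow from the thread itself: the ls -l output in the question shows only "Sep 19 2014", so the minute-level time has to come from the inode (istat on AIX), and sulog records su, not sudo; whether sudo invocations are logged, and where, depends on how sudo is configured, so the same comparison would be run against the sudo log as well.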
So, then a bit of "advertising" for IBM: there is a component called Trusted Logging (part of PowerSC) to address the issue/question Peasant brings up: are my logs accurate, or have they been tampered with?