Who deleted my files

Just looking for some guidance on how to figure out who might have deleted some files off one of my systems.

These files are not root owned files so could be deleted by a handful of folks in the group responsible for these files besides the root users.

Anyway, I have been tasked with trying to figure out where they went. I can see from our backup server they were there on Sept. 26th and gone on Sept. 27th. I have tried reviewing the .sh_history file for each user, but have just performed a copy of the .sh_history file of each user to a tmp location and then reviewed the files with vi.

I have done this for the root user as well, but notice after the copy that the last timestamp in the file is from yesterday. None of the commands I have run today are there. However, if I use the fc command they are shown. My concern is that this will be the case for the copies of the other users' history files, but I don't have a way to properly format the history file with fc unless I log in as each user. The other issue I have is that some users' history files do not appear to go back that far, so I am having to restore from the previously mentioned time frame.

Just looking for any thoughts on how to better come up with an answer. Something had to happen to those files but thus far I am coming up empty.

I think I understand that if someone wanted to delete these files and not be found they could edit their own history file. I don't think it's the case of an on purpose delete as the files are still on the source server which they can delete as well. I can get them back from the source server or from backup but just would like to figure out how they got deleted to avoid this questioning from the customer in the future.

Thanks.

The history file is probably updated when you log out of your shell. Until then, the recent things are only in memory.

If you haven't specially enabled some special accounting, it's not going to have records of who deleted what.
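
Added example, not part of the original posts: one way to search the copied history files for deletion-type commands without opening each one in vi. It assumes the copies sit in one directory named `<user>.sh_history` (a hypothetical naming for the copies) and that the files may contain NUL separators and binary header bytes; the path `/data/reports` in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example: scan copied shell history files for commands that could
# have removed a given path. File naming and paths are assumptions.

# scan_history DIR PATTERN
#   DIR     directory with one copied history file per user, named
#           <user>.sh_history (hypothetical naming for the copies)
#   PATTERN extended regex for the missing path, e.g. '/data/reports';
#           pass '' to list every deletion-type command
# Prints "user:entry:command" for each candidate, where entry is the
# position of the command among the non-empty entries in that file.
scan_history() {
    dir=$1
    pattern=$2
    # Commands that remove or relocate files, matched as whole words,
    # also when prefixed by a path (/bin/rm) or another word (sudo rm).
    del='(^|[;&|/ \t])(rm|rmdir|unlink|mv|find)([ \t]|$)'
    for f in "$dir"/*.sh_history; do
        [ -f "$f" ] || continue
        user=$(basename "$f" .sh_history)
        # Turn NUL separators into newlines and drop remaining
        # non-printable bytes so the text tools see plain lines.
        tr '\000' '\n' < "$f" | tr -cd '\11\12\40-\176' |
            awk -v user="$user" -v pat="$pattern" -v del="$del" '
                NF == 0 { next }
                { n++ }
                $0 ~ del && $0 ~ pat { print user ":" n ":" $0 }'
    done
}
```

A command run with relative names after a `cd` will not contain the full path, so an empty PATTERN gives the wider list to review by hand. Sessions that were still open when the copy was made, or histories that were edited or rotated, will not show up here.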