System Administrator tips: how to check who deleted the file

Article title: System Administrator tips: how to check who deleted the file. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
To enhance the security of systems and applications, administrators often need to know whether users have deleted specific files. The following describes how to achieve the administrator's goal through system audit.

The system security audit function allows you to manage system security with minimal system overhead. it only records object change events and does not record detailed data in the object.

The following is the system setting method:
1. run the go sectools command to Display the * Display the Security Tools Menu.

2. Select Option 10: Change Security Auditing

3. change the system value QAUDCTL to * OBJAUD and QAUDLVL to * DELETE. Press Enter.

4. if the security audit log does not exist in the system at this time, the system will create it.

5. run the command CHGOBJAUD to change the object audit.

6. in the CHGOBJAUD parameter, enter the name of the object you want to audit. Fill in * change at the parameter objaud.

7. Repeat Steps 5-6 to add the object you want to audit.

8. the created log is displayed. after running the go sectools command, select option 22.

9. fill in "DO" in the ENTTYP parameter -- it will record who, when, and what object has been deleted