Audit

apt-get install auditd

Add watcher to /etc/audit/audit.rules to detect delete or write/append of /shares/pubblica/esca.doc

-w /shares/pubblica/esca.doc -p wa -k esca

Restart service auditd

Search events

ausearch -k esca | aureport -f -i