[CentOS] A Directory/Subdirectories Disappeared - which log file to look for this kind of information?
JohnS
jses27 at gmail.com
Fri May 14 19:30:46 UTC 2010
> On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y <mary.y.wang at boeing.com> wrote:
> > Hi,
> >
> > A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir'). The /var/log directory has a lot of files and I'm not sure where to start.
---
Some greatfull wiki contributer may want to do a how to on this.
Auditd:
Look at tail /var/log/audit.log audit.log.1 ans so on.
To log every thing from one user: This logs all sys calls except[1]
[root at x X]# /sbin/auditctl -a entry,always -S all -F uid=500
where uid=your_usr_id. Root is "0" or should be.
Also you can watch specific directories. How to beyond this scope atm.
See man auditctl.
Restart:
[root at x X]# /sbin/service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root at x X]# grep gedit /var/log/audit/audit.log.1
type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78
success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0
ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit"
exe="/usr/bin/gedit"
subj=user_u:system_r:unconfined_t:s0 key=(null)
[1]. Problem, I have a list of rules at work but im home today. I see
a problem I think with either auditd or bash console. I had this
previously configured for root to log all sys calls made. I made a file
with touch, deleted the file and all that got logged was /bin/bash and
thats it. Can anyone else confirm this? Either Bash is Spoofing Auditd
or something else is happening. Search string is,
grep rm /var/log/audit/audit.log
As so goes this don't really help her problem and really makes a problem
for me when I have to confirm to SAS 70 Type 2 Infrastructure.
John
More information about the CentOS
mailing list