[CentOS] A Directory/Subdirectories Disappeared - which log file to look for this kind of information?

Wed May 19 23:57:41 UTC 2010
Wang, Mary Y <mary.y.wang at boeing.com>

Thanks to those who responded to my question.  I'll keep the information in case I need it in the future.  
After discussing the logging with my system admins, we decided that we'll not turn it on (maybe just the basic bash and csh history files) because it will possibly create lots of logs. I've not lost any more directories/subdirectories since the day I reported my problem.  So I'm happy for now.   

Mary


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of JohnS
Sent: Tuesday, May 18, 2010 6:40 AM
To: CentOS mailing list
Subject: Re: [CentOS] A Directory/Subdirectories Disappeared - which log file to look for this kind of information?


On Fri, 2010-05-14 at 15:30 -0400, JohnS wrote:
> 
> > On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y <mary.y.wang at boeing.com> wrote:
> > > Hi,
> > >
> > > A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/when did a 'rmdir')?  The /var/log directory has a lot of files and I'm not sure where to start.
> ---
> Some grateful wiki contributor may want to do a how-to on this.
> Auditd:
> Look at tail /var/log/audit.log, audit.log.1 and so on.
> 
> To log everything from one user:  This logs all sys calls except[1]
> 
> [root at x X]# /sbin/auditctl -a entry,always -S all -F uid=500
> where uid=your_usr_id.  Root is "0", or should be.
> Also you can watch specific directories.  How-to is beyond this scope atm.
> See man auditctl.
> 
> Restart:
> [root at x X]# /sbin/service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> 
> [root at x X]# grep gedit /var/log/audit/audit.log.1
> 
> type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78 
> success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0
> ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 
> egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit"
> exe="/usr/bin/gedit" 
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> 
> [1].  Problem, I have a list of rules at work but I'm home today.  I 
> see a problem I think with either auditd or bash console.  I had this 
> previously configured for root to log all sys calls made.  I made a 
> file with touch, deleted the file and all that got logged was 
> /bin/bash and that's it.  Can anyone else confirm this?  Either Bash is 
> spoofing Auditd or something else is happening.  Search string is:  
> grep rm /var/log/audit/audit.log
> 
> As it goes, this doesn't really help her problem and really makes a 
> problem for me when I have to conform to SAS 70 Type 2 Infrastructure.
> 
> John
---
Add on Appended:

dmesg | grep rm

audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0
a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm"
subj=user_u:system_r:initrc_t:s0 key=(null)

In fact it does have the rm command I used.  
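The thread shows raw audit records and greps them by process name. Grepping on "rm" matches every record that process emitted, not only the deletion; the record John found via dmesg is syscall=252, which on i386 (arch=40000003) is exit_group, so it proves rm ran but not what it removed. The record also shows auid=500 alongside uid=0: auid is the login uid and survives su, which is the field that answers "who" when the deletion was done as root. The following script, added here as an example and not code from the thread or from the audit package, re-joins mail-wrapped records, parses the key=value fields and keeps only the records whose syscall number is unlink, rmdir or unlinkat on i386 (the table is hard-coded for that arch and would need a separate table for x86_64). The first two sample records are copied from the thread; the last two are constructed to show a successful rmdir as root and a failed rm by another user.

```python
"""Find "who deleted what" in auditd SYSCALL records.

Added example, not from the CentOS thread or from audit's own tools.
Assumes i386 records (arch=40000003) as shown in the thread; syscall
numbers are architecture-specific, so other arches need their own table.
"""
import re

# i386 syscall numbers that remove directory entries (arch=40000003 only).
I386_DELETE_SYSCALLS = {10: "unlink", 40: "rmdir", 301: "unlinkat"}

HEADER_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two records copied from the thread (wrapped by the
# mail client, as they appeared there) plus two constructed ones.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78
success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0
ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit"
exe="/usr/bin/gedit"
subj=user_u:system_r:unconfined_t:s0 key=(null)

audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0
a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm"
subj=user_u:system_r:initrc_t:s0 key=(null)

type=SYSCALL msg=audit(1273862000.101:60001): arch=40000003 syscall=40 success=yes exit=0 a0=9f3c008 a1=0 a2=0 a3=0 items=1 ppid=3055 pid=3090 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rmdir" exe="/bin/rmdir" subj=user_u:system_r:unconfined_t:s0 key="devbox-dirs"
type=SYSCALL msg=audit(1273862000.250:60002): arch=40000003 syscall=301 success=no exit=-13 a0=ffffff9c a1=9f3c100 a2=200 a3=0 items=1 ppid=4000 pid=4010 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="devbox-dirs"
"""


def join_wrapped(text):
    """Re-join records that a mail client wrapped onto several lines.

    A record starts at a 'type=...' line or a bare 'audit(...)' line (the
    dmesg form); every other non-empty line continues the previous record.
    Leading '> ' quoting from a mail reply is stripped first.
    """
    records = []
    for line in text.splitlines():
        line = line.strip().lstrip("> ").strip()
        if not line:
            continue
        if line.startswith("type=") or line.startswith("audit("):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Split one record into a dict of its key=value fields plus timestamp and serial."""
    m = HEADER_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def find_deletions(text):
    """Return only the records that attempted to remove a file or directory.

    The login uid (auid) is reported next to the effective uid so that a
    deletion done as root after su is still attributed to the person.
    """
    hits = []
    for rec in join_wrapped(text):
        f = parse_record(rec)
        if f is None or f.get("arch") != "40000003":
            continue
        name = I386_DELETE_SYSCALLS.get(int(f.get("syscall", -1)))
        if name is None:
            continue  # e.g. syscall=78 (gettimeofday) or 252 (exit_group)
        hits.append({
            "time": f["_ts"],
            "login_uid": int(f["auid"]),
            "uid": int(f["uid"]),
            "syscall": name,
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "success": f.get("success") == "yes",
            "key": f.get("key"),
        })
    return hits


if __name__ == "__main__":
    for h in find_deletions(SAMPLE_LOG):
        print("%(time).3f login_uid=%(login_uid)d uid=%(uid)d %(syscall)s "
              "via %(exe)s success=%(success)s key=%(key)s" % h)
```

On a live system the same filtering is simpler once the directory has its own watch rule, e.g. `auditctl -w /path/to/dir -p wa -k devbox-dirs`, after which `ausearch -k devbox-dirs` lists only records carrying that key and the PATH records tell you which entries were removed.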
