On Friday 04 January 2008 17:18:25 Radu Radutiu wrote:
Hi, you can try to use the kernel audit facility:
- enable the auditd daemon:
service auditd start
- enable audit for the home directory (only audit write operations to
the directory inode); the command is not recursive and you cannot use wildcards
auditctl -w /home/user -pw
- after a file disappears use ausearch to find who removed it (and
what command was used to remove it); suppose file "test" was removed
ausearch -f /home/user/test
Thanks Radu for the directions. I googled for more information and found this very nice article: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
But it seems that there's no man page for the /etc/audit.rules?
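
The ausearch step described above, as an added example that is not part of the original thread: a small parser that groups raw audit records by event ID and reports which login UID and executable deleted a watched file. The sample records are constructed, and the names parse_events and who_deleted are hypothetical; it assumes records that carry a nametype= field on PATH lines.

```python
import os
import re
from collections import defaultdict

# Constructed sample records in the raw audit.log layout (not from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1199460000.123:412): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2100 pid=2188 auid=1001 uid=1001 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1199460000.123:412): cwd="/home/user"
type=PATH msg=audit(1199460000.123:412): item=0 name="/home/user" nametype=PARENT
type=PATH msg=audit(1199460000.123:412): item=1 name="test" nametype=DELETE
type=SYSCALL msg=audit(1199460042.500:413): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2100 pid=2190 auid=1001 uid=1001 comm="touch" exe="/bin/touch"
type=CWD msg=audit(1199460042.500:413): cwd="/home/user"
type=PATH msg=audit(1199460042.500:413): item=0 name="/home/user" nametype=PARENT
type=PATH msg=audit(1199460042.500:413): item=1 name="notes" nametype=CREATE
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial); one syscall emits several records."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[(m.group(1), m.group(2))].append(fields)
    return events

def who_deleted(text, target):
    """Return one dict per event whose PATH record shows `target` being deleted."""
    hits = []
    for (ts, serial), records in parse_events(text).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        cwd = next((r["cwd"] for r in records if r.get("type") == "CWD"), "/")
        for r in records:
            if r.get("type") != "PATH" or r.get("nametype") != "DELETE":
                continue
            # PATH names are often relative, so resolve them against the CWD record.
            # Names the kernel hex-encodes (spaces, control chars) are not decoded here.
            full = os.path.normpath(os.path.join(cwd, r["name"]))
            if full == target and syscall:
                # auid is the login UID and stays the same across su/sudo.
                hits.append({"event": f"{ts}:{serial}", "auid": syscall["auid"],
                             "uid": syscall["uid"], "pid": syscall["pid"],
                             "exe": syscall["exe"]})
    return hits

if __name__ == "__main__":
    for hit in who_deleted(SAMPLE_LOG, "/home/user/test"):
        print(hit)
```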