Hi, you can try to use the kernel audit facility:
1) enable the auditd daemon:
service auditd start
2) enable audit for the home directory (only audit write operations to the directory inode); the command is not recursive and you cannot use wildcards
auditctl -w /home/user -pw
3) after a file disappears use ausearch to find who removed it (and what command was used to remove it); suppose file "test" was removed
ausearch -f /home/user/test
Radu
On Jan 4, 2008 11:25 AM, Christopher Thorjussen Christopher.Thorjussen@carrot.no wrote:
You can enable auditing to determine if the files are disappearing due
to human/machine intervention (audit file system deletes) or if it is due to file system corruption (files disappear and no delete audits recorded).
It may just be an errant rsync script.
-Ross
How do I enable auditing of the home dir?
/Christopher
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
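
Added example, not part of the original message: a shell/awk helper that reads raw audit records (the format of /var/log/audit/audit.log) and reports, for one full path, which event touched it and the login uid, uid, command and executable behind it. The records, the function names sample_records and who_touched, and the paths other than /home/user/test are constructed for illustration.

```sh
# Constructed sample records (trimmed) in /var/log/audit/audit.log format.
# x86_64 syscall numbers: 87 = unlink, 263 = unlinkat.
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1199442300.123:4567): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=2345 auid=500 uid=500 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1199442300.123:4567): cwd="/home/user"
type=PATH msg=audit(1199442300.123:4567): item=0 name="/home/user/" inode=1001
type=PATH msg=audit(1199442300.123:4567): item=1 name="test" inode=1002
type=SYSCALL msg=audit(1199443000.456:4580): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=2400 auid=0 uid=0 comm="rsync" exe="/usr/bin/rsync"
type=CWD msg=audit(1199443000.456:4580): cwd="/"
type=PATH msg=audit(1199443000.456:4580): item=0 name="/home/user/" inode=1001
type=PATH msg=audit(1199443000.456:4580): item=1 name="/home/user/old.log" inode=1003
type=SYSCALL msg=audit(1199445000.789:4601): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2500 auid=501 uid=0 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1199445000.789:4601): cwd="/home/user"
type=PATH msg=audit(1199445000.789:4601): item=0 name="/home/user" inode=1001
type=PATH msg=audit(1199445000.789:4601): item=1 name="report" inode=1004
EOF
}

# who_touched FULLPATH: read raw audit records on stdin, print one line per
# event whose PATH records resolve to FULLPATH. auid is the login uid and is
# kept across su/sudo, so it names the account that logged in even if uid=0.
who_touched() {
    awk -v want="$1" '
    function field(key,    i, v) {   # value of key=... on the current record
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    {   id = $2                      # msg=audit(TIME:SERIAL): groups records
        sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
    $1 == "type=SYSCALL" {
        who[id] = "syscall=" field("syscall") " auid=" field("auid")
        who[id] = who[id] " uid=" field("uid") " comm=" field("comm") " exe=" field("exe")
    }
    $1 == "type=CWD"  { cwd[id] = field("cwd") }
    $1 == "type=PATH" {              # relative names are relative to the CWD
        n = field("name")
        if (substr(n, 1, 1) != "/") n = cwd[id] "/" n
        if (n == want) hit[id] = 1
    }
    END { for (id in hit) print "event=" id " " who[id] }
    ' | sort
}

sample_records | who_touched /home/user/test
```

No matching event for a file that is known to have vanished corresponds to the other case raised in the thread: no delete was audited.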