On Thursday 03 January 2008 19:09:11 Christopher Thorjussen wrote:
On one of my systems I seem to lose a file or two from time to time.
Last night, one of my files (/home/online/sh/NattjobbPrivat.sh) was deleted/removed/vanished. Another time it was /home/online/sh/daemon that was deleted.
But I can't seem to find anything strange in the logs or in the history, nor would any of my scripts running in crontab mess with those files.
Where can I look for clues? And how do I enable audit for file operations in my home folder?
Hi, this really sounds weird. In order to audit it, the following checklist might help:
- If the system was administered by an admin other than you and he got fired/dismissed with hard feelings, he might have put in a crontab that would do nasty things randomly. Audit all the files in:
/var/spool/cron
/var/spool/at
Also all the scripts in /etc/cron.{d,daily,weekly,monthly}, /etc/crontab
No admin or anyone else with access has quit or been fired. The files and folders look fine.
- Audit all RPM files installed using: rpm -Va, and look for a difference in md5sum for binary files such as /bin/ls, /bin/ps, etc. You might want to use a cracker detection script such as rkhunter.
The files look fine. Some files are marked as MD5 mismatch but it's mostly config files I've changed. The only files I'm not sure of are:
SM5....T /usr/share/rhn/rhn_applet/rhn_applet.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_apt.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_protocols.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_version.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_yum.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_sources.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_utils.pyc
But I'm not running X so the applet isn't running.
- Look for the word "error" in log files:
grep -r error /var/log
See for related errors such as filesystem corruption, etc.
[root@ora01 tmp]# grep -r error /var/log
/var/log/Xorg.0.log: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/anaconda.log:* getting rpm error class
/var/log/prelink.log:/usr/lib64/libgpg-error.so.0.1.3 0000003c50e00000-0000003c50f02878
/var/log/rpmpkgs.4:libgpg-error-1.0-1.x86_64.rpm
/var/log/rpmpkgs.1:libgpg-error-1.0-1.x86_64.rpm
/var/log/messages.2:Dec 17 08:13:10 ora01 kernel: daemon[1562]: segfault at 0000007fc0000000 rip 0000002a957af4b2 rsp 0000007fbfffe730 error 6
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/rpmpkgs.2:libgpg-error-1.0-1.x86_64.rpm
/var/log/Xorg.0.log.old: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/rpmpkgs.3:libgpg-error-1.0-1.x86_64.rpm
/var/log/rpmpkgs:libgpg-error-1.0-1.x86_64.rpm
/var/log/anaconda.xlog: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/anaconda.xlog:error opening security policy file /etc/X11/xserver/SecurityPolicy
- It's a long shot, but could be a misconfigured rsync script?
Rsync is not running/used, but some custom scripts are running cleaning up some folders. I'm trying to battle through them to see if something's wrong in them, but so far I've found nothing.
HTH, pls let us know the result.
Will do.
/Christopher
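
Added example, not part of the original thread: a small filter for the rpm -Va step above that drops edited config files and keeps only digest mismatches and missing files, so the entries worth a manual look stand out. The function names, the category labels and the sample lines are constructed for illustration; only the rhn_applet.pyc path and the /bin/ls and /bin/ps names come from the thread.

```sh
#!/bin/sh
# Triage "rpm -Va" output read from stdin.
# Each verify line is: <flags or "missing"> [one-letter file type] <path>
# A "5" in the flags means the file digest differs from the RPM database.
triage_rpm_verify() {
  awk '
    {
      flags = $1
      attr = ""
      # Optional marker before the path: c=config d=doc g=ghost l=license r=readme
      if (match($0, /^[^ ]+ +[cdglr] +\//)) attr = $2
      path = $0
      sub(/^[^ ]+ +([cdglr] +)?/, "", path)
      if (path !~ /^\//) next                  # not a verify line
      if (flags == "missing") { print "MISSING " path; next }
      if (index(flags, "5") == 0) next         # digest still matches
      if (attr == "c") next                    # config file, edits are expected
      # Python bytecode can be rewritten by the interpreter, so it is listed
      # separately and should be compared against its .py source.
      if (path ~ /\.py[co]$/) { print "BYTECODE " path; next }
      print "REVIEW " path                     # binary or data file changed
    }'
}

# Constructed sample input in rpm -Va format (not output from a real system).
sample_rpm_va() {
  cat <<'EOF'
S.5....T c /etc/ssh/sshd_config
SM5....T   /usr/share/rhn/rhn_applet/rhn_applet.pyc
..5....T   /bin/ls
.......T   /usr/bin/foo
missing    /bin/ps
EOF
}

# On a live system: rpm -Va | triage_rpm_verify
sample_rpm_va | triage_rpm_verify
```

Each REVIEW or MISSING path can then be mapped to its package with rpm -qf and compared against a copy from trusted installation media.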