On Thursday 03 January 2008 19:09:11 Christopher Thorjussen wrote:
On one of my systems I seem to lose a file or two from time to time. Last night, one of my files (/home/online/sh/NattjobbPrivat.sh) was deleted/removed/vanished. Another time it was /home/online/sh/daemon that was deleted.
But I can't seem to find anything strange in the logs or in the history, nor would any of my scripts running in crontab mess with those files.
Where can I look for clues? And how do I enable audit for file operations in my home folder?
Hi, this really sounds weird. In order to audit it, the following checklist might help:

1. If the system was administered by an admin other than you and he got fired/dismissed with hard feelings, he might have put in a crontab that would do nasty things randomly. Audit all the files in:
   /var/spool/cron
   /var/spool/at
   Also all the scripts in /etc/cron.{d,daily,weekly,monthly}, /etc/crontab

2. Audit all RPM files installed using: rpm -Va, and look for a difference in md5sum for binary files such as /bin/ls, /bin/ps, etc. You might want to use a cracker detection script such as rkhunter.

3. Look for the word "error" in log files:
   grep -r error /var/log
   Look for related errors such as filesystem corruption, etc.

4. It's a long shot, but could it be a misconfigured rsync script?

HTH, pls let us know the result.
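
Added example, not part of the original reply: a shell function for step 2 that reduces `rpm -Va` output to non-config files whose digest changed (a `5` in the third position of the attribute string) or that are missing. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Triage `rpm -Va` output so that changed or missing binaries stand out.

# Constructed sample of `rpm -Va` output (not taken from a real system).
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/example/README
S.5....T.    /bin/ls
missing      /usr/bin/example-tool
..5......    /bin/ps
.M.......  g /var/run/example.pid
EOF
}

# Reads `rpm -Va` lines on stdin and prints "DIGEST <path>" or "MISSING <path>".
# Files marked c (config), d (doc), g (ghost), l (license) or r (readme) are
# skipped, because changes to them are routine and would bury the real findings.
triage_rpm_va() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)            # drop the attribute string
        if (rest ~ /^[cdglr] +\//) next      # typed file: skip it
        if (flags == "missing") { print "MISSING " rest; next }
        # Third character is "5" when the file digest differs from the RPM database.
        if (substr(flags, 3, 1) == "5") print "DIGEST " rest
    }'
}

# Demo on the constructed sample; on a real host use: rpm -Va | triage_rpm_va
sample_rpm_va | triage_rpm_va
```

A digest mismatch on a binary is only a lead: compare the file against a freshly downloaded package before drawing conclusions, since the local RPM database can itself be altered by whoever changed the file.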