Hi,
A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir')? The /var/log directory has a lot of files and I'm not sure where to start.
Thanks in advance. Mary
On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y mary.y.wang@boeing.com wrote:
Hi,
A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir'). The /var/log directory has a lot of files and I'm not sure where to start.
Unless auditing is enabled and rules are configured then there's no easy way to tell. You might try looking through the .bash_history files of recently logged in users, but that's not time coded.
Thanks for the info. There are only three of us who have "root" access, and I guess the date/time is more important to us. We are also concerned that there might be a script that did the "rmdir" unintentionally. The .bash_history had some old stuff, with an older timestamp on the file. Some of us use csh and there is no history file associated with it.
How do I enable the auditing that you described below?
Mary
please bottom post, more at the bottom ...
On May 14, 2010, at 11:50 AM, Wang, Mary Y wrote:
Thanks for the info. There are only three of us who have "root" access, and I guess the date/time is more important to us. We are also concerned that there might be a script that did the "rmdir" unintentionally. The .bash_history had some old stuff, with an older timestamp on the file. Some of us use csh and there is no history file associated with it.
If no other directories or files have been added to or deleted from the parent directory of the missing directory, then the timestamp of the parent directory will tell you when the directory was deleted.
Tony Schreiner
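Tony's parent-directory check, turned into a shell function as an added example; this is not code from the thread. It assumes GNU stat (the one in CentOS coreutils) and, beyond what Tony states, also tests whether the mtime can still be trusted: any surviving sibling whose ctime is at or after the parent's mtime means the parent was modified again after the deletion, and the mtime is then that later event.

```shell
#!/bin/sh
# Added example, not from the thread. Estimate when a now-missing directory was
# removed from the mtime of its parent, and say whether that estimate holds up.
# Assumes GNU stat (-c %Y is mtime, -c %Z is ctime, both as epoch seconds).

# $1 is the path the missing directory used to have. Prints the parent's mtime
# as epoch seconds. Returns 1 if some surviving sibling has a ctime at or after
# that mtime: the parent was written again (something created, renamed or
# removed), so the mtime is that later event, not the deletion. A sibling that
# was merely chmod'ed later also trips this, which errs on the safe side.
deletion_time_estimate() {
  parent=$(dirname -- "$1")
  [ -d "$parent" ] || { echo "no such parent: $parent" >&2; return 2; }
  pm=$(stat -c %Y "$parent")
  echo "$pm"
  rc=0
  # include dot entries; a glob that matches nothing is skipped by the -e/-L test
  for entry in "$parent"/* "$parent"/.[!.]* "$parent"/..?*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    ct=$(stat -c %Z "$entry")
    if [ "$ct" -ge "$pm" ]; then
      echo "sibling $entry changed at $ct, not before parent mtime $pm: estimate unreliable" >&2
      rc=1
    fi
  done
  return $rc
}
```

Run it as `deletion_time_estimate /path/that/vanished` and feed the number to `date -d @<epoch>` for a readable time. The estimate is also destroyed by anything that rewrites the parent's mtime without leaving a sibling to flag it, such as `touch` on the parent, a restore from backup, or the deletion of a second entry.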
On 14 May 2010 16:59, Tony Schreiner schreian@bc.edu wrote:
please bottom post, more at the bottom ...
On May 14, 2010, at 11:50 AM, Wang, Mary Y wrote:
Thanks for the info. There are only three of us who have "root" access, and I guess the date/time is more important to us. We are also concerned that there might be a script that did the "rmdir" unintentionally.
If you have scripts deleting/moving or otherwise playing around with the filesystems, you might want to double check they are null safe for variables that end up as filenames...
example:
#!/bin/bash
MYFILE=$1
scp ${MYFILE} me@backup:
rm -fr ./${MYFILE}    # with $1 empty this becomes "rm -fr ./", i.e. the whole PWD
Very basic, but it illustrates the point: if the bash argument (in this case) was invalid or missed out somehow, the result could be the removal of the entire PWD. This only gets worse with absolute paths (oops, bye bye /) and more complicated setups... when quickly scripting it is also something that often gets overlooked....
James
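A null-safe rewrite of James's sketch, added here as an example rather than taken from the thread. The scp step is replaced by a local copy into BACKUP_DIR, an assumed directory, so that it runs offline; the argument checks are the point, and they are exactly what the original lacks.

```shell
#!/bin/sh
# Added example, not from the thread: the scp-then-rm sketch made null safe.
# BACKUP_DIR (assumed) stands in for the scp target so this runs offline.
set -u   # an unset variable is an error, not an empty string

# Copy $1 into BACKUP_DIR, then remove it. Every way the original could turn
# into "rm -fr ./" or "rm -fr /" is refused before anything is deleted.
backup_then_remove() {
  if [ "$#" -ne 1 ] || [ -z "$1" ]; then
    echo "usage: backup_then_remove <file-or-directory>" >&2
    return 2
  fi
  target=$1
  [ -e "$target" ] || { echo "no such path: $target" >&2; return 2; }
  canon=$(readlink -f -- "$target") || return 2
  # never operate on the root, a top-level system directory, or the working directory
  case "$canon" in
    /|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/proc|/root|/sbin|/srv|/sys|/usr|/var)
      echo "refusing to remove $canon" >&2; return 2 ;;
  esac
  [ "$canon" != "$(pwd -P)" ] || { echo "refusing to remove the current directory" >&2; return 2; }
  [ -d "${BACKUP_DIR:-}" ] || { echo "BACKUP_DIR is not a directory" >&2; return 2; }
  # stand-in for: scp -r "$canon" me@backup:   (and only delete if the copy succeeded)
  cp -a -- "$canon" "$BACKUP_DIR"/ || return 1
  rm -rf -- "$canon"
}
```

The three habits that matter: `set -u` so a missing argument aborts instead of expanding to nothing, an explicit test that the argument is non-empty and exists, and `--` before the path so a name starting with `-` cannot be read as an option. The deny list is a judgement call; extend it to whatever the box cannot afford to lose.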
Thanks for the info. There are only three of us who have "root" access, and I guess the date/time is more important to us. We are also concerned that there might be a script that did the "rmdir" unintentionally. The .bash_history had some old stuff, with an older timestamp on the file. Some of us use csh and there is no history file associated with it.
How do I enable the auditing that you described below?
Here's a question: was it done by someone logged in as root, or via sudo? If the latter, then check /var/log/secure to find it.
mark
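Following mark's pointer, an added example (not from the thread) of pulling sudo-run deletions out of /var/log/secure. The sample lines are constructed in the standard sudo syslog format; the host devbox, the users and the paths are made up. It also flags sudo invocations that start a shell, because anything typed inside that shell, like anything typed after a plain su to root, never reaches /var/log/secure; that is the gap only auditd closes.

```shell
#!/bin/sh
# Added example, not from the thread. Find deletions run through sudo in
# /var/log/secure-format lines. SECURE_SAMPLE is constructed.
SECURE_SAMPLE='May 14 10:02:11 devbox sudo:     mary : TTY=pts/1 ; PWD=/srv/project ; USER=root ; COMMAND=/bin/ls -l
May 14 10:05:42 devbox sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /srv/project/build
May 14 10:06:03 devbox sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 14 10:07:15 devbox sudo:    mary : TTY=pts/1 ; PWD=/srv/project ; USER=root ; COMMAND=/bin/rmdir /srv/project/old'

# Reads sudo log lines on stdin. Prints one line per deletion command
# ("DELETE <timestamp> <user> pwd=<dir> cmd=<command>") and one per shell
# spawned through sudo ("SHELL ..."), since sudo logs only the shell, not what
# was typed into it. Everything else (ls, cat, ...) is ignored.
sudo_deletions() {
  awk '
    / sudo: / {
      ts = substr($0, 1, 15)                              # "May 14 10:05:42"
      who = ""; if (match($0, /sudo: +[^ ]+ :/)) { who = substr($0, RSTART + 5, RLENGTH - 7); gsub(/ /, "", who) }
      pwd = ""; if (match($0, /PWD=[^;]*/)) { pwd = substr($0, RSTART + 4, RLENGTH - 4); gsub(/ +$/, "", pwd) }
      cmd = ""; if (match($0, /COMMAND=.*/)) cmd = substr($0, RSTART + 8)
      base = cmd; sub(/ .*/, "", base); sub(/.*\//, "", base)   # /bin/rm -rf x -> rm
      if (base == "rm" || base == "rmdir" || base == "unlink")
        printf "DELETE %s %s pwd=%s cmd=%s\n", ts, who, pwd, cmd
      else if (base == "bash" || base == "sh" || base == "csh" || base == "tcsh" || base == "su")
        printf "SHELL  %s %s pwd=%s cmd=%s (commands run inside it are not logged by sudo)\n", ts, who, pwd, cmd
    }'
}

# On the box itself: sudo_deletions < /var/log/secure   (root-readable)
printf '%s\n' "$SECURE_SAMPLE" | sudo_deletions
```

Two caveats when reading the result: the PWD field is where the command was typed, so a relative path in the command resolves against it; and a `COMMAND=/bin/rm -rf ./$DIR` whose variable was empty shows up as `rm -rf ./`, which is the failure James describes.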
On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y mary.y.wang@boeing.com wrote:
Hi,
A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir'). The /var/log directory has a lot of files and I'm not sure where to start.
Some grateful wiki contributor may want to do a how-to on this. Auditd: look at tail /var/log/audit.log, audit.log.1 and so on.
To log everything from one user (this logs all syscalls, except [1]):
[root@x X]# /sbin/auditctl -a entry,always -S all -F uid=500
where uid=your_usr_id. Root is "0", or should be. You can also watch specific directories; the how-to for that is beyond this scope atm. See man auditctl.
Restart:
[root@x X]# /sbin/service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@x X]# grep gedit /var/log/audit/audit.log.1
type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78 success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0 ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit" exe="/usr/bin/gedit" subj=user_u:system_r:unconfined_t:s0 key=(null)
[1]. Problem: I have a list of rules at work but I'm home today. I see a problem, I think, with either auditd or the bash console. I had this previously configured for root to log all syscalls made. I made a file with touch, deleted the file, and all that got logged was /bin/bash and that's it. Can anyone else confirm this? Either Bash is spoofing Auditd or something else is happening. Search string is: grep rm /var/log/audit/audit.log
As it goes, this doesn't really help her problem, and it really makes a problem for me when I have to conform to SAS 70 Type 2 infrastructure.
John
On Fri, 2010-05-14 at 15:30 -0400, JohnS wrote:
Add-on appended:
dmesg | grep rm
audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0 a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm" subj=user_u:system_r:initrc_t:s0 key=(null)
In fact it does have the rm command I used.
Thanks to those who responded to my question. I'll keep the information in case I need it in the future. After discussing the logging with my system admins, we decided that we'll not turn it on (maybe just the basic bash and csh history files) because it will possibly create lots of logs. I've not lost any more directories/subdirectories since the day I reported my problem. So I'm happy for now.
Mary
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos