You can enable auditing to determine if the files are disappearing due to human/machine intervention (audit file system deletes) or if it is due to file system corruption (files disappear and no delete audits recorded).
It may just be an errant rsync script.
-Ross
-----Original Message----- From: centos-bounces@centos.org centos-bounces@centos.org To: centos@centos.org centos@centos.org Sent: Thu Jan 03 07:09:11 2008 Subject: [CentOS] Random files in homedir gets deleted
On one of my systems I seem to loose a file or two from time to time. Last night, one of my files (/home/online/sh/NattjobbPrivat.sh) was deleted/removed/vanished. Another time it was /home/online/sh/daemon that was deleted.
But I can't seem to find anything strange in the logs or in the history, nor would any of my scripts running in crontab mess with those files.
Where can I look for clues? And how do I enable audit for file operations in my home folder?
/Christopher Thorjussen
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
You can enable auditing to determine if the files are disappearing due
to human/machine intervention (audit file system deletes) or if it is due to file system corruption (files disappear and no delete audits recorded).
It may just be an errant rsync script.
-Ross
How do I enable auditing of the home dir?
/Christopher
Hi you can try to use the kernel audit facility:
1) enable the auditd daemon:
service auditd start
2) enable audit for the home directory (only audit write operations to the directory inode); the command is not recursive and you cannot use wildcards
auditctl -w /home/user -pw
3) after a file disapears use ausearch to find who removed it (and what command was used to remove it); suppose file "test" was removed
ausearch -f /home/user/test
Radu
On Jan 4, 2008 11:25 AM, Christopher Thorjussen Christopher.Thorjussen@carrot.no wrote:
You can enable auditing to determine if the files are disappearing due
to human/machine intervention (audit file system deletes) or if it is due to file system corruption (files disappear and no delete audits recorded).
It may just be an errant rsync script.
-Ross
How do I enable auditing of the home dir?
/Christopher
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Friday 04 January 2008 17:18:25 Radu Radutiu wrote:
Hi you can try to use the kernel audit facility:
- enable the auditd daemon:
service auditd start
- enable audit for the home directory (only audit write operations to
the directory inode); the command is not recursive and you cannot use wildcards
auditctl -w /home/user -pw
- after a file disapears use ausearch to find who removed it (and
what command was used to remove it); suppose file "test" was removed
ausearch -f /home/user/test
Thanks Radu for the directions. I google for more information and found this very nice article: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
But it seems that there's no man page for the /etc/audit.rules?
-
Christopher Thorjussen -
Fajar Priyanto -
Radu Radutiu -
Ross S. W. Walker