On Friday 04 January 2008 17:18:25 Radu Radutiu wrote: > Hi you can try to use the kernel audit facility: > 1) enable the auditd daemon: > service auditd start > > 2) enable audit for the home directory (only audit write operations to > the directory inode); the command is not recursive and you cannot use > wildcards > > auditctl -w /home/user -pw > > 3) after a file disapears use ausearch to find who removed it (and > what command was used to remove it); suppose file "test" was removed > > ausearch -f /home/user/test Thanks Radu for the directions. I google for more information and found this very nice article: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html But it seems that there's no man page for the /etc/audit.rules? -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 17:04:31 up 2:35, 2.6.22-14-generic GNU/Linux Let's use OpenOffice. http://www.openoffice.org The real challenge of teaching is getting your students motivated to learn. -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 18:43:16 up 19 min, 2.6.22-14-generic GNU/Linux Let's use OpenOffice. http://www.openoffice.org The real challenge of teaching is getting your students motivated to learn. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. URL: <http://lists.centos.org/pipermail/centos/attachments/20080125/4cba531a/attachment-0005.sig>