[CentOS] A Directory/Subdirectories Disappeared - which log file to look for this kind of information?
JohnS
jses27 at gmail.com
Tue May 18 13:40:06 UTC 2010
On Fri, 2010-05-14 at 15:30 -0400, JohnS wrote:
>
> > On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y <mary.y.wang at boeing.com> wrote:
> > > Hi,
> > >
> > > A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir'). The /var/log directory has a lot of files and I'm not sure where to start.
> ---
> Some grateful wiki contributor may want to do a how to on this.
> Auditd:
> Look at tail /var/log/audit.log audit.log.1 and so on.
>
> To log everything from one user: This logs all sys calls except[1]
>
> [root at x X]# /sbin/auditctl -a entry,always -S all -F uid=500
> where uid=your_usr_id. Root is "0" or should be.
> Also you can watch specific directories. How to beyond this scope atm.
> See man auditctl.
>
> Restart:
> [root at x X]# /sbin/service auditd restart
> Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
>
> [root at x X]# grep gedit /var/log/audit/audit.log.1
>
> type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78
> success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0
> ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit"
> exe="/usr/bin/gedit"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> [1]. Problem, I have a list of rules at work but I'm home today. I see
> a problem I think with either auditd or bash console. I had this
> previously configured for root to log all sys calls made. I made a file
> with touch, deleted the file and all that got logged was /bin/bash and
> that's it. Can anyone else confirm this? Either Bash is Spoofing Auditd
> or something else is happening. Search string is,
> grep rm /var/log/audit/audit.log
>
> As so goes this doesn't really help her problem and really makes a problem
> for me when I have to confirm to SAS 70 Type 2 Infrastructure.
>
> John
---
Add on Appended:
dmesg | grep rm
audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0
a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm"
subj=user_u:system_r:initrc_t:s0 key=(null)
In fact it does have the rm command I used.
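An added example, not code from the thread: a small Python reader for SYSCALL records like the two quoted above. It splits the key=value fields, reports which login user (auid) did what and as which uid, and flags the i386 syscall numbers that remove files or directories. The syscall number table, the third (constructed) rmdir record and the key name dev-tree are assumptions of the example, not data from the list post.

```python
import re

# The records in this thread come from a 32-bit x86 box: arch=40000003 is
# AUDIT_ARCH_I386. Only the i386 syscall numbers are decoded here
# (assumption for this example; x86_64 uses different numbers).
ARCH_NAMES = {"40000003": "i386"}
I386_SYSCALLS = {
    10: "unlink",
    40: "rmdir",
    78: "gettimeofday",
    252: "exit_group",
    301: "unlinkat",
}
DELETION_SYSCALLS = {"unlink", "unlinkat", "rmdir"}

# key=value pairs; quoted values such as comm="rm" may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        value = value.strip('"')
        fields[key] = None if value in ("(null)", "(none)") else value
    return fields


def describe(line):
    """For one SYSCALL record: which login user ran what, and was it a
    file or directory removal?"""
    rec = parse_record(line)
    arch = ARCH_NAMES.get(rec.get("arch"), "unknown")
    raw = rec.get("syscall") or ""
    nr = int(raw) if raw.isdigit() else None
    if arch == "i386" and nr in I386_SYSCALLS:
        name = I386_SYSCALLS[nr]
    else:
        name = f"syscall {nr}"
    auid, uid = rec.get("auid"), rec.get("uid")
    # auid is the uid of the original login session and survives su/sudo,
    # so auid=500 uid=0 means user 500 did this as root.
    actor = f"login uid {auid}"
    if uid is not None and uid != auid:
        actor += f" acting as uid {uid}"
    return {
        "actor": actor,
        "syscall": name,
        "exe": rec.get("exe"),
        "tty": rec.get("tty"),
        "key": rec.get("key"),
        "is_deletion": name in DELETION_SYSCALLS,
    }


def find_deletions(lines):
    """Return the decoded records that are file or directory removals."""
    return [d for d in (describe(l) for l in lines) if d["is_deletion"]]


# The two records quoted in the thread (joined back onto one line each),
# plus one constructed rmdir record carrying the key a watch rule would add.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78 '
    'success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0 '
    'ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 '
    'egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit" exe="/usr/bin/gedit" '
    'subj=user_u:system_r:unconfined_t:s0 key=(null)',
    # syscall=252 is exit_group on i386: this is rm exiting, not the unlink itself
    'audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0 '
    'a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm" '
    'subj=user_u:system_r:initrc_t:s0 key=(null)',
    # constructed: what an rmdir caught by "-w /srv/dev -p wa -k dev-tree" looks like
    'type=SYSCALL msg=audit(1273900000.000:1): arch=40000003 syscall=40 '
    'success=yes exit=0 a0=9f3c008 a1=0 a2=0 a3=0 items=1 ppid=3055 pid=3100 '
    'auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts1 comm="rmdir" exe="/bin/rmdir" '
    'subj=user_u:system_r:unconfined_t:s0 key="dev-tree"',
]

if __name__ == "__main__":
    for d in find_deletions(SAMPLE_LINES):
        print(d)
```

The auid field is what answers the original question: it is the uid of the login session and is kept across su and sudo, which is why the rm record from dmesg shows auid=500 uid=0. That record's syscall=252 is exit_group on i386, that is, rm exiting; the unlink call itself is a separate SYSCALL record with its own msg id and an accompanying PATH record naming the file. A watch rule of the form `auditctl -w /path/to/dir -p wa -k dev-tree` tags records for that directory with a key, so `ausearch -k dev-tree` finds them without grepping for command names.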