[CentOS] A Directory/Subdirectories Disappeared - which log file to look for this kind of information?

JohnS jses27 at gmail.com
Tue May 18 13:40:06 UTC 2010


On Fri, 2010-05-14 at 15:30 -0400, JohnS wrote:
> 
> > On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y <mary.y.wang at boeing.com> wrote:
> > > Hi,
> > >
> > > A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir').  The /var/log directory has a lot of files and I'm not sure where to start.
> ---
> Some greatfull wiki contributer may want to do a how to on this.
> Auditd:
> Look at tail /var/log/audit.log audit.log.1 ans so on.
> 
> To log every thing from one user:  This logs all sys calls except[1]
> 
> [root at x X]# /sbin/auditctl -a entry,always -S all -F uid=500
> where uid=your_usr_id.  Root is "0" or should be.
> Also you can watch specific directories.  How to beyond this scope atm.
> See man auditctl.
> 
> Restart:
> [root at x X]# /sbin/service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> 
> [root at x X]# grep gedit /var/log/audit/audit.log.1
> 
> type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78 
> success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0 
> ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 
> egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit"
> exe="/usr/bin/gedit" 
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> 
> [1].  Problem, I have a list of rules at work but im home today.  I see
> a problem I think with either auditd or bash console.  I had this
> previously configured for root to log all sys calls made.  I made a file
> with touch, deleted the file and all that got logged was /bin/bash and
> thats it.  Can anyone else confirm this?  Either Bash is Spoofing Auditd
> or something else is happening.  Search string is,
>  grep rm /var/log/audit/audit.log
> 
> As so goes this don't really help her problem and really makes a problem
> for me when I have to confirm to SAS 70 Type 2 Infrastructure.
> 
> John
---
Add on Appended:

dmesg | grep rm

audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0
a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm"
subj=user_u:system_r:initrc_t:s0 key=(null)

In fact does have my rm command I used.  




More information about the CentOS mailing list