Audit rm?

Dustin Kirkland dustin.kirkland at gmail.com
Tue Apr 4 02:54:10 UTC 2006


On 4/3/06, Mont Rothstein <mont.rothstein at gmail.com> wrote:
> What syscall is used by rm?  There is one for rmdir but I can't figure out
> how to audit when a file is deleted.

Try:
# touch test
# strace rm test

Toward the bottom of the trace you should see a call to unlink() — that is the syscall rm uses to delete a regular file, so it is the one to audit for file deletions (rmdir() only covers directories).

:-Dustin


[dustin at t41p tmp]$ strace rm test
execve("/bin/rm", ["rm", "test"], [/* 40 vars */]) = 0
brk(0)                                  = 0xa048000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7f09000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=89873, ...}) = 0
old_mmap(NULL, 89873, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef3000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\212\316"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1485672, ...}) = 0
old_mmap(0xbc8000, 1215452, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xbc8000
old_mmap(0xceb000, 16384, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x123000) = 0xceb000
old_mmap(0xcef000, 7132, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xcef000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7ef2000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ef26c0,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xceb000, 8192, PROT_READ)     = 0
mprotect(0xbc4000, 4096, PROT_READ)     = 0
munmap(0xb7ef3000, 89873)               = 0
brk(0)                                  = 0xa048000
brk(0xa069000)                          = 0xa069000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=49610336, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7cf2000
close(3)                                = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat64("test", {st_mode=S_IFREG|0664, st_size=8, ...}) = 0
access("test", W_OK)                    = 0
unlink("test")                          = 0
exit_group(0)                           = ?



