Audit rm?
Mont Rothstein
mont.rothstein at gmail.com
Tue Apr 4 15:26:06 UTC 2006
Thanks, I wasn't familiar with strace.
-Mont
On 4/3/06, Dustin Kirkland <dustin.kirkland at gmail.com> wrote:
>
> On 4/3/06, Mont Rothstein <mont.rothstein at gmail.com> wrote:
> > What syscall is used by rm? There is one for rmdir but I can't figure out
> > how to audit when a file is deleted.
>
> Try:
> # touch test
> # strace rm test
>
> Toward the bottom you should see a call to unlink().
>
> :-Dustin
>
>
> [dustin at t41p tmp]$ strace rm test
> execve("/bin/rm", ["rm", "test"], [/* 40 vars */]) = 0
> brk(0) = 0xa048000
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0xb7f09000
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=89873, ...}) = 0
> old_mmap(NULL, 89873, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef3000
> close(3) = 0
> open("/lib/libc.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\212\316"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1485672, ...}) = 0
> old_mmap(0xbc8000, 1215452, PROT_READ|PROT_EXEC,
> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xbc8000
> old_mmap(0xceb000, 16384, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x123000) = 0xceb000
> old_mmap(0xcef000, 7132, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xcef000
> close(3) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0xb7ef2000
> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ef26c0,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> mprotect(0xceb000, 8192, PROT_READ) = 0
> mprotect(0xbc4000, 4096, PROT_READ) = 0
> munmap(0xb7ef3000, 89873) = 0
> brk(0) = 0xa048000
> brk(0xa069000) = 0xa069000
> open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=49610336, ...}) = 0
> mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7cf2000
> close(3) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo
> ...}) = 0
> lstat64("test", {st_mode=S_IFREG|0664, st_size=8, ...}) = 0
> access("test", W_OK) = 0
> unlink("test") = 0
> exit_group(0) = ?
>
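The thread above settles the question by tracing rm and spotting unlink() near the bottom. The script below is an added example, not part of the original thread, that automates that check: it reads strace output and prints every successful syscall that removes a directory entry, together with the path, so the list of syscalls an audit rule must cover comes straight from what the tool actually called. The sample strace text is constructed (the relevant lines quoted above, plus unlinkat() and rmdir() lines in the form newer coreutils emit); the function names deletion_syscalls and syscalls_to_audit are my own.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): extract file-deletion
# syscalls from an strace log to learn what an audit rule must watch.

# Constructed sample: the tail of the strace output quoted above, plus
# unlinkat()/rmdir() lines as newer rm and rmdir binaries produce them,
# and one failed unlink() that should be ignored.
SAMPLE_STRACE='lstat64("test", {st_mode=S_IFREG|0664, st_size=8, ...}) = 0
access("test", W_OK) = 0
unlink("test") = 0
unlinkat(AT_FDCWD, "other", 0) = 0
unlinkat(AT_FDCWD, "dir", AT_REMOVEDIR) = 0
rmdir("emptydir") = 0
unlink("missing") = -1 ENOENT (No such file or directory)
exit_group(0) = ?'

# deletion_syscalls: read strace output on stdin and print "<syscall> <path>"
# for each unlink/unlinkat/rmdir call that returned 0 (i.e. really deleted).
deletion_syscalls() {
    awk '
        /^(unlink|unlinkat|rmdir)\(/ && / = 0$/ {
            call = $0
            sub(/\(.*/, "", call)        # keep only the syscall name
            path = $0
            sub(/^[^"]*"/, "", path)     # drop everything up to the first quote
            sub(/".*/, "", path)         # drop the closing quote and the rest
            print call " " path
        }'
}

# syscalls_to_audit: the distinct deleting syscalls seen, space separated,
# which is exactly the -S list an audit rule for "file deleted" needs.
syscalls_to_audit() {
    deletion_syscalls | awk '{ print $1 }' | sort -u | xargs
}

printf '%s\n' "$SAMPLE_STRACE" | deletion_syscalls
printf '%s\n' "$SAMPLE_STRACE" | syscalls_to_audit
```

Run it against a real trace with `strace rm somefile 2>&1 | deletion_syscalls` (strace writes to stderr). The point the parser makes explicit: the rm in the trace above calls unlink(), but current coreutils rm calls unlinkat() instead, and rmdir uses rmdir(), so an audit rule that watches unlink alone silently misses deletions. Cover all three, for example `auditctl -a always,exit -S unlink -S unlinkat -S rmdir -k delete` (my suggested rule, not one given in the thread).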