Who is deleting the file

Carl G. Riches cgr at u.washington.edu
Fri Apr 1 15:40:52 UTC 2011 

On Fri, 1 Apr 2011, Abhilash abhi wrote:

> Thanks to all especially to Jonathan for the suport.
>
> But we are using SLES10 OS and selinux feature is not there. therefore
> auditctl method wont work even if the service auditd is running.
>
> Also in this case audit feature should be enabled in the Netapp filer right
> ? not from the machine from which we are accessing the NFS path from those
> filer.
>

Do you have process accounting installed?  With that you can use the 
"lastcomm" command to see who's running what command.  On RHEL that's
the "psacct" package.  Can't help you with SLES.

Carl
--
Carl G. Riches
IT Manager
Department of Biostatistics
Box 357232                      voice:     206-616-2725
University of Washington        fax:       206-543-3286
Seattle, WA  98195-7232         internet:  cgr at u.washington.edu

>
> On Fri, Apr 1, 2011 at 12:15 AM, Jonathan S Billings <jsbillin at umich.edu>wrote:
>
>> On 03/31/2011 08:55 AM, Abhilash abhi wrote:
>>> I have one directory which contains some files..and the directory is
>> owned
>>> by some group called X. All files within the directory have group
>> membership
>>> X since SGID is set .some files are frequently missing from that
>> directory
>>> and i am restoring it through snapshots(Netapp filer). Is there anyway to
>>> find out who is (which user) or by what operation deleted the file??
>>
>> This can be fairly easily done with SELinux.
>>
>> First, make sure selinux is enabled and auditd is running.  Then, start
>> monitoring the directory with 'auditctl'.  Example, assuming the
>> directory is /tmp/testing (this starts auditing writes to the directory,
>> and labels it with the key "whodeletedit"):
>>
>> # auditctl -w /tmp/testing -k whodeletedit -p w
>>
>> when you're done monitoring it, you can remove this search with:
>>
>> # auditctl -W /tmp/testing -k whodeletedit -p w
>>
>> You will want to stop monitoring it once you've figured it out, because
>> it'll continue to fill the audit log for every time someone adds or
>> removes a file from the directory.
>>
>> If you want to see who deleted files with /bin/rm in that directory, run:
>> # ausearch -i -k whodeletedit -x /bin/rm
>>
>> This will print out the audit log for every /bin/rm in called that
>> writes to the directory.  I added the -i to ausearch so it'll print out
>> the username instead of the userid.  You can get rid of the -x /bin/rm
>> if no one is running /bin/rm but using some other program that unlinks
>> files.
>>
>>
>> --
>> Jonathan Billings <jsbillin at umich.edu>
>> College of Engineering - CAEN - Unix and Linux Support
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
>>
>
>
>
> -- 
>
> Regards,
> Abhilash
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>

More information about the redhat-list mailing list