Who is deleting the file

Yong Huang yong321 at yahoo.com
Thu Mar 31 16:55:09 UTC 2011


Some ideas. You can create a cron job to check file existence once per minute so you know exactly when the files disappear. Then check login history (command `last') to see who logs in at the time.

You can create a huge file so deleting it takes a few seconds. Run `top -b' forever and log to a file. 'rm' will be shown in the log.

If the 'rm' does not have -f, chmod 000 the file or a file so it hangs till you have time to see the rm process.

If the 'rm' is not written as '/bin/rm' or '\rm', create alias rm='rm -i' in suspect users' profiles so the rm will hang. (May not be a good idea to change /etc/profile without thorough testing.)
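
The first suggestion in the message above (a once-per-minute cron check followed by a look at `last`), as an added example that is not part of the original post: the script remembers whether each watched file existed on the previous run and, at the minute it vanishes, logs a UTC timestamp with `last` and `ps -ef` output. The function name `check_file`, the variables `STATE_DIR` and `LOG_FILE`, and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run once per minute from cron, e.g.
#   * * * * * /usr/local/bin/filewatch.sh /data/report.csv   (constructed paths)
# STATE_DIR and LOG_FILE are assumed locations; override via the environment.
STATE_DIR="${STATE_DIR:-/var/tmp/filewatch}"
LOG_FILE="${LOG_FILE:-$STATE_DIR/filewatch.log}"

# check_file PATH
# Compares PATH's existence with what the previous run recorded and prints
# one of: present, missing, APPEARED, DISAPPEARED. Transitions are logged.
check_file() {
    path=$1
    mkdir -p "$STATE_DIR" || return 1
    # One marker file per watched path; the CRC of the path is a safe file name.
    key=$(printf '%s' "$path" | cksum | cut -d' ' -f1)
    marker="$STATE_DIR/$key.present"
    now=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if [ -e "$path" ]; then
        if [ -e "$marker" ]; then
            result=present
        else
            result=APPEARED
            echo "$now APPEARED $path" >> "$LOG_FILE"
            : > "$marker"
        fi
    elif [ -e "$marker" ]; then
        result=DISAPPEARED
        rm -f "$marker"
        {   # Record the minute of disappearance plus who was around at the time.
            echo "$now DISAPPEARED $path"
            echo "--- last ---"
            last 2>/dev/null | head -n 20
            echo "--- ps -ef ---"
            ps -ef 2>/dev/null || true
        } >> "$LOG_FILE"
    else
        result=missing
    fi
    echo "$result"
}

# Check every path given on the command line (nothing happens without arguments).
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_file "$f" >/dev/null
    done
fi
```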

More information about the redhat-list mailing list