 

Monitor/audit file delete on Linux

One of the .beam files of one of my application deps is being deleted and I am not sure by what/how.

Is there a way to monitor or audit a file to see what happens when it is deleted?

I'm using RedHat distro.

Myles McDonnell asked Apr 08 '15 15:04




1 Answer

Yes, you can use the audit daemon. You didn't say which Linux distro. Red Hat based systems contain auditd, and you can use auditctl to add rules.

To watch a directory recursively for changes:

auditctl -w /usr/local/someapp/ -p wa

To watch system calls made by a program with pid of 2021:

auditctl -a exit,always -S all -F pid=2021

Check the man page for auditctl.

Results will be logged to /var/log/audit/audit.log.

To ensure it's running:

/etc/init.d/auditd status

For a more thorough approach, you could use tripwire or OSSEC, but they're geared more toward intrusion detection.

Pete Cornell answered Oct 13 '22 00:10
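As an added example (not from the answer above or the auditd project): a small parser for the records that the directory watch writes to /var/log/audit/audit.log, grouping them by serial number and reporting which process deleted which file. It assumes the watch was given a `-k beam-watch` key (an assumption, used only to tag records) and a kernel that emits the `nametype` field in PATH records (RHEL 7 and later); the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format, as written after
# `auditctl -w /usr/local/someapp/ -p wa -k beam-watch`. Records of one event share
# the serial number inside msg=audit(TIMESTAMP:SERIAL); some fields are trimmed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1428500000.123:4567): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1234 pid=2021 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="beam-watch"
type=CWD msg=audit(1428500000.123:4567):  cwd="/root"
type=PATH msg=audit(1428500000.123:4567): item=0 name="/usr/local/someapp/ebin/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1428500000.123:4567): item=1 name="/usr/local/someapp/ebin/myapp.beam" inode=131080 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1428500010.456:4570): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1234 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="beam-watch"
type=PATH msg=audit(1428500010.456:4570): item=0 name="/usr/local/someapp/ebin/other.beam" inode=131081 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial: {serial: {"SYSCALL": fields|None, "PATH": [fields, ...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        fields["time"] = m.group(1)
        event = events[m.group(2)]
        if fields.get("type") == "SYSCALL":
            event["SYSCALL"] = fields
        elif fields.get("type") == "PATH":
            event["PATH"].append(fields)
    return events

def find_deletions(text):
    """Return one dict per removed directory entry: file, program, pid, uid and login uid."""
    hits = []
    for serial, event in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc = event["SYSCALL"]
        # Only a PATH record with nametype=DELETE names an entry that was unlinked;
        # the SYSCALL record of the same serial says which process did it. auid is
        # the login uid, which survives su/sudo, so it shows the human behind root.
        for p in event["PATH"]:
            if sc is not None and p.get("nametype") == "DELETE":
                hits.append({"serial": serial, "time": sc["time"], "path": p["name"],
                             "exe": sc.get("exe"), "comm": sc.get("comm"),
                             "pid": sc.get("pid"), "uid": sc.get("uid"),
                             "auid": sc.get("auid"), "key": sc.get("key")})
    return hits
```

On a real system `ausearch -k beam-watch -i` performs the same grouping and interprets the numeric fields; the parser shows what that tool is reading.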