Thanks to those who responded to my question. I'll keep the information with me in case I need it in the future. After discussing the logging with my system admins, we decided that we'll not turn them on (maybe just the basic bash and csh history files) because they will possibly create lots of logs. I've not lost any more directories/subdirectories since the day I reported my problem. So I'm happy for now.

Mary

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of JohnS
Sent: Tuesday, May 18, 2010 6:40 AM
To: CentOS mailing list
Subject: Re: A Directory/Subdirectories Disappeared - which log file to look for this kind of information?

On Fri, 2010-05-14 at 15:30 -0400, JohnS wrote:
> > > On Fri, May 14, 2010 at 11:36 AM, Wang, Mary Y <mary.y.wang@xxxxxxxxxx> wrote:
> > > Hi,
> > >
> > > A directory/subdirectories just disappeared on our dev box, and we don't know what happened. Is there a log file that logs this kind of stuff (such as who/date did a 'rmdir'). The /var/log directory has a lot of files and I'm not sure where to start.
> ---
> Some grateful wiki contributor may want to do a how-to on this.
> Auditd:
> Look at tail /var/log/audit.log audit.log.1 and so on.
>
> To log everything from one user: This logs all sys calls except[1]
>
> [root@x X]# /sbin/auditctl -a entry,always -S all -F uid=500 where
> uid=your_usr_id. Root is "0" or should be.
> Also you can watch specific directories. How to beyond this scope atm.
> See man auditctl.
>
> Restart:
> [root@x X]# /sbin/service auditd restart
> Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
>
> [root@x X]# grep gedit /var/log/audit/audit.log.1
>
> type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78
> success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0
> ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit"
> exe="/usr/bin/gedit"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> [1]. Problem, I have a list of rules at work but I'm home today. I
> see a problem I think with either auditd or bash console. I had this
> previously configured for root to log all sys calls made. I made a
> file with touch, deleted the file and all that got logged was
> /bin/bash and that's it. Can anyone else confirm this? Either Bash is
> Spoofing Auditd or something else is happening. Search string is,
> grep rm /var/log/audit/audit.log
>
> As it goes, this doesn't really help her problem and really makes a
> problem for me when I have to conform to SAS 70 Type 2 Infrastructure.
>
> John
---
Add on Appended:

dmesg | grep rm

audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0 a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm" subj=user_u:system_r:initrc_t:s0 key=(null)

In fact it does have the rm command I used.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
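
Added example, not part of the original thread: a small Python parser for audit records in the two forms quoted above (the audit.log form and the dmesg form), which picks out removal-related records and reports the login uid (auid) next to the effective uid. The function names, the sample re-joined onto single lines, and the 32-bit x86 syscall-number table are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Sample input: the two records quoted in the thread, re-joined onto single lines.
SAMPLE = """\
type=SYSCALL msg=audit(1273861358.952:59793): arch=40000003 syscall=78 success=yes exit=0 a0=bfcb7498 a1=0 a2=8416a8 a3=8a66d70 items=0 ppid=1 pid=16192 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gedit" exe="/usr/bin/gedit" subj=user_u:system_r:unconfined_t:s0 key=(null)
audit(1273860293.659:144758): arch=40000003 syscall=252 a0=0 a1=4 a2=0 a3=4c240278 items=0 ppid=3055 pid=3067 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="rm" exe="/bin/rm" subj=user_u:system_r:initrc_t:s0 key=(null)
"""

# Matches both 'type=SYSCALL msg=audit(...)' (audit.log) and bare 'audit(...)' (dmesg).
HEADER = re.compile(r'audit\((\d+)\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: 32-bit x86 syscall numbers (arch=40000003); other architectures differ.
I386 = {10: "unlink", 38: "rename", 40: "rmdir", 78: "gettimeofday",
        252: "exit_group", 301: "unlinkat"}
REMOVAL_SYSCALLS = {"unlink", "rmdir", "unlinkat", "rename"}
REMOVAL_TOOLS = {"rm", "rmdir", "unlink", "mv"}

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
    rec["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat()
    rec["serial"] = int(m.group(2))
    rec["syscall_name"] = I386.get(int(rec.get("syscall", -1)), "unknown")
    return rec

def removal_candidates(text):
    """Records whose syscall removes a path, or whose program is a removal tool."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        tool = rec.get("exe", "").rsplit("/", 1)[-1]
        if rec["syscall_name"] in REMOVAL_SYSCALLS or tool in REMOVAL_TOOLS:
            # auid is the login uid: it stays the same after su/sudo, unlike uid.
            keep = ("time", "serial", "auid", "uid", "exe", "syscall_name")
            hits.append({k: rec.get(k) for k in keep})
    return hits

if __name__ == "__main__":
    for hit in removal_candidates(SAMPLE):
        print(hit)
```

On the thread's two records the only hit is the /bin/rm record, run with uid=0 by login uid 500; its syscall number decodes to exit_group rather than a removal call.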