Re: Who is deleting the file

On 03/31/2011 08:55 AM, Abhilash abhi wrote:
> I have one directory which contains some files, and the directory is owned
> by some group called X. All files within the directory have group membership
> X since SGID is set. Some files are frequently missing from that directory
> and I am restoring them through snapshots (Netapp filer). Is there any way to
> find out who (which user) or which operation deleted the file?

This can be fairly easily done with SELinux.

First, make sure selinux is enabled and auditd is running.  Then, start
monitoring the directory with 'auditctl'.  Example, assuming the
directory is /tmp/testing (this starts auditing writes to the directory,
and labels it with the key "whodeletedit"):

# auditctl -w /tmp/testing -k whodeletedit -p w

When you're done monitoring it, you can remove this search with:

# auditctl -W /tmp/testing -k whodeletedit -p w

You will want to stop monitoring it once you've figured it out, because
it'll continue to fill the audit log for every time someone adds or
removes a file from the directory.

If you want to see who deleted files with /bin/rm in that directory, run:

# ausearch -i -k whodeletedit -x /bin/rm

This will print out the audit log for every /bin/rm call that
writes to the directory.  I added the -i to ausearch so it'll print out
the username instead of the userid.  You can get rid of the -x /bin/rm
if no one is running /bin/rm but using some other program that unlinks
files.


-- 
Jonathan Billings <jsbillin@xxxxxxxxx>
College of Engineering - CAEN - Unix and Linux Support
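The watch rule above produces one audit event per operation, spread across a SYSCALL record, a CWD record and one or more PATH records that share the same audit(time:serial) id. The following is an added example, not code from the post or from the audit package, showing how to regroup those raw records and keep only the successful deletions. The log it parses is constructed (serials, pids, inodes and uids are invented, the layout is auditd's raw format), the uid-to-name map is constructed (on a real host `ausearch -i` or `pwd.getpwuid()` does that lookup), and the syscall numbers are the x86_64 ones (arch=c000003e); other architectures need their own table. Two details a practitioner usually wants: the report uses `auid` (the login uid, which survives `su`/`sudo`) rather than `uid`, which reads 0 after sudo, and it skips events with `success=no`, which are attempts that were denied, not deletions.

```python
"""Who deleted files from an audited directory: parse raw auditd records.

Added example, not code from the original post. SAMPLE_LOG is constructed
(serials, pids, inodes, uids are invented) but follows the raw record layout
auditd writes for a rule such as: auditctl -w /tmp/testing -k whodeletedit -p w
One event is a SYSCALL record plus CWD/PATH records sharing one
audit(time:serial) id; we regroup them and keep only successful removals.
"""
import re
from collections import defaultdict

# Assumed x86_64 (arch=c000003e) syscall numbers that remove a directory entry.
REMOVE_SYSCALLS = {"87": "unlink", "263": "unlinkat", "82": "rename",
                   "264": "renameat", "316": "renameat2"}
AUID_UNSET = "4294967295"   # auid of cron jobs/daemons: no login session

MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: three real deletions (4567, 4568, 4571), one file
# creation (4569) and one rm that was denied (4570). 4568 is "sudo rm" on an
# older kernel whose PATH records carry no nametype field.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1301576100.123:4567): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1a2b3c0 a2=0 a3=0 items=2 ppid=2201 pid=2345 auid=1001 uid=1001 gid=500 euid=1001 suid=1001 fsuid=1001 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="whodeletedit"
type=CWD msg=audit(1301576100.123:4567):  cwd="/tmp/testing"
type=PATH msg=audit(1301576100.123:4567): item=0 name="/tmp/testing" inode=131073 dev=08:02 mode=042770 ouid=0 ogid=500 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1301576100.123:4567): item=1 name="report.txt" inode=131080 dev=08:02 mode=0100664 ouid=1001 ogid=500 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1301576220.456:4568): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=22b4d10 a2=0 a3=0 items=2 ppid=2410 pid=2412 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="rm" exe="/bin/rm" key="whodeletedit"
type=CWD msg=audit(1301576220.456:4568):  cwd="/tmp/testing"
type=PATH msg=audit(1301576220.456:4568): item=0 name="/tmp/testing" inode=131073 dev=08:02 mode=042770 ouid=0 ogid=500 rdev=00:00
type=PATH msg=audit(1301576220.456:4568): item=1 name="old.log" inode=131091 dev=08:02 mode=0100664 ouid=1002 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1301576300.789:4569): arch=c000003e syscall=2 success=yes exit=3 a0=1b2c3d0 a1=241 a2=1b6 a3=0 items=2 ppid=2201 pid=2350 auid=1001 uid=1001 gid=500 euid=1001 suid=1001 fsuid=1001 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="whodeletedit"
type=CWD msg=audit(1301576300.789:4569):  cwd="/tmp/testing"
type=PATH msg=audit(1301576300.789:4569): item=0 name="/tmp/testing" inode=131073 dev=08:02 mode=042770 ouid=0 ogid=500 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1301576300.789:4569): item=1 name="notes.txt" inode=131099 dev=08:02 mode=0100664 ouid=1001 ogid=500 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1301576400.001:4570): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=1c3d4e0 a2=0 a3=0 items=1 ppid=2500 pid=2501 auid=1004 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=5 comm="rm" exe="/bin/rm" key="whodeletedit"
type=CWD msg=audit(1301576400.001:4570):  cwd="/tmp/testing"
type=PATH msg=audit(1301576400.001:4570): item=0 name="/tmp/testing" inode=131073 dev=08:02 mode=042770 ouid=0 ogid=500 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1301576500.250:4571): arch=c000003e syscall=87 success=yes exit=0 a0=7f1e2c0 a1=0 a2=0 a3=0 items=2 ppid=2600 pid=2601 auid=1003 uid=1003 gid=500 euid=1003 suid=1003 fsuid=1003 egid=500 sgid=500 fsgid=500 tty=(none) ses=6 comm="python3" exe="/usr/bin/python3" key="whodeletedit"
type=CWD msg=audit(1301576500.250:4571):  cwd="/home/carol"
type=PATH msg=audit(1301576500.250:4571): item=0 name="/tmp/testing" inode=131073 dev=08:02 mode=042770 ouid=0 ogid=500 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1301576500.250:4571): item=1 name="/tmp/testing/data.csv" inode=131120 dev=08:02 mode=0100664 ouid=1001 ogid=500 rdev=00:00 nametype=DELETE
"""


def parse_fields(body):
    """'a=1 b="x y"' -> {'a': '1', 'b': 'x y'}; quoted values lose their quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(body)}


def group_events(lines):
    """Regroup records by serial -> {'ts': ..., 'records': {type: [fields, ...]}}."""
    events, order = {}, []
    for line in lines:
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        if serial not in events:
            events[serial] = {"ts": ts, "records": defaultdict(list)}
            order.append(serial)
        events[serial]["records"][rtype].append(parse_fields(body))
    return [(s, events[s]) for s in order]


def removed_entry(paths, syscall):
    """Name of the removed entry. Newer kernels tag it nametype=DELETE; older
    ones have no nametype, so for unlink/unlinkat take the non-parent item."""
    for p in paths:
        if p.get("nametype") == "DELETE":
            return p["name"]
    if syscall in ("unlink", "unlinkat"):
        for p in paths:
            if "nametype" not in p and p.get("item") != "0":
                return p["name"]
    return None


def who_deleted(log_text, key="whodeletedit", users=None):
    """One dict per successful removal tagged with `key`, in log order."""
    users = users or {}
    hits = []
    for serial, ev in group_events(log_text.splitlines()):
        sc = ev["records"].get("SYSCALL", [{}])[0]
        if sc.get("key") != key or sc.get("success") != "yes":
            continue        # other rules, or attempts that were denied (EACCES etc.)
        if sc.get("arch") != "c000003e" or sc.get("syscall") not in REMOVE_SYSCALLS:
            continue        # writes/creates in the directory are not deletions
        name = removed_entry(ev["records"].get("PATH", []), REMOVE_SYSCALLS[sc["syscall"]])
        if name is None:
            continue
        cwd = ev["records"].get("CWD", [{}])[0].get("cwd", "")
        auid = sc.get("auid", AUID_UNSET)
        hits.append({
            "serial": serial,
            "file": name if name.startswith("/") else f"{cwd}/{name}",
            # auid is the login uid: it survives su/sudo, whereas uid then shows 0.
            "login_user": "(no login session)" if auid == AUID_UNSET else users.get(auid, auid),
            "effective_uid": sc.get("uid"),
            "exe": sc.get("exe"),
            "syscall": REMOVE_SYSCALLS[sc["syscall"]],
        })
    return hits


if __name__ == "__main__":
    # Constructed uid map; on a real host use pwd.getpwuid() or `ausearch -i`.
    for h in who_deleted(SAMPLE_LOG, users={"1001": "alice", "1002": "bob", "1003": "carol"}):
        print(f"{h['file']} removed by {h['login_user']} (uid {h['effective_uid']}) "
              f"via {h['exe']} [{h['syscall']}]")
```

Run against a real /var/log/audit/audit.log it reports three removals from the sample: alice with rm, bob via sudo (uid 0 but auid 1002), and carol from a python3 process, which is the case where dropping `-x /bin/rm` matters. PATH names containing spaces or non-printable characters are hex-encoded by auditd and are not decoded here; `ausearch -i` handles those.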

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

