  • Status: Solved
Log deleted files

I am having an issue where a file is getting deleted, and I am trying to track down the cause. It doesn't seem to be a user deleting it on purpose; it may be a script that is deleting it. I would like to log all file deletions so I can find out who and what time this file is being deleted. I am running RHEL 4.
0
rtwilde
 
ravenpl Commented:
0
 
rtwilde (Author) Commented:
ravenpl:

Thanks for the links,  but I didn't see what I'm looking for.  I tried fileschanged, but it gives me errors.  I am not looking for something I can incorporate into a program, like the 1st and last links seem to be, rather I am looking for something that can run unattended and log all file deletions from any process (or within a directory).
0
 
ravenpl Commented:
Well, it depends what You need. I downloaded and installed (on RH 4.4) http://surfnet.dl.sourceforge.net/sourceforge/fileschanged/fileschanged-0.6.5-0.i386.rpm
run: fileschanged -r -p -s deleted /tmp
on another console: touch /tmp/file1; rm /tmp/file1
the output from fileschanged was
R /tmp/file1

therefore removed file was logged. No timestamp? You can work around it. Create script and make it executable
#!/bin/sh
# print the current date, then the arguments the script was called with
echo "`date` :" "$@"

and run: fileschanged -r -p -s deleted -x /path/to/script /tmp
0
 
ravenpl Commented:
Or You simply don't know how to run it unattended?
the script:
#!/bin/sh
# append the current date and the arguments the script was called with to the log file
echo "`date` :" "$@" >> /path/to/logfile

the run command
nohup fileschanged -rps deleted -x /path/to/script /dir/to/watch &

You can put it into /etc/rc.d/rc.local so it will start automatically with the system.
0
 
rtwilde (Author) Commented:
I think I'm getting it now...

I've installed this, and it seems to work, the only question I have - is it possible to also display the username or UID of person doing the deleting?

Also, I've noticed that when monitoring a directory recursively with a large amount of files, it doesn't always show when I've deleted a file.  I'm still testing this, to see if it's something I'm doing.

Thanks.
0
 
ravenpl Commented:
> is it possible to also display the username or UID of person doing the deleting?
That's the drawback - if possible, never invented how.
I also looked into FAMEvent - seems that there is no room for that information :(
0
 
rtwilde (Author) Commented:
Hmmm, unfortunately, who deletes is important to me, but I am much further along thanks to your help.  Is there another area I could ask this question, or is this something I would have to re-write the ext3 code to do (not an option, BTW)?
0
 
ravenpl Commented:
> Hmmm, unfortunately, who deletes is important to me
I know - I faced the problem myself...
> Is there another area I could ask this question
Try making pointer question at Linux Programming area. Maybe someone... Try it.
> or is this something I would have to re-write the ext3 code to do
Rather linux VFS code. The inotify code...
0
 
rtwilde (Author) Commented:
Thank you ravenpl for your help.
0
 
winsoc Commented:
Hello ravenpl you need tripwire to do this for you.
Read the documentation and install the open source version.

Regards.

0
 
ravenpl Commented:
tripwire? I thought it's database, which is compared and updated every time it's run. Used to verify which files are changed.
How can it provide the info who changed/removed the file?
[ If You can answer this, I'll open new Q to give You points for that ]
0
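
The baseline-and-compare model described in the comment above, as an added shell example (not code from this thread and not Tripwire's own code): it reports which files disappeared between two runs, and because each record holds only a checksum and a path, there is no user and no deletion time to report. The function names and the scratch directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: detect removed files by comparing two snapshots.
# Limitation: file names containing newlines are not handled.

# snapshot DIR: print "checksum<TAB>path" for every regular file, sorted by path.
snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(cksum < "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$sum" "$f"
    done
}

# removed_files OLD NEW: paths recorded in snapshot OLD that are absent from NEW.
# Only the path column is compared; a snapshot has no field for who or when.
removed_files() {
    old_paths=$(mktemp)
    new_paths=$(mktemp)
    cut -f2- "$1" > "$old_paths"
    cut -f2- "$2" > "$new_paths"
    LC_ALL=C comm -23 "$old_paths" "$new_paths"
    rm -f "$old_paths" "$new_paths"
}

# demo: constructed scratch directory; baseline it, delete one file, compare.
demo() {
    d=$(mktemp -d)
    echo one > "$d/file1"
    echo two > "$d/file2"
    snapshot "$d" > "$d.before"
    rm "$d/file1"
    snapshot "$d" > "$d.after"
    # strip the scratch directory prefix so the output is just the file name
    removed_files "$d.before" "$d.after" | sed "s|^$d/||"
    rm -rf "$d" "$d.before" "$d.after"
}

# Run "sh thisfile --demo" to see the constructed case; it prints: file1
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```
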
 
rtwilde (Author) Commented:
If tripwire can tell me who deleted something, that would be exactly what I need, but a bit of help with it would be appreciated.
0
