From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Brian LaMere <brianl@clinicomp.com>
Subject: Re: log deletion of directories?
Date: Sat, 6 Sep 2008 18:37:35 -0400	[thread overview]
Message-ID: <200809061837.35772.sgrubb@redhat.com> (raw)
In-Reply-To: <1220657664.8619.13.camel@orpheus.clinicomp.com>

On Friday 05 September 2008 19:34:24 Brian LaMere wrote:
> Trying to find what is deleting a directory (/tmp/xauth).  Thought I'd
> start with the basics, and just putting a watch on it.
>
> [bel@comsup]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k
> missingfiles

This rule translates to:

auditctl -a always,exit -F dir=/testdir/checkdir -F perm=rwxa -k missingfiles

This watches any *files* in the /testdir/checkdir directory and its
subdirectories. To check the directory itself, you need to use the "path" 
field to point at the directory and not the files it contains.

[root ~]# mkdir temp
[root ~]# auditctl -a exit,always -F path=/root/temp -F perm=wa -k rm
[root ~]# rmdir temp/
[root ~]# ausearch --start recent -k rm
time->Sat Sep  6 18:30:10 2008
node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=1 name="temp/" 
inode=13664599 dev=08:08 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=unconfined_u:object_r:user_home_t:s0 
node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=0  name="/root" 
inode=13664257 dev=08:08 mode=040750 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:user_home_dir_t:s0 
node=127.0.0.1 type=CWD msg=audit(1220740210.750:906):  cwd="/root" 
node=127.0.0.1 type=SYSCALL msg=audit(1220740210.750:906): arch=c000003e 
syscall=84 success=yes exit=0 a0=7fff777e189e a1=2 a2=3960b66114 
a3=3960b67a70 items=2 ppid=3621 pid=3940 auid=4325 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="rmdir" exe="/bin/rmdir" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="rm" 


-Steve
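As an added example (not part of Steve's reply or the audit project), this Python script parses ausearch-style records like those above and reports each successful rmdir that hit the key "rm". The sample log is constructed from the records in the post; the assumptions are x86_64 (arch=c000003e, syscall 84 = rmdir) and that the PATH record with item=1 names the removed entry, as it does in that output.

```python
import posixpath
import re

# Constructed sample, built from the ausearch output in the post (one rmdir event).
SAMPLE_LOG = (
    'node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=1 name="temp/" '
    'inode=13664599 dev=08:08 mode=040755 ouid=0 ogid=0 rdev=00:00 '
    'obj=unconfined_u:object_r:user_home_t:s0\n'
    'node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=0 name="/root" '
    'inode=13664257 dev=08:08 mode=040750 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:user_home_dir_t:s0\n'
    'node=127.0.0.1 type=CWD msg=audit(1220740210.750:906): cwd="/root"\n'
    'node=127.0.0.1 type=SYSCALL msg=audit(1220740210.750:906): arch=c000003e '
    'syscall=84 success=yes exit=0 a0=7fff777e189e a1=2 a2=3960b66114 '
    'a3=3960b67a70 items=2 ppid=3621 pid=3940 auid=4325 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="rmdir" exe="/bin/rmdir" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="rm"\n'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')   # timestamp and event serial
RMDIR_X86_64 = ("c000003e", "84")                       # arch / syscall as in the post


def parse_events(text):
    """Group raw records by event serial: {serial: {"ts": str, "records": [dict]}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events.setdefault(m.group(2), {"ts": m.group(1), "records": []})["records"].append(fields)
    return events


def directory_removals(text, key="rm"):
    """Return (timestamp, removed_dir, comm, auid) for each successful rmdir tagged with key."""
    hits = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        recs = ev["records"]
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sc or (sc.get("arch"), sc.get("syscall")) != RMDIR_X86_64:
            continue
        if sc.get("success") != "yes" or sc.get("key") != key:
            continue
        cwd = next((r["cwd"] for r in recs if r.get("type") == "CWD"), "/")
        # Assumption from the post's output: item=0 is the parent, item=1 the removed entry.
        name = next((r["name"] for r in recs if r.get("type") == "PATH" and r.get("item") == "1"), "?")
        full = name if name.startswith("/") else posixpath.join(cwd, name)
        hits.append((ev["ts"], full.rstrip("/"), sc.get("comm"), sc.get("auid")))
    return hits


if __name__ == "__main__":
    for ts, path, comm, auid in directory_removals(SAMPLE_LOG):
        print(f"{ts}: {path} removed by {comm} (auid={auid})")
```

Feed it real output with `ausearch --start recent -k rm | python3 this_script.py`-style piping only after swapping SAMPLE_LOG for stdin; the record parsing is the same.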
