From mboxrd@z Thu Jan 1 00:00:00 1970
From: Brian LaMere
Subject: log deletion of directories?
Date: Fri, 05 Sep 2008 16:34:24 -0700
Message-ID: <1220657664.8619.13.camel@orpheus.clinicomp.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Trying to find what is deleting a directory (/tmp/xauth). Thought I'd start with the basics, and just put a watch on it.

[bel@comsup]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k missingfiles
[bel@comsup]:/etc/audit > auditctl -l|grep missing
LIST_RULES: exit,always dir=/testdir/checkdir (0x11) perm=rwxa key=missingfiles
[bel@comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel@comsup]:/etc/audit > rmdir /testdir/checkdir
[bel@comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel@comsup]:/etc/audit > auditctl -w /testdir/checkfile -p wrxa -k missingfiles
[bel@comsup]:/etc/audit > rm /testdir/checkfile
[bel@comsup]:/etc/audit > ausearch -k missingfiles
----
(lots of text here)

Any suggestions on how to get it to do for a directory what it's doing for the file? I don't want to watch /tmp for adds/removes obviously; that would be silly. It is indeed a *directory* (regardless whether the directory contents show up) that I want to watch.

Thanks,
Brian LaMere
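The transcript above shows no record at all for the rmdir, and once a rule does emit one, the deletion still has to be picked out of the SYSCALL/PATH records ausearch returns. The script below is an added example, not part of Brian's message or of the audit tools: it groups records by audit serial and reports successful keyed rmdir/unlink/unlinkat calls whose target PATH item carries a directory mode (04xxxx). The log records are constructed, the syscall numbers assume x86_64, and the key name follows the post.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's on-disk format (not taken from the post).
# Serial 101 removes a directory, serial 102 removes a regular file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1220657664.101:101): arch=c000003e syscall=84 success=yes exit=0 a0=7fff1 a1=0 a2=0 a3=0 items=2 ppid=8600 pid=8619 auid=500 uid=500 gid=500 comm="rmdir" exe="/bin/rmdir" key="missingfiles"
type=CWD msg=audit(1220657664.101:101): cwd="/etc/audit"
type=PATH msg=audit(1220657664.101:101): item=0 name="/testdir/" inode=130 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1220657664.101:101): item=1 name="/testdir/checkdir" inode=131 dev=08:01 mode=040755 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1220657664.102:102): arch=c000003e syscall=87 success=yes exit=0 a0=7fff2 a1=0 a2=0 a3=0 items=2 ppid=8600 pid=8620 auid=500 uid=500 gid=500 comm="rm" exe="/bin/rm" key="missingfiles"
type=PATH msg=audit(1220657664.102:102): item=0 name="/testdir/" inode=130 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1220657664.102:102): item=1 name="/testdir/checkfile" inode=132 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DELETE_SYSCALLS = {"84": "rmdir", "87": "unlink", "263": "unlinkat"}  # x86_64 numbers (assumption)

def parse_records(text):
    """Group records by serial: {serial: {"SYSCALL": fields, "CWD": fields, "PATH": [fields, ...]}}."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record line
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["timestamp"] = ts
        if rtype == "PATH":
            events[serial]["PATH"].append(fields)
        else:
            events[serial][rtype] = fields
    return events

def directory_deletions(text, key="missingfiles"):
    """Return (timestamp, path, comm, auid) for each keyed, successful syscall that removed a directory.
    The removed object is the highest-numbered PATH item; a mode beginning 04 is S_IFDIR."""
    hits = []
    for serial, ev in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL")
        if not sc or sc.get("key") != key or sc.get("success") != "yes":
            continue
        if sc.get("syscall") not in DELETE_SYSCALLS:
            continue
        target = max(ev["PATH"], key=lambda p: int(p["item"]), default=None)
        if target and target["mode"].startswith("04"):
            hits.append((sc["timestamp"], target["name"], sc["comm"], sc["auid"]))
    return hits
```

Feed it the raw lines from `ausearch -k missingfiles --raw` (or the log file itself) instead of SAMPLE_LOG to run it against real output.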