From: Brian LaMere
Subject: log deletion of directories?
Date: Fri, 05 Sep 2008 16:34:24 -0700
To: linux-audit@redhat.com

Trying to find what is deleting a directory (/tmp/xauth). Thought I'd start with the basics, and just putting a watch on it.

[bel@comsup]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k missingfiles
[bel@comsup]:/etc/audit > auditctl -l|grep missing
LIST_RULES: exit,always dir=/testdir/checkdir (0x11) perm=rwxa key=missingfiles
[bel@comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel@comsup]:/etc/audit > rmdir /testdir/checkdir
[bel@comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel@comsup]:/etc/audit > auditctl -w /testdir/checkfile -p wrxa -k missingfiles
[bel@comsup]:/etc/audit > rm /testdir/checkfile
[bel@comsup]:/etc/audit > ausearch -k missingfiles
----
(lots of text here)

Any suggestions on how to get it to do for a directory what it's doing for the file?  I don't want to watch /tmp for adds/removes obviously; that would be silly.  It is indeed a *directory* (regardless whether the directory contents show up) that I want to watch.

Thanks,
Brian LaMere

From: Steve Grubb
Subject: Re: log deletion of directories?
Date: Sat, 6 Sep 2008 18:37:35 -0400
To: linux-audit@redhat.com
Cc: Brian LaMere

On Friday 05 September 2008 19:34:24 Brian LaMere wrote:
> Trying to find what is deleting a directory (/tmp/xauth). Thought I'd
> start with the basics, and just putting a watch on it.
>
> [bel@comsup]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k
> missingfiles

This rule translates to:

auditctl -a always,exit -F dir=/testdir/checkdir -F perm=rwxa -k missingfiles

This watches any *files* in the /testdir/checkdir directory and its subdirectories. To check the directory itself, you need to use the "path" field to point at the directory and not the files it contains.
[root ~]# mkdir temp
[root ~]# auditctl -a exit,always -F path=/root/temp -F perm=wa -k rm
[root ~]# rmdir temp/
[root ~]# ausearch --start recent -k rm
time->Sat Sep 6 18:30:10 2008
node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=1 name="temp/" inode=13664599 dev=08:08 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=0 name="/root" inode=13664257 dev=08:08 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_home_dir_t:s0
node=127.0.0.1 type=CWD msg=audit(1220740210.750:906): cwd="/root"
node=127.0.0.1 type=SYSCALL msg=audit(1220740210.750:906): arch=c000003e syscall=84 success=yes exit=0 a0=7fff777e189e a1=2 a2=3960b66114 a3=3960b67a70 items=2 ppid=3621 pid=3940 auid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="rmdir" exe="/bin/rmdir" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="rm"

-Steve
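As an added example (not code from this thread or from the audit project), the script below shows what to do with the output Steve's `-F path=` rule produces: it groups the raw records into one event by the serial in `msg=audit(...:906)`, resolves the `PATH` name against the `CWD` record to get the absolute path that was removed, decodes the syscall number for x86_64 (`arch=c000003e`), and reports `auid` (the login uid) separately from `uid`, since `uid=0` alone does not say which person ran `rmdir`. The four records are copied from the reply above and embedded as constructed sample input; the function names and the small syscall-number table are this example's own assumptions.

```python
"""Group audit records by serial and attribute a directory removal.

Added example for the linux-audit thread above; not list or project code.
"""
import os
import re
from collections import defaultdict

# Constructed sample: the records Steve Grubb's reply shows for `rmdir temp/`
# under `auditctl -a exit,always -F path=/root/temp -F perm=wa -k rm`.
SAMPLE_AUSEARCH_OUTPUT = """\
time->Sat Sep 6 18:30:10 2008
node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=1 name="temp/" inode=13664599 dev=08:08 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
node=127.0.0.1 type=PATH msg=audit(1220740210.750:906): item=0 name="/root" inode=13664257 dev=08:08 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_home_dir_t:s0
node=127.0.0.1 type=CWD msg=audit(1220740210.750:906): cwd="/root"
node=127.0.0.1 type=SYSCALL msg=audit(1220740210.750:906): arch=c000003e syscall=84 success=yes exit=0 a0=7fff777e189e a1=2 a2=3960b66114 a3=3960b67a70 items=2 ppid=3621 pid=3940 auid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="rmdir" exe="/bin/rmdir" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="rm"
"""

# Every kernel audit record carries msg=audit(<epoch>.<ms>:<serial>); all
# records of one event (SYSCALL, CWD, PATH, ...) share the same serial.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 (arch=c000003e) syscall numbers that remove a directory entry.
# Assumed table for this example: 84 rmdir, 87 unlink, 263 unlinkat.
X86_64_REMOVAL_SYSCALLS = {84: "rmdir", 87: "unlink", 263: "unlinkat"}


def parse_record(line):
    """Return the key=value fields of one record plus serial/time, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None  # ausearch's "time->" banner and "----" separators
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"] = float(m.group(1))
    fields["serial"] = int(m.group(2))
    return fields


def group_by_serial(text):
    """Collect the records of an ausearch dump into events keyed by serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def resolve_path(name, cwd):
    """PATH names are as the process passed them; make relative ones absolute."""
    if not name.startswith("/") and cwd:
        name = os.path.join(cwd, name)
    return os.path.normpath(name)


def summarize_removal(records):
    """Attribute one event: what was removed, by which process and login uid.

    Returns None when the event is not an x86_64 removal syscall.
    """
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None or syscall.get("arch") != "c000003e":
        return None
    nr = int(syscall.get("syscall", -1))
    if nr not in X86_64_REMOVAL_SYSCALLS:
        return None
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), None)
    # PATH items in item order: item 0 is the parent directory, the last
    # item is the entry that was removed.
    paths = sorted((r for r in records if r["type"] == "PATH"),
                   key=lambda r: int(r["item"]))
    return {
        "serial": syscall["serial"],
        "syscall": X86_64_REMOVAL_SYSCALLS[nr],
        "success": syscall.get("success") == "yes",
        "target": resolve_path(paths[-1]["name"], cwd) if paths else None,
        "parent": resolve_path(paths[0]["name"], cwd) if paths else None,
        # auid is the login uid; it survives su/sudo, so it names the person
        # even though uid/euid are 0 in this event.
        "auid": int(syscall["auid"]),
        "uid": int(syscall["uid"]),
        "pid": int(syscall["pid"]),
        "ppid": int(syscall["ppid"]),
        "comm": syscall.get("comm"),
        "exe": syscall.get("exe"),
        "tty": syscall.get("tty"),
        "key": syscall.get("key"),
    }


def removals_for_key(text, key):
    """All removal events tagged with the given rule key, oldest serial first."""
    events = group_by_serial(text)
    out = []
    for serial in sorted(events):
        summary = summarize_removal(events[serial])
        if summary and summary["key"] == key:
            out.append(summary)
    return out


if __name__ == "__main__":
    for s in removals_for_key(SAMPLE_AUSEARCH_OUTPUT, "rm"):
        print(f"{s['target']} removed via {s['syscall']} by auid={s['auid']} "
              f"(uid={s['uid']}) comm={s['comm']} exe={s['exe']} "
              f"pid={s['pid']} tty={s['tty']}")
```

Feed it `ausearch -k <key>` output (or raw `/var/log/audit/audit.log` lines) instead of the embedded sample; grouping by serial is what makes the `PATH` name and the `SYSCALL` actor line up when events from several processes are interleaved in the log.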