Audit delete commands in Linux

(This article is the essence of a post from this Redhat Archive and it goes as follows:

Problem: You need to detect what deletes files on your Linux

Solution: Using auditd, with the right flags, you could get a lot of information.

In Practice:

  • If the mount point/directory is /oracle, then:
  • (as root:) auditctl –w /oracle -k whodeletedit -p w
    (Explanation: Monitor the directory /oracle, and log everything under the label “whodeleteit”. Monitor write operations)
  • To see, later, who deleted files, run (as root): ausearch -i -k whodeletedit -x /bin/rm
  • You would want to stop the logging as soon as you found the culprit, by running (as root):  auditctl –W /oracle -k whodeletedit -p w

I hope it helps you just as it helps me.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.