Posts Tagged ‘delete’

Audit delete commands in Linux

Sunday, October 22nd, 2017

(This article is the essence of a post from this Redhat Archive and it goes as follows:

Problem: You need to detect what deletes files on your Linux

Solution: Using auditd, with the right flags, you could get a lot of information.

In Practice:

  • If the mount point/directory is /oracle, then:
  • (as root:) auditctl –w /oracle -k whodeletedit -p w
    (Explanation: Monitor the directory /oracle, and log everything under the label “whodeleteit”. Monitor write operations)
  • To see, later, who deleted files, run (as root): ausearch -i -k whodeletedit -x /bin/rm
  • You would want to stop the logging as soon as you found the culprit, by running (as root):  auditctl –W /oracle -k whodeletedit -p w

I hope it helps you just as it helps me.

Quick and dirty delete old files, with exclude list and support for filenames with spaces

Sunday, June 18th, 2006

Here’s a little script I’ve written which deletes older than AGE days files, and has an exclude list, just in case. It’s meant to be run by cron on a daily basis:

#!/bin/sh

# Source of all evil
DIR=/ftp
# Age of file in days
AGE=10
# Exclude list – Use pipe (|) seperated values. Example:
# EXCLUDE=”me|tal” for excluding both “me” and both “tal”. Use the longest
# possible expression, for accurate match. For example:
# EXCLUDE=”/ftp/me|/ftp/tal”. Below is the default minimal exclude list.
EXCLUDE=”lost+found|incoming”

echo -n ” > /tmp/del-list.txt

find $DIR/*/* -mtime +$AGE -print | grep -vE “$EXCLUDE” | tr ‘n’ “”n”” >> /tmp/del-list.txt

for i in `cat /tmp/del-list.txt` ; do
echo $i >> /var/log/del-ftp.log
done

cat /tmp/del-list.txt | xargs rm -Rf

rm /tmp/del-list.txt

It seems to work. So far, I have delete 2nd level directories when old enough (10 days by default), and I can handle files with spaces in their names (scheduled delete of filenames with spaces – for the sake of those searching for a solution. At least, I’ve used this expression and didn’t find a solution online).