[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

log deletion of directories?



Trying to find what is deleting a directory (/tmp/xauth).  Thought I'd start with the basics, and just putting a watch on it.

[bel comsup]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k missingfiles
[bel comsup]:/etc/audit > auditctl -l|grep missing
LIST_RULES: exit,always dir=/testdir/checkdir (0x11) perm=rwxa key=missingfiles
[bel comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel comsup]:/etc/audit > rmdir /testdir/checkdir
[bel comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel comsup]:/etc/audit > auditctl -w /testdir/checkfile -p wrxa -k missingfiles
[bel comsup]:/etc/audit > rm /testdir/checkfile
[bel comsup]:/etc/audit > ausearch -k missingfiles
----
(lots of text here)

Any suggestions on how to get it to do for a directory what it's doing for the file?  I don't want to watch /tmp for adds/removes obviously; that would be silly.  It is indeed a *directory* (regardless whether the directory contents show up) that I want to watch.

Thanks,
Brian LaMere
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]