log deletion of directories?

Brian LaMere brianl at clinicomp.com
Fri Sep 5 23:34:24 UTC 2008


Trying to find what is deleting a directory (/tmp/xauth).  Thought I'd
start with the basics, and just put a watch on it.

[bel at comsup]:/etc/audit > auditctl -w /testdir/checkdir -p rwxa -k missingfiles
[bel at comsup]:/etc/audit > auditctl -l|grep missing
LIST_RULES: exit,always dir=/testdir/checkdir (0x11) perm=rwxa key=missingfiles
[bel at comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel at comsup]:/etc/audit > rmdir /testdir/checkdir 
[bel at comsup]:/etc/audit > ausearch -k missingfiles
<no matches>
[bel at comsup]:/etc/audit > auditctl -w /testdir/checkfile -p wrxa -k missingfiles
[bel at comsup]:/etc/audit > rm /testdir/checkfile
[bel at comsup]:/etc/audit > ausearch -k missingfiles
----
(lots of text here)

Any suggestions on how to get it to do for a directory what it's doing
for the file?  I don't want to watch /tmp for adds/removes obviously;
that would be silly.  It is indeed a *directory* (regardless of whether the
directory contents show up) that I want to watch.

Thanks,
Brian LaMere