• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Geek Diary

CONCEPTS | BASICS | HOWTO

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • Linux Services
    • VCS
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
    • Data Guard
  • DevOps
    • Docker
    • Shell Scripting
  • Interview Questions
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How To Identify User Deleting Files From A Given Directory in Linux

By admin

Question

How to find which user is deleting the files under a particular directory on Linux?

Solution

You can use the auditd service to record a notice when any change is made to a particular file or directory. Below is an example which will record any change made to any file under the /tmp/dir directory.

1. Run the below command to add the audit rule:

# auditctl -a always,exit -F dir=/tmp/dir/ -F perm=war -k file_del

Verify the configured audit rules:

# auditctl -l
-w /tmp/dir// -p rwa -k file_del

2. Delete a file under /tmp/dir/ directory and then check audit.log file:

$ date > /tmp/dir/when
$ rm /tmp/dir/when

3. You can check the audit.log by tailing it:

# tail -f /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1515697690.586:2237): arch=c000003e syscall=2 success=yes exit=3 a0=251a9f0 a1=90800 a2=251a9c0 a3=a items=1 ppid=12424 pid=12425 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="bash" exe="/bin/bash" key="file_del"
type=CWD msg=audit(1515697690.586:2237): cwd="/home/test"
type=PATH msg=audit(1515697690.586:2237): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1515697690.586:2237): proctitle="-bash"
type=SYSCALL msg=audit(1515697690.861:2238): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=f2f0c0 a2=0 a3=100 items=2 ppid=12425 pid=12519 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="rm" exe="/bin/rm" key="file_del"
type=CWD msg=audit(1515697690.861:2238): cwd="/home/test"
type=PATH msg=audit(1515697690.861:2238): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1515697690.861:2238): item=1 name="/tmp/dir/when" inode=913056 dev=f9:00 mode=0100664 ouid=501 ogid=501 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1515697690.861:2238): proctitle=726D002F746D702F6469722F31

4. Alternatively, the log file can be searched using the ausearch tool:

# ausearch -k file_del
----
time->Thu Jan 11 19:08:10 2018
type=PROCTITLE msg=audit(1515697690.586:2237): proctitle="-bash"
type=PATH msg=audit(1515697690.586:2237): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1515697690.586:2237): cwd="/home/test"
type=SYSCALL msg=audit(1515697690.586:2237): arch=c000003e syscall=2 success=yes exit=3 a0=251a9f0 a1=90800 a2=251a9c0 a3=a items=1 ppid=12424 pid=12425 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="bash" exe="/bin/bash" key="file_del"
----
time->Thu Jan 11 19:08:10 2018
type=PROCTITLE msg=audit(1515697690.861:2238): proctitle=726D002F746D702F6469722F31
type=PATH msg=audit(1515697690.861:2238): item=1 name="/tmp/dir/when" inode=913056 dev=f9:00 mode=0100664 ouid=501 ogid=501 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1515697690.861:2238): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1515697690.861:2238): cwd="/home/test"
type=SYSCALL msg=audit(1515697690.861:2238): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=f2f0c0 a2=0 a3=100 items=2 ppid=12425 pid=12519 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="rm" exe="/bin/rm" key="file_del"
Note: This auditing system cannot prevent an undesired access. Only an audit trail entry can be made.
Auditing for Modifications to and Execution of Files in Linux

Filed Under: Linux

Some more articles you might also be interested in …

  1. CentOS / RHEL 7 : How to follow the mount order in /etc/fstab
  2. Understanding /etc/group file
  3. How to create and mount Btrfs file system (explained with examples)
  4. “btrfs” command examples to Create and Manage Btrfs File System
  5. Why Does “/var/log/messages” Report Martian Packets
  6. CentOS / RHEL : How to find if a network port is open or not?
  7. How to Configure Device File owner/group with udev rules
  8. Linux / UNIX : How to create primary partition using fdisk
  9. CentOS / RHEL 5 : How to configure Interface bonding (NIC teaming)
  10. How to disable Ctrl+Alt+Del causing system reboot in CentOS/RHEL 6

You May Also Like

Primary Sidebar

Recent Posts

  • How to set the default character set in MySQL and how to propagate it in a master-master replication scenario
  • “Connection reset by peer” – error while ssh into a CentOS/RHEL system with a specific user only
  • MySQL: how to figure out which session holds which table level or global read locks
  • Recommended Configuration of the MySQL Performance Schema
  • Archives
  • Contact Us
  • Copyright

© 2021 · The Geek Diary