• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How To Identify User Deleting Files From A Given Directory in Linux

by admin

Question

How to find which user is deleting the files under a particular directory on Linux?

Solution

You can use the auditd service to record a notice when any change is made to a particular file or directory. Below is an example which will record any change made to any file under the /tmp/dir directory.

1. Run the below command to add the audit rule:

# auditctl -a always,exit -F dir=/tmp/dir/ -F perm=war -k file_del

Verify the configured audit rules:

# auditctl -l
-w /tmp/dir// -p rwa -k file_del

2. Delete a file under /tmp/dir/ directory and then check audit.log file:

$ date > /tmp/dir/when
$ rm /tmp/dir/when

3. You can check the audit.log by tailing it:

# tail -f /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1515697690.586:2237): arch=c000003e syscall=2 success=yes exit=3 a0=251a9f0 a1=90800 a2=251a9c0 a3=a items=1 ppid=12424 pid=12425 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="bash" exe="/bin/bash" key="file_del"
type=CWD msg=audit(1515697690.586:2237): cwd="/home/test"
type=PATH msg=audit(1515697690.586:2237): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1515697690.586:2237): proctitle="-bash"
type=SYSCALL msg=audit(1515697690.861:2238): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=f2f0c0 a2=0 a3=100 items=2 ppid=12425 pid=12519 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="rm" exe="/bin/rm" key="file_del"
type=CWD msg=audit(1515697690.861:2238): cwd="/home/test"
type=PATH msg=audit(1515697690.861:2238): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1515697690.861:2238): item=1 name="/tmp/dir/when" inode=913056 dev=f9:00 mode=0100664 ouid=501 ogid=501 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1515697690.861:2238): proctitle=726D002F746D702F6469722F31

4. Alternatively, the log file can be searched using the ausearch tool:

# ausearch -k file_del
----
time->Thu Jan 11 19:08:10 2018
type=PROCTITLE msg=audit(1515697690.586:2237): proctitle="-bash"
type=PATH msg=audit(1515697690.586:2237): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1515697690.586:2237): cwd="/home/test"
type=SYSCALL msg=audit(1515697690.586:2237): arch=c000003e syscall=2 success=yes exit=3 a0=251a9f0 a1=90800 a2=251a9c0 a3=a items=1 ppid=12424 pid=12425 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="bash" exe="/bin/bash" key="file_del"
----
time->Thu Jan 11 19:08:10 2018
type=PROCTITLE msg=audit(1515697690.861:2238): proctitle=726D002F746D702F6469722F31
type=PATH msg=audit(1515697690.861:2238): item=1 name="/tmp/dir/when" inode=913056 dev=f9:00 mode=0100664 ouid=501 ogid=501 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1515697690.861:2238): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1515697690.861:2238): cwd="/home/test"
type=SYSCALL msg=audit(1515697690.861:2238): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=f2f0c0 a2=0 a3=100 items=2 ppid=12425 pid=12519 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="rm" exe="/bin/rm" key="file_del"
Note: This auditing system cannot prevent an undesired access. Only an audit trail entry can be made.
Auditing for Modifications to and Execution of Files in Linux

Filed Under: Linux

Some more articles you might also be interested in …

  1. Linux OS Service ‘network’
  2. How to scan newly Assigned LUNs in Multipathd under CentOS / RHEL
  3. How to Make User Account Read-Only in CentOS/RHEL 7
  4. How to Schedule Jobs with ‘at’ command under Linux
  5. RPM command examples to query, install, remove and upgrade packages
  6. How to Install the pip Package in CentOS/RHEL 7 and 8
  7. Basic “chmod” Command examples in Linux
  8. How to Run a Script When USB Devices Is Attached or Removed Using UDEV
  9. Introduction to sed (Stream Editor) : Useful sed Command Examples
  10. CentOS / RHEL : iptables troubleshooting guide

You May Also Like

Primary Sidebar

Recent Posts

  • vgextend Command Examples in Linux
  • setpci command – configure PCI device
  • db_load command – generate db database
  • bsdtar command – Read and write tape archive files

© 2022 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright