Question
How to find which user is deleting the files under a particular directory on Linux?
Solution
You can use the auditd service to record a notice when any change is made to a particular file or directory. Below is an example which will record any change made to any file under the /tmp/dir directory.
1. Run the below command to add the audit rule:
# auditctl -a always,exit -F dir=/tmp/dir/ -F perm=war -k file_del
Verify the configured audit rules:
# auditctl -l -w /tmp/dir// -p rwa -k file_del
2. Delete a file under /tmp/dir/ directory and then check audit.log file:
$ date > /tmp/dir/when $ rm /tmp/dir/when
3. You can check the audit.log by tailing it:
# tail -f /var/log/audit/audit.log ... type=SYSCALL msg=audit(1515697690.586:2237): arch=c000003e syscall=2 success=yes exit=3 a0=251a9f0 a1=90800 a2=251a9c0 a3=a items=1 ppid=12424 pid=12425 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="bash" exe="/bin/bash" key="file_del" type=CWD msg=audit(1515697690.586:2237): cwd="/home/test" type=PATH msg=audit(1515697690.586:2237): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PROCTITLE msg=audit(1515697690.586:2237): proctitle="-bash" type=SYSCALL msg=audit(1515697690.861:2238): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=f2f0c0 a2=0 a3=100 items=2 ppid=12425 pid=12519 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="rm" exe="/bin/rm" key="file_del" type=CWD msg=audit(1515697690.861:2238): cwd="/home/test" type=PATH msg=audit(1515697690.861:2238): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT type=PATH msg=audit(1515697690.861:2238): item=1 name="/tmp/dir/when" inode=913056 dev=f9:00 mode=0100664 ouid=501 ogid=501 rdev=00:00 nametype=DELETE type=PROCTITLE msg=audit(1515697690.861:2238): proctitle=726D002F746D702F6469722F31
4. Alternatively, the log file can be searched using the ausearch tool:
# ausearch -k file_del ---- time->Thu Jan 11 19:08:10 2018 type=PROCTITLE msg=audit(1515697690.586:2237): proctitle="-bash" type=PATH msg=audit(1515697690.586:2237): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=CWD msg=audit(1515697690.586:2237): cwd="/home/test" type=SYSCALL msg=audit(1515697690.586:2237): arch=c000003e syscall=2 success=yes exit=3 a0=251a9f0 a1=90800 a2=251a9c0 a3=a items=1 ppid=12424 pid=12425 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="bash" exe="/bin/bash" key="file_del" ---- time->Thu Jan 11 19:08:10 2018 type=PROCTITLE msg=audit(1515697690.861:2238): proctitle=726D002F746D702F6469722F31 type=PATH msg=audit(1515697690.861:2238): item=1 name="/tmp/dir/when" inode=913056 dev=f9:00 mode=0100664 ouid=501 ogid=501 rdev=00:00 nametype=DELETE type=PATH msg=audit(1515697690.861:2238): item=0 name="/tmp/dir/" inode=912888 dev=f9:00 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT type=CWD msg=audit(1515697690.861:2238): cwd="/home/test" type=SYSCALL msg=audit(1515697690.861:2238): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=f2f0c0 a2=0 a3=100 items=2 ppid=12425 pid=12519 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=332 comm="rm" exe="/bin/rm" key="file_del"
Note: This auditing system cannot prevent an undesired access. Only an audit trail entry can be made.