Friday, November 12, 2010

How to track in Linux which files have been deleted and by who ?

This is a hack you can use to control file deletion and know exactly who deleted a file.

The trick is to add into the /etc/profile file this script:

 rm () { echo `id` deleted the file $1 at `date` >> /tmp/.log; /bin/rm $1; }

The log file will show you this:

uid=500(walter) gid=500(walter) groups=500(walter) deleted the file test at Mon Nov 26 10:31:16 ART 2007 



To print also the hostname where the deletion has come from:

$ rm() { i=`tty | cut -d / -f 3,4`;host=`w | grep $i | awk '{print $3}'`;echo -e `id` deleted the file $1 at `date` comming from "$host\n" >> /tmp/.log;/bin/rm "$@";}


The output would be:


uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),503(devel) deleted the file at Tue Nov 27 15:09:14 ART 2007 comming from serverlinux.blogspot.com


The problem of this solution is that if the user is some curious, he could know about this "set" variable, and:

* Unset the variable
* Execute the binary calling it directly

So, if you need the best way, you will have to write a little C script that replaces the original "rm" binary and rename the original "rm" binary to "rm.orig". Now, the "rm" binary should log the deletion of the file and then execute the "rm.orig", obviously, changing the process name to "rm", so the user do not suspects.

    

1 comment:

  1. good tracking utility...
    can u tell how to track if files deleted by script...

    ReplyDelete