See which user is deleting files
Polytropon
freebsd at edvax.de
Mon Feb 9 20:02:43 UTC 2015
On Mon, 9 Feb 2015 14:55:59 -0500, Jeremy Gransden wrote:
> Is there a way to log when files get deleted and by whom?
A possible approach would be to make /bin/rm a script
that logs the required information. Or, on a per-user
or global basis, an alias (but this depends on the
shell heavily). The idea with the script sounds a little
better because it would already get the evaluated shell
arguments, and all programs (!) that call /bin/rm would
be "affected". Of course, if a program doesn't use /bin/rm,
but instead calls unlink(), it doesn't work anymore.
THis will probably be true for most UI-based programs
(for example deleting from X file managers, or even
with Midnight Commander's PF8).
It's probably a better idea to use a file alteration
monitor to track when files disappear. However, I don't
know if those tools around have the ability to determine
_who_ deleted files...
Maybe there are accounting tools that track I/O activity
in a way that they can capture the creation of files in
the same way as their removal?
--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
More information about the freebsd-questions
mailing list