Myles McDonnell

Reputation: 13335

Monitor/audit file delete on Linux

One of the .beam files of one of my application deps is being deleted and I am not sure by what/how.

Is there a way to monitor or audit a file to see what happens when it is deleted?

I'm using RedHat distro.

Upvotes: 8

Views: 13756

Answers (2)

Wasi

Reputation: 11

You can monitor your Linux file system using aide. AIDE means Intrusion Detection Software to Monitor Changes. Steps:

  1. Install AIDE: # yum install aide -y
  2. Configure AIDE: PERMS=p+i+u+g+acl+selinux
  3. Initialize the AIDE database: # aide --init
  4. Check the file system changes: # aide --check

To get more details you can visit the link below, http://topicsfeedback.com/linux-system-monitoring-tools/, or you may download the best Android apps about advance Linux on your phone to get instant access: https://play.google.com/store/apps/details?id=com.topicsfeedback.advancelinux

Upvotes: 0

Pete Cornell

Reputation: 235

Yes, you can use the audit daemon. You didn't say which Linux distro. Red Hat based systems contain auditd, and you can use auditctl to add rules.

To watch a directory recursively for changes:

auditctl -w /usr/local/someapp/ -p wa

To watch system calls made by a program with pid of 2021:

auditctl -a exit,always -S all -F pid=2021

Check the man page for auditctl.

Results will be logged to /var/log/audit/audit.log

To ensure it's running:

/etc/init.d/auditd status

For a more thorough approach, you could use tripwire or OSSEC, but they're geared more toward intrusion detection.

Upvotes: 9
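
An added example, not part of the answer above: once a directory watch is in place, this sketch groups the records in /var/log/audit/audit.log by event and reports which executable, pid and login uid (auid) deleted a .beam file. The sample records are constructed and trimmed to the fields used, and the code assumes the raw log format in which PATH records carry a nametype field; find_deletions and decode are hypothetical helper names.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records in raw audit.log format (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4521): arch=c000003e syscall=263 success=yes pid=1234 auid=1000 comm="rm" exe="/usr/bin/rm" key=(null)
type=CWD msg=audit(1700000000.123:4521): cwd="/usr/local/someapp"
type=PATH msg=audit(1700000000.123:4521): item=1 name="ebin/foo.beam" nametype=DELETE
type=SYSCALL msg=audit(1700000005.456:4522): arch=c000003e syscall=87 success=yes pid=2021 auid=4294967295 comm="rsync" exe="/usr/bin/rsync" key=(null)
type=CWD msg=audit(1700000005.456:4522): cwd="/usr/local/someapp"
type=PATH msg=audit(1700000005.456:4522): item=1 name=6562696E2F6120622E6265616D nametype=DELETE
type=SYSCALL msg=audit(1700000009.789:4523): arch=c000003e syscall=257 success=yes pid=2021 auid=4294967295 comm="rsync" exe="/usr/bin/rsync" key=(null)
type=PATH msg=audit(1700000009.789:4523): item=1 name="/usr/local/someapp/ebin/bar.beam" nametype=CREATE
"""

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or odd bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null)

def find_deletions(log_text, suffix=".beam"):
    """Return (event serial, path, exe, pid, auid) for each deleted file ending in suffix."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # records of one event share the same serial number
            fields = dict(FIELD.findall(line))
            events[m.group(1)][fields.get("type")].append(fields)
    hits = []
    for serial, recs in events.items():
        if not recs["SYSCALL"]:
            continue
        sc = recs["SYSCALL"][0]
        cwd = decode(recs["CWD"][0]["cwd"]) if recs["CWD"] else "/"
        for p in recs["PATH"]:
            # PATH names may be relative to the CWD record of the same event
            path = posixpath.normpath(posixpath.join(cwd, decode(p.get("name", ""))))
            if p.get("nametype") == "DELETE" and path.endswith(suffix):
                hits.append((serial, path, decode(sc["exe"]), int(sc["pid"]), int(sc["auid"])))
    return hits
```

An auid of 4294967295 means the login uid was never set, which points at a daemon or boot-time service rather than an interactive login.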
