This is an answer I wrote to a previous question:
Generally, if you wish to know what a process/user/file is doing without having to run lsof against it 24/7, you use auditctl.
Assuming you have a recent-ish kernel, audit control should be a simple operation. (This is in Debian-fu; if you're running Red Hat, translate as appropriate.)
# apt-get install auditd
Make sure that it's running (/etc/init.d/auditd status).
auditctl -a entry,always -F arch=b64 -S open -F pid=<process id>
Replace b64 with b32 if you're running a 32-bit arch; open can be replaced by any system call or the word 'all'.
For more, read the auditctl manpage.
You can use this method and ask it to watch for the 'unlink' system call.
The -w parameter is useful for watching files/directories, but as the man page explains, there are caveats.
-w path
Insert a watch for the file system object at path. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. This means that if you put a watch on a directory, you will see what appears to be file events, but it is really just the updating of meta data. You might miss a few events by doing this. If you need to watch all files in a directory, its recommended to place an individual watch on each file. Unlike syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel.
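To show what a rule on the 'unlink' system call produces and how to tie each deletion back to a process, here is an added example (not part of the original answer) that groups audit.log records by event serial and reports who removed which path. The sample records, the key names file-delete and file-open, and the function name deletions are constructed for illustration; the syscall numbers apply to x86_64 only.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log layout (not captured from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=900 pid=1234 auid=1000 uid=0 comm="rm" exe="/bin/rm" key="file-delete"
type=CWD msg=audit(1700000000.123:501): cwd="/srv/data"
type=PATH msg=audit(1700000000.123:501): item=0 name="/srv/data" inode=11 nametype=PARENT
type=PATH msg=audit(1700000000.123:501): item=1 name="/srv/data/report.csv" inode=42 nametype=DELETE
type=SYSCALL msg=audit(1700000005.456:502): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=900 pid=1234 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="file-open"
type=PATH msg=audit(1700000005.456:502): item=0 name="/etc/hosts" inode=77 nametype=NORMAL
type=SYSCALL msg=audit(1700000009.789:503): arch=c000003e syscall=263 success=no exit=-13 items=2 ppid=1 pid=2222 auid=1001 uid=1001 comm="python3" exe="/usr/bin/python3" key="file-delete"
type=CWD msg=audit(1700000009.789:503): cwd="/home/bob"
type=PATH msg=audit(1700000009.789:503): item=1 name="secret.key" inode=99 nametype=DELETE
'''

X86_64 = "c000003e"  # arch value logged for events matched by -F arch=b64 on x86_64
UNLINK_SYSCALLS = {"87": "unlink", "263": "unlinkat"}  # x86_64 syscall numbers
HEADER = re.compile(r'^type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def deletions(log_text):
    """Group records by event serial; return one dict per unlink/unlinkat event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            events[serial].update(fields)
        elif rtype == "CWD":
            events[serial]["cwd"] = fields["cwd"]
        elif rtype == "PATH" and fields.get("nametype") == "DELETE":
            events[serial]["target"] = fields["name"]
    out = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        call = UNLINK_SYSCALLS.get(ev.get("syscall"))
        if ev.get("arch") != X86_64 or call is None or "target" not in ev:
            continue  # not a deletion, or a number we cannot interpret for this arch
        path = ev["target"]
        if not path.startswith("/") and "cwd" in ev:
            path = ev["cwd"].rstrip("/") + "/" + path  # PATH names may be relative
        out.append({"serial": int(serial), "syscall": call, "pid": int(ev["pid"]),
                    "auid": int(ev["auid"]), "exe": ev["exe"], "path": path,
                    "success": ev["success"] == "yes"})
    return out
```

The auid field is the login UID, which stays the same across su/sudo, so it identifies the account behind a deletion even when uid is 0.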