How to figure out which processes are deleting files from a specific directory?

Question

I'm trying to figure out which processes are deleting files from a specific directory, so I want to set up and run auditd on my system.

I've set up the following rule in audit.rules:

-w S unlink -S truncate -S ftruncate -a exit,always -k cache_deletion -w /home/myfolder/cache

Then I type this to start the audit daemon:

auditctl -R /etc/audit/audit.rules -e 1

But I get this error message:

Error - nested rule files not supported

Does anyone know what I am doing wrong here, and how I can resolve this?

Also, what do I have to do to get the daemon running at startup?

skohrs · Answer 1 · 2012-09-28T20:36:25.157

2

That rule is trying to define two paths to audit, -w S and -w /home/myfolder/cache. You can only use -p and -k options with -w too.

Try the following rule:

-a exit,always -S unlinkat -S truncate -S ftruncate -F dir=/home/myfolder/cache -F key=cache_deletion

...or for simplicity's sake:

-w /home/myfolder/cache -k cache_deletion -p wa

To start the service at startup:

/sbin/chkconfig auditd on

edited Sep 28 '12 at 20:36

answered Sep 28 '12 at 19:19

skohrs

Thanks for replying, skohrs. Unfortunately, that didn't work - it returned the same error about 'nested rule files'. – Tola Odejayi Sep 28 '12 at 19:37
Did you see my updated rule? I had a typo. Is this the only rule in /etc/audit/audit.rules? In my testing, I had to use the 'unlinkat' system call to detect the file being removed. – skohrs Sep 28 '12 at 19:53
I tried your suggestion, but now I get the following error: `The audit system is disabled`. I tried adding `-e 1` to the line in `/etc/audit/audit.trail`, but it still makes no difference. – Tola Odejayi Sep 29 '12 at 03:36
@TolaOdejayi to enable auditing (with auditd running) just run `auditctl -e` (alone, by itself). – voretaq7 Nov 06 '12 at 03:42
@voretaq7 No, that would fail. It needs a second parameter, the type of flag (0-silent, 1-print, 2-panic). – Christian Jan 03 '13 at 11:34

score -2 · Accepted Answer · answered Oct 08 '12 at 18:06

-2

In the end, I gave up on trying to do this because I was able to identify (through some other means) some code which causing the deletes to occur.

answered Oct 08 '12 at 18:06

Tola Odejayi

Just saw this. Downvoted because I found another way to do this? Some people need to get out more. – Tola Odejayi Oct 31 '14 at 04:38

2 Answers2