I'm trying to figure out which processes are deleting files from a specific directory on my CentOS server.

I looked at inotify, but all this does is to tell me how many file deletions are occurring; it does not tell me what process run by which user did the deletions, nor does it tell me when they happened.

I also tried auditd, but I have had no luck in getting it set up on my server.

Does anyone have any other tool they can suggest that will do this?

Tola Odejayi

1 Answer

auditd is the correct tool to be using here; see man auditctl and set your rules correctly. Some good info: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Kurt
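To make the auditd suggestion in the answer above concrete, here is an added example (not part of the original answer): a directory watch rule plus a small parser that correlates the resulting SYSCALL and PATH records to show when a file was deleted, by which user and by which executable. The key name `dir-delete`, the path `/srv/data` and the sample records are constructed for illustration, and the parser assumes PATH records carry `nametype=DELETE`.

```shell
#!/bin/sh
# Added example: WATCH_KEY, /srv/data and the sample records are constructed
# for illustration and are not from the original post.
WATCH_KEY="dir-delete"

# Run as root with auditd active. A -w watch with -p wa on a directory logs
# syscalls that modify it, which includes unlinking or renaming its entries.
add_delete_watch() {
    auditctl -w "$1" -p wa -k "$WATCH_KEY"
}

# Constructed records in raw /var/log/audit/audit.log layout (fields trimmed).
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1200 pid=1234 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="dir-delete"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/srv/data" nametype=PARENT
type=PATH msg=audit(1700000000.123:4242): item=1 name="/srv/data/report.txt" nametype=DELETE
type=SYSCALL msg=audit(1700000060.500:4250): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1200 pid=1300 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="dir-delete"
type=PATH msg=audit(1700000060.500:4250): item=0 name="/srv/data" nametype=PARENT
type=PATH msg=audit(1700000060.500:4250): item=1 name="/srv/data/new.txt" nametype=CREATE
EOF
}

# Read raw audit records on stdin and print when, who and which executable
# deleted each path. The key is on the SYSCALL record, the deleted name on a
# later PATH record of the same event, so the two are joined on the event id.
summarize_deletes() {
    awk -v key="$WATCH_KEY" '
    function field(name,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    {
        id = field("msg")    # audit(1700000000.123:4242):
        sub(/^audit\(/, "", id); sub(/\):$/, "", id)
        type = field("type")
    }
    type == "SYSCALL" && field("key") == key {
        who[id] = "auid=" field("auid") " uid=" field("uid") " pid=" field("pid") " exe=" field("exe")
    }
    type == "PATH" && field("nametype") == "DELETE" && (id in who) {
        split(id, t, ":")
        print "time=" t[1], who[id], "path=" field("name")
    }'
}

sample_records | summarize_deletes
```

On a live host, feed it the real log with `summarize_deletes < /var/log/audit/audit.log`, or use `ausearch -k dir-delete -i` to get the same events with user names and timestamps decoded. The `auid` field is the login user, which stays the same across `su` or `sudo`, while `uid` is the identity the process ran as.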