How to use the audit log to find who deleted the file?

0

I want to find who deleted the file under the /home/oracle directory. My ausearch output looks like this:

    ausearch -f /home/oracle/
    time->Mon Nov 25 01:00:02 2019
    type=PROCTITLE msg=audit(1574632802.259:85680): proctitle=746172002D7A637666002F76622F7674792F41534D5F41554449545F46494C45532F2F61756469745F3230313931313235303130302E7461722E677A002E002D2D72656D6F76652D66696C6573
    type=PATH msg=audit(1574632802.259:85680): item=0 name="/home/oracle/" inode=524289 dev=f9:06 mode=040700 ouid=500 ogid=500 rdev=00:00 nametype=PARENT
    type=CWD msg=audit(1574632802.259:85680):  cwd="/home/oracle"
    type=SYSCALL msg=audit(1574632802.259:85680): arch=c000003e syscall=84 success=no exit=-22 a0=e291a0 a1=0 a2=e29090 a3=0 items=1 ppid=123226 pid=123237 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4669 comm="tar" exe="/bin/tar" key="delete"

This output means the files were deleted after being archived with the tar command. I am using it for the first time and I don't know what this output means.

arifisik

Posted 2019-11-25T08:28:10.973

Reputation: 160

No answers
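An added example, not part of the original post: a small Python parser that reads the audit event shown in the question, decodes the hex `proctitle` into the command line, and names the syscall, its result and the acting user. The helper names (`parse_event`, `decode_proctitle`, `summarise`) are hypothetical, and the syscall table is an assumption limited to x86_64 calls that remove or rename names.

```python
import errno
import re

# Event copied from the question's ausearch output.
RECORD = '''\
type=PROCTITLE msg=audit(1574632802.259:85680): proctitle=746172002D7A637666002F76622F7674792F41534D5F41554449545F46494C45532F2F61756469745F3230313931313235303130302E7461722E677A002E002D2D72656D6F76652D66696C6573
type=PATH msg=audit(1574632802.259:85680): item=0 name="/home/oracle/" inode=524289 dev=f9:06 mode=040700 ouid=500 ogid=500 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1574632802.259:85680):  cwd="/home/oracle"
type=SYSCALL msg=audit(1574632802.259:85680): arch=c000003e syscall=84 success=no exit=-22 a0=e291a0 a1=0 a2=e29090 a3=0 items=1 ppid=123226 pid=123237 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4669 comm="tar" exe="/bin/tar" key="delete"
'''

# Assumption: only x86_64 (arch=c000003e) calls that remove or rename names.
X86_64 = {82: "rename", 84: "rmdir", 87: "unlink", 263: "unlinkat", 264: "renameat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(text):
    """Merge key=value fields from all records of one event (first value wins)."""
    fields = {}
    for key, value in FIELD.findall(text):
        fields.setdefault(key, value)
    return fields

def decode_proctitle(value):
    """Quoted values are plain text; bare values are hex argv joined by NULs."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0") if a]

def summarise(text):
    f = parse_event(text)
    num, code = int(f["syscall"]), int(f["exit"])
    return {
        "epoch": float(f["msg"][len("audit("):].split(":")[0]),
        "argv": decode_proctitle(f["proctitle"]),
        "cwd": f["cwd"].strip('"'),
        "syscall": X86_64.get(num, num) if f["arch"] == "c000003e" else num,
        "succeeded": f["success"] == "yes",
        "error": errno.errorcode.get(-code) if code < 0 else None,
        "auid": int(f["auid"]),  # login uid, kept across su/sudo
        "uid": int(f["uid"]),
        "exe": f["exe"].strip('"'),
        "key": f["key"].strip('"'),
    }

if __name__ == "__main__":
    for name, value in summarise(RECORD).items():
        print(f"{name:10} {value}")
```

On a live system, `ausearch -i` performs the same interpretation, and `ausearch -k delete -i` lists every event recorded under the rule key seen here.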