How to determine who or what deletes files on the system, e.g. images from virtual host root?
There exists an application which can be used to watch files on a file system for a variety of events (access, modification, attribute changes, etc.) called
- Install the package:
# yum install audit
# apt-get install auditd
- Configure the application:
# vi /etc/audit/audit.rules
Make sure only the following lines are present:
The -e 0|1|2 flag can apparently be treated differently on some systems. It is recommended to test auditd on some file and see if it generates messages with the flag value you specified.
-e 2 locks the configuration of auditd until server restart. It may not be desirable on production systems.
- After that, you can add rules for each individual file manually or automatically:
Rules look like this (example shows a watch which will track write access and attribute access):
-w /path/to/file.jpg -p wa
More info on rules: OpenSuse docs (valid for any system). To add many files automatically, one can modify and use the following snippet:
# find /var/www/vhosts/example.com/httpdocs/ | grep -i '\.jpg$' | sed 's/^\(.*\)$/-w \1 -p wa/' >> /etc/audit/audit.rules
Here, the command lists all .jpg files and adds a rule for each individual file to
- Restart service to apply changes:
# service auditd restart
auditd will show a warning on restart saying that it does not support relative paths. If you did not add any relative paths to the ruleset, you may ignore this warning (it is incorrectly triggered by .. in file names).
- When the issue is reproduced, you can use ausearch to search logs for info about the missing files (here, a search by part of file name is performed):
# ausearch -f .jpg
Entries like these will be displayed:
time->Wed Aug 13 09:00:37 2014
type=PATH msg=audit(1407938437.885:39847): item=1 name="/var/www/vhosts/example.com/httpdocs/gallery/themes/classic/images/tab_left_on.jpg" inode=1068503 dev=08:11 mode=0100644 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=PATH msg=audit(1407938437.885:39847): item=0 name="/var/www/vhosts/example.com/httpdocs/gallery/themes/classic/images/" inode=1068495 dev=08:11 mode=040755 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=CWD msg=audit(1407938437.885:39847): cwd="/var/www/vhosts/example.com/httpdocs/gallery/themes/matrix/images"
type=SYSCALL msg=audit(1407938437.885:39847): arch=c000003e syscall=87 success=yes exit=0 a0=7fff0ebebb98 a1=1 a2=2 a3=149a9bc0 items=2 ppid=13614 pid=21200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12918 comm="rm" exe="/bin/rm" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="pics"
Here, for example, we can see that the command comm="rm" exe="/bin/rm" was executed by uid=0 gid=0 (root user) on 1407938437.885 (Unix time).
auditd does NOT support recursive monitoring of a directory. Specifying a directory as the target will place a watch on the directory itself as opposed to all its contents. Modify and use the automatic command from point 4 instead.
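As an added example (not part of the original answer), here is a small Python parser that groups raw ausearch records by their audit serial and reports, for each successful unlink/unlinkat, the executable, pid, login uid (auid), tty, working directory and the removed names. The sample input is constructed from the records shown above, and the syscall-number table assumes x86_64 (arch=c000003e).

```python
import re
from collections import defaultdict

# Sample ausearch output, constructed from the records shown in the answer above.
SAMPLE = """\
type=PATH msg=audit(1407938437.885:39847): item=1 name="/var/www/vhosts/example.com/httpdocs/gallery/themes/classic/images/tab_left_on.jpg" inode=1068503 dev=08:11 mode=0100644 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=PATH msg=audit(1407938437.885:39847): item=0 name="/var/www/vhosts/example.com/httpdocs/gallery/themes/classic/images/" inode=1068495 dev=08:11 mode=040755 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=CWD msg=audit(1407938437.885:39847): cwd="/var/www/vhosts/example.com/httpdocs/gallery/themes/matrix/images"
type=SYSCALL msg=audit(1407938437.885:39847): arch=c000003e syscall=87 success=yes exit=0 a0=7fff0ebebb98 a1=1 a2=2 a3=149a9bc0 items=2 ppid=13614 pid=21200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12918 comm="rm" exe="/bin/rm" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="pics"
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNLINK_SYSCALLS = {87: "unlink", 263: "unlinkat"}  # x86_64 (arch=c000003e) numbers only; raw (non -i) output
S_IFMT, S_IFDIR = 0o170000, 0o040000

def parse_records(text):
    """Group records by audit serial: {serial: {"ts": float, "PATH": [...], "SYSCALL": {...}, "CWD": {...}}}."""
    events = defaultdict(lambda: {"PATH": []})
    for m in filter(None, map(REC_RE.match, text.splitlines())):  # "time->" and "----" lines do not match
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        events[serial]["ts"] = float(ts)
        if rtype == "PATH":
            events[serial]["PATH"].append(fields)
        else:
            events[serial][rtype] = fields
    return dict(events)

def is_removed_entry(p):
    """Newer kernels tag the removed entry nametype=DELETE; older output (as above) only carries mode."""
    if "nametype" in p:
        return p["nametype"] == "DELETE"
    return (int(p.get("mode", "0"), 8) & S_IFMT) != S_IFDIR  # drops the parent-directory PATH item

def deletions(text):
    """One dict per successful unlink/unlinkat on x86_64: who removed which names, from where."""
    out = []
    for serial, ev in sorted(parse_records(text).items(), key=lambda kv: kv[1]["ts"]):
        sc = ev.get("SYSCALL", {})
        name = UNLINK_SYSCALLS.get(int(sc.get("syscall", -1)))
        if sc.get("arch") != "c000003e" or sc.get("success") != "yes" or name is None:
            continue
        out.append({"serial": serial, "time": ev["ts"], "syscall": name,
                    "exe": sc.get("exe"), "comm": sc.get("comm"), "pid": sc.get("pid"), "ppid": sc.get("ppid"),
                    # auid is the login uid: it survives su/sudo, so it names the person; uid is the account used
                    "auid": sc.get("auid"), "uid": sc.get("uid"), "tty": sc.get("tty"),
                    "cwd": ev.get("CWD", {}).get("cwd"), "key": sc.get("key"),
                    "files": [p["name"] for p in ev["PATH"] if is_removed_entry(p)]})
    return out
```

Feed it the output of ausearch -k pics (or ausearch -f .jpg as above) and look at auid rather than uid: auid is assigned at login and kept across su and sudo, so it still identifies the person when uid=0.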