How to determine who or what deletes files on the system?

2016-11-16 13:04:39 UTC

2017-08-08 13:35:16 UTC

Applicable to:

  • Plesk for Linux


How to determine who or what deletes files on the system, e.g. images from a virtual host's document root?


The Linux audit daemon, auditd, can watch files on a file system for a variety of events (access, modification, attribute changes, etc.) and record which process and user triggered each one.

  1. Install the package. On CentOS/RHEL:

    # yum install audit

     On Debian/Ubuntu:

    # apt-get install auditd

  2. Configure the application:

    # vi /etc/audit/audit.rules

  3. Make sure only the following lines are present:

    -e 1
    -b 8192
    -r 0

Note: The -e 0|1|2 flag can apparently be treated differently on some systems. It is recommended to test auditd on some file and check that it generates messages with the flag value you specified.

Note: -e 2 locks the configuration of auditd until the server is restarted. This may not be desirable on production systems.

  4. After that, you can add rules for each individual file manually or automatically:

Rules look like this (the example shows a watch that will track write access and attribute changes):

    -w /path/to/file.jpg -p wa

More info on rules: OpenSuse docs (valid for any system). To add many files automatically, one can modify and use the following snippet:

    # find /var/www/vhosts/ -type f | grep -i '\.jpg$' | sed 's/^\(.*\)$/-w \1 -p wa/' >> /etc/audit/audit.rules

Here, the command lists all .jpg files and adds a rule for each individual file to auditd configuration.
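Because auditd does not descend into directories, every file needs its own watch line. The following added example (not part of the Plesk article) generates those lines from a directory tree in the same shape as the find/sed pipeline above, adds a `-k` key so the resulting events can be searched with `ausearch -k` (the `pics` key name is the one visible in the sample output further down), and reports paths containing whitespace instead of emitting them, on the assumption that the rules file is whitespace-separated and cannot express such paths. The sample tree is constructed in a temporary directory.

```python
"""Generate auditd -w watch rules for every matching file under a tree.

Added example, not from the Plesk article or the audit project.
Assumptions: rule lines are whitespace-separated, so paths containing
whitespace are reported rather than written; the key name "pics" is a
constructed sample value.
"""
import os
import tempfile


def generate_watch_rules(root, suffixes=(".jpg",), perms="wa", key="pics"):
    """Walk `root` and return (rules, skipped).

    rules   - one '-w <path> -p <perms> -k <key>' line per matching file,
              since auditd watches a directory entry, not its contents
    skipped - matching files whose path contains whitespace
    """
    wanted = tuple(s.lower() for s in suffixes)
    rules, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(wanted):
                continue
            path = os.path.join(dirpath, name)
            if any(ch.isspace() for ch in path):
                skipped.append(path)  # cannot be expressed on one rule line
                continue
            rules.append(f"-w {path} -p {perms} -k {key}")
    return rules, skipped


def build_sample_tree():
    """Create a constructed sample vhost tree and return its root path."""
    root = tempfile.mkdtemp(prefix="vhost-")
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("a.jpg", "readme.txt", "bad name.jpg", os.path.join("sub", "b.JPG")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    rule_lines, skipped_paths = generate_watch_rules(sample_root)
    print("\n".join(rule_lines))          # lines to append to /etc/audit/audit.rules
    for p in skipped_paths:
        print(f"# skipped (whitespace in path): {p}")
```

Review the generated lines before appending them to `/etc/audit/audit.rules`; the number of watches is bounded by the kernel's audit backlog (`-b 8192` above), so very large trees may need a narrower file selection.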

  5. Restart the service to apply changes:

    # service auditd restart

Note: Sometimes auditd will show a warning on restart saying that it does not support relative paths. If you did not add any relative paths to the ruleset, you may ignore this warning (it is incorrectly triggered by ".." in file names).

  6. When the issue is reproduced, you can use ausearch to search the logs for information about the missing files (here, a search by part of the file name is performed):

    # ausearch -f .jpg

Entries like these will be displayed:

time->Wed Aug 13 09:00:37 2014
type=PATH msg=audit(1407938437.885:39847): item=1 name="/var/www/vhosts/" inode=1068503 dev=08:11 mode=0100644 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=PATH msg=audit(1407938437.885:39847): item=0 name="/var/www/vhosts/" inode=1068495 dev=08:11 mode=040755 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=CWD msg=audit(1407938437.885:39847): cwd="/var/www/vhosts/"
type=SYSCALL msg=audit(1407938437.885:39847): arch=c000003e syscall=87 success=yes exit=0 a0=7fff0ebebb98 a1=1 a2=2 a3=149a9bc0 items=2 ppid=13614 pid=21200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12918 comm="rm" exe="/bin/rm" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="pics"

Here, for example, we can see that the command comm="rm" exe="/bin/rm" was executed by uid=0 gid=0 (the root user) at 1407938437.885 (Unix time). On x86_64 (arch=c000003e), syscall=87 is unlink, and success=yes confirms the deletion went through; auid=0 is the login UID, which survives su/sudo and therefore identifies the account that actually logged in.
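Reading raw ausearch output by hand gets tedious once many events are logged. The following added example (not part of the Plesk article) parses the sample records above, groups the PATH, CWD and SYSCALL records of one event by the audit id in `msg=audit(TIMESTAMP:ID)`, decodes the syscall number for x86_64 (`arch=c000003e`; other architectures are left as numbers), and prints one line per event naming the user, process and target path. The `SAMPLE_LOG` constant is the output shown above embedded verbatim.

```python
"""Summarise ausearch output: who deleted what, when, with which program.

Added example, not from the Plesk article or the audit project. The
syscall table covers only x86_64 (arch=c000003e); SAMPLE_LOG is the
article's own sample output embedded for an offline run.
"""
import re
from datetime import datetime, timezone

SAMPLE_LOG = """\
time->Wed Aug 13 09:00:37 2014
type=PATH msg=audit(1407938437.885:39847): item=1 name="/var/www/vhosts/" inode=1068503 dev=08:11 mode=0100644 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=PATH msg=audit(1407938437.885:39847): item=0 name="/var/www/vhosts/" inode=1068495 dev=08:11 mode=040755 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=CWD msg=audit(1407938437.885:39847): cwd="/var/www/vhosts/"
type=SYSCALL msg=audit(1407938437.885:39847): arch=c000003e syscall=87 success=yes exit=0 a0=7fff0ebebb98 a1=1 a2=2 a3=149a9bc0 items=2 ppid=13614 pid=21200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12918 comm="rm" exe="/bin/rm" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="pics"
"""

# Deletion- and rename-related syscall numbers on x86_64 only.
X86_64_SYSCALLS = {"82": "rename", "87": "unlink", "263": "unlinkat"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")          # audit(TIMESTAMP:EVENT_ID)


def parse_record(line):
    """Turn one 'type=... msg=audit(...): k=v ...' line into a dict."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = MSG_RE.match(fields.get("msg", ""))
    if m:
        fields["_ts"] = float(m.group(1))
        fields["_id"] = m.group(2)
    return fields


def parse_audit_events(text):
    """Group records by event id and return one summary dict per event."""
    events = {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue  # 'time->' separators, '----' lines, blanks
        rec = parse_record(line)
        if "_id" not in rec:
            continue
        ev = events.setdefault(rec["_id"], {"id": rec["_id"], "timestamp": rec["_ts"], "paths": []})
        if rec["type"] == "SYSCALL":
            name = X86_64_SYSCALLS.get(rec["syscall"]) if rec.get("arch") == "c000003e" else None
            ev.update({
                "syscall": name or "syscall " + rec["syscall"],
                "success": rec.get("success") == "yes",
                "comm": rec.get("comm"), "exe": rec.get("exe"),
                "uid": rec.get("uid"), "auid": rec.get("auid"),
                "pid": rec.get("pid"), "ppid": rec.get("ppid"),
                "tty": rec.get("tty"), "key": rec.get("key"),
            })
        elif rec["type"] == "PATH":
            ev["paths"].append((int(rec["item"]), rec["name"]))  # keep item order
        elif rec["type"] == "CWD":
            ev["cwd"] = rec.get("cwd")
    result = []
    for ev in events.values():
        ev["paths"] = [name for _, name in sorted(ev["paths"])]
        result.append(ev)
    return sorted(result, key=lambda e: e["timestamp"])


def describe(ev):
    """One human-readable line per event; the last PATH item is the target."""
    when = datetime.fromtimestamp(ev["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    target = ev["paths"][-1] if ev["paths"] else "?"
    return (f'{when} {ev.get("syscall")} on {target} by uid={ev.get("uid")} '
            f'(auid={ev.get("auid")}) via {ev.get("exe")} pid={ev.get("pid")} '
            f'ppid={ev.get("ppid")} key={ev.get("key")}')


if __name__ == "__main__":
    for event in parse_audit_events(SAMPLE_LOG):
        print(describe(event))
```

Run it against real output with `ausearch -k pics | python3 audit_summary.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the `ppid` field is what lets you walk back from the `rm` to the cron job, shell or web application that spawned it.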

Note: auditd does NOT support recursive monitoring of a directory. Specifying a directory as the target places a watch on the directory entry itself, not on its contents. Modify and use the automatic command from step 4 instead.

More information on: auditd, auditctl.
