Date: Mon, 9 Feb 2015 21:02:39 +0100
From: Polytropon
To: Jeremy Gransden
Cc: freebsd-questions@freebsd.org
Subject: Re: See which user is deleting files
Message-Id: <20150209210239.fe545836.freebsd@edvax.de>

On Mon, 9 Feb 2015 14:55:59 -0500, Jeremy Gransden wrote:
> Is there a way to log when files get deleted and by whom?

A possible approach would be to make /bin/rm a script that logs the required information.
Or, on a per-user or global basis, an alias (but this depends on the shell heavily).

The idea with the script sounds a little better because it would already get the evaluated shell arguments, and all programs (!) that call /bin/rm would be "affected".

Of course, if a program doesn't use /bin/rm, but instead calls unlink(), it doesn't work anymore. This will probably be true for most UI-based programs (for example deleting from X file managers, or even with Midnight Commander's PF8).

It's probably a better idea to use a file alteration monitor to track when files disappear. However, I don't know if those tools around have the ability to determine _who_ deleted files... Maybe there are accounting tools that track I/O activity in a way that they can capture the creation of files in the same way as their removal?

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
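
The /bin/rm wrapper suggested in the message above, sketched as an added example (not code from the original post). The path /bin/rm.real for the relocated binary, the syslog tag rm-audit and the function names are assumptions made for illustration. As the message notes, anything that calls unlink() directly never reaches this script.

```sh
#!/bin/sh
# Added example: logging wrapper intended to be installed as /bin/rm.
# Assumptions (not from the original message): the real binary was moved
# to /bin/rm.real and records go to syslog under the tag "rm-audit".
REAL_RM=${REAL_RM:-/bin/rm.real}

# Make one value safe for a single-line record: control characters
# (newline included) become "?", then backslash and double quote are
# escaped. A file name containing a newline cannot forge a second record.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr '[:cntrl:]' '?' | sed 's/[\\"]/\\&/g'
}

# format_record EFFECTIVE_USER LOGIN_NAME CWD [ARG...]
# Arguments are logged as rm received them, i.e. after the calling
# shell has already expanded globs and variables.
format_record() {
    rec="user=$(sanitize "$1") login=$(sanitize "$2") cwd=\"$(sanitize "$3")\" args:"
    shift 3
    for arg in "$@"; do
        rec="$rec \"$(sanitize "$arg")\""
    done
    printf '%s\n' "$rec"
}

main() {
    # logname reports the login name, which still identifies the person
    # after su; it may fail outside a login session (cron, daemons).
    login=$(logname 2>/dev/null) || login=unknown
    record=$(format_record "$(id -un)" "$login" "$(pwd)" "$@")
    # A logging failure must not block the deletion itself.
    logger -t rm-audit -p auth.notice "$record" 2>/dev/null || true
    exec "$REAL_RM" "$@"
}

# Act only when invoked under the name "rm", so the file can also be
# sourced to exercise the functions above.
if [ "${0##*/}" = rm ]; then
    main "$@"
fi
```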