Date: Mon, 9 Feb 2015 21:02:39 +0100 From: Polytropon <freebsd@edvax.de> To: Jeremy Gransden <jeremy.gransden@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: See which user is deleting files Message-ID: <20150209210239.fe545836.freebsd@edvax.de> In-Reply-To: <CALi7Q_oFPNWYGMD7Je_H3vv-6ma3iP55K97_oofpyQndTvQqmQ@mail.gmail.com> References: <CALi7Q_oFPNWYGMD7Je_H3vv-6ma3iP55K97_oofpyQndTvQqmQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 9 Feb 2015 14:55:59 -0500, Jeremy Gransden wrote: > Is there a way to log when files get deleted and by whom? A possible approach would be to make /bin/rm a script that logs the required information. Or, on a per-user or global basis, an alias (but this depends on the shell heavily). The idea with the script sounds a little better because it would already get the evaluated shell arguments, and all programs (!) that call /bin/rm would be "affected". Of course, if a program doesn't use /bin/rm, but instead calls unlink(), it doesn't work anymore. THis will probably be true for most UI-based programs (for example deleting from X file managers, or even with Midnight Commander's PF8). It's probably a better idea to use a file alteration monitor to track when files disappear. However, I don't know if those tools around have the ability to determine _who_ deleted files... Maybe there are accounting tools that track I/O activity in a way that they can capture the creation of files in the same way as their removal? -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150209210239.fe545836.freebsd>