How to find out who is deleting files on a Linux server?
We have a Linux server which is Ext4 and another Linux server which has an iSCSI where Windows clients have shared folders. I need to:
- Allow users to modify files and not delete them. A user has permission to modify content, but cannot delete the files themselves.
- Audit all file add/delete/modify operations in an English-like log format.
- Send alerts if attempts are being made to delete.
Solution 1:
If Windows clients are mounting Samba/CIFS shares, then you should check out the full_audit.so module for Samba.
- Samba: Logging User Activity
- Samba - file audit log with full_audit
- Google Search - samba full_audit
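An added example (not code from the answer above or from the Samba project) of what a full_audit share stanza looks like, together with a small POSIX sh/awk parser that rewrites the resulting syslog lines into the plain-English form the question asks for and flags deletion attempts for alerting. The share name, path, client names and log lines are constructed; the operation names follow Samba 4.x (unlinkat, renameat, openat, mkdirat), and the parser also accepts the older un-suffixed names.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Samba.
# Share name, path and sample log lines are constructed.

# 1. A share stanza that loads the full_audit VFS module. With this prefix every
#    audit line reads  user|client-ip|client-name|share|operation|result|arguments...
#    (ok or "fail (reason)" in the result column). Logged to syslog facility local5.
print_share_stanza() {
    cat <<'EOF'
[shared]
    path = /srv/samba/shared
    read only = no
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = unlinkat renameat openat mkdirat
    full_audit:failure = unlinkat renameat
    full_audit:facility = local5
    full_audit:priority = notice
EOF
}

# 2. Turn one syslog line (with or without the syslog preamble) into a sentence.
audit_to_english() {
    printf '%s\n' "$1" | awk -F'|' '{
        sub(/^.*smbd_audit: /, "", $1)      # drop the syslog preamble; $1 is now the user
        user = $1; ip = $2; host = $3; share = $4; op = $5; result = $6; target = $7
        if (op ~ /^rename(at)?$/ && $8 != "") target = $7 " to " $8
        past = "performed " op " on"; inf = "perform " op " on"
        if (op ~ /^unlink(at)?$/) { past = "deleted"; inf = "delete" }
        if (op ~ /^rename(at)?$/) { past = "renamed"; inf = "rename" }
        if (op ~ /^open(at)?$/)   { past = "opened";  inf = "open" }
        if (op ~ /^mkdir(at)?$/)  { past = "created directory"; inf = "create directory" }
        if (result == "ok")
            printf "%s from %s (%s) %s %s on share %s\n", user, host, ip, past, target, share
        else
            printf "%s from %s (%s) failed to %s %s on share %s (%s)\n", user, host, ip, inf, target, share, result
    }'
}

# 3. Exit 0 when the line records a delete (successful or not), so it can drive an alert.
is_delete_attempt() {
    printf '%s\n' "$1" | awk -F'|' '$5 ~ /^unlink(at)?$/ { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Constructed sample of what syslog receives from the stanza above.
SAMPLE_LOG='Jan  5 10:12:01 fs1 smbd_audit: alice|192.0.2.10|WS01|shared|openat|ok|docs/report.txt
Jan  5 10:12:04 fs1 smbd_audit: bob|192.0.2.11|WS02|shared|renameat|ok|docs/draft.txt|docs/final.txt
Jan  5 10:12:09 fs1 smbd_audit: carol|192.0.2.12|WS03|shared|unlinkat|fail (Permission denied)|docs/final.txt
Jan  5 10:12:15 fs1 smbd_audit: alice|192.0.2.10|WS01|shared|unlinkat|ok|docs/old.txt'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    audit_to_english "$line"
    if is_delete_attempt "$line"; then
        echo "  ALERT: deletion attempt -> $line"
    fi
done
```

In production the loop would read the local5 log (or a `tail -F` of it) instead of the sample, and the ALERT branch would hand the sentence to whatever notifies you; the failure list in the stanza is what makes denied deletions visible at all.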
Solution 2:
I would recommend checking out audit
- http://people.redhat.com/sgrubb/audit/
It can monitor just about anything and everything that goes on with the kernel - you define your own rules to match the type of syscall activity you'd like to have audited.
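An added example, not from the answer above or from the Linux audit project: an audit rule set that watches a data directory and keys deletions separately, plus a POSIX sh/awk function that turns `ausearch -i` style records into one English sentence per event, marking denied attempts. The directory, key names and records are constructed; the records follow the layout of interpreted ausearch output (a `type=SYSCALL` line followed by `type=PATH` lines with `nametype=`, all sharing the event id after the colon in `msg=audit(...)`), though spacing in real output may differ, so the parser relies only on `key=value` tokens.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the audit project.
# Directory, rule keys and sample records are constructed.

# 1. Rules (drop into /etc/audit/rules.d/ or load with auditctl). The watch logs every
#    write and attribute change under the tree; the syscall rules key deletions and
#    renames separately so they are easy to search (ausearch -k data_deletions) and alert on.
print_audit_rules() {
    cat <<'EOF'
-w /srv/data -p wa -k data_changes
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F dir=/srv/data -k data_deletions
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F dir=/srv/data -k data_deletions
EOF
}

# 2. Read interpreted records (e.g. ausearch -k data_changes -i) on stdin and print
#    one sentence per event: "<login user> (via <program>) <what happened> <path>".
audit_events_to_english() {
    awk '
    function field(line, key,    s) {     # value of a key=value token, quotes stripped
        if (!match(" " line, " " key "=[^ ]*")) return ""
        s = substr(" " line, RSTART, RLENGTH)
        sub(/^ [^=]*=/, "", s); gsub(/"/, "", s)
        return s
    }
    {
        if (!match($0, /:[0-9]+\)/)) next          # event id inside msg=audit(...:ID)
        id = substr($0, RSTART + 1, RLENGTH - 2)
        t = field($0, "type")
        if (t == "SYSCALL") {
            if (!(id in sc)) order[++n] = id
            sc[id] = field($0, "syscall"); who[id] = field($0, "auid")   # auid = login user
            ok[id] = field($0, "success"); prog[id] = field($0, "comm")
        } else if (t == "PATH") {
            nt = field($0, "nametype"); name = field($0, "name")
            if (nt == "DELETE") gone[id] = name
            else if (nt == "CREATE") made[id] = name
            else if (nt == "NORMAL") touched[id] = name
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]; s = sc[id]
            tgt = (id in gone) ? gone[id] : ((id in made) ? made[id] : touched[id])
            if (s ~ /^unlink(at)?$/)      { past = "deleted " tgt; inf = "delete " tgt }
            else if (s ~ /^rename(at)?$/) { past = "renamed " gone[id] " to " made[id]; inf = "rename " gone[id] " to " made[id] }
            else if (s ~ /^open(at)?$/)   { past = "wrote to " tgt; inf = "write to " tgt }
            else if (s ~ /^mkdir(at)?$/)  { past = "created directory " tgt; inf = "create directory " tgt }
            else                          { past = s " on " tgt; inf = s " on " tgt }
            if (ok[id] == "yes") printf "%s (via %s) %s\n", who[id], prog[id], past
            else printf "DENIED: %s (via %s) tried to %s\n", who[id], prog[id], inf
        }
    }'
}

# Constructed records in the shape of "ausearch -i" output: a delete, a denied delete
# and a write, by three different login users.
SAMPLE_RECORDS='type=SYSCALL msg=audit(01/05/2024 10:12:01.123:456) : arch=x86_64 syscall=unlinkat success=yes exit=0 auid=alice uid=alice comm=rm exe=/usr/bin/rm key=data_changes
type=PATH msg=audit(01/05/2024 10:12:01.123:456) : item=0 name=/srv/data/docs nametype=PARENT
type=PATH msg=audit(01/05/2024 10:12:01.123:456) : item=1 name=/srv/data/docs/old.txt nametype=DELETE
type=SYSCALL msg=audit(01/05/2024 10:12:09.500:457) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) auid=carol uid=carol comm=rm exe=/usr/bin/rm key=data_deletions
type=PATH msg=audit(01/05/2024 10:12:09.500:457) : item=0 name=/srv/data/docs nametype=PARENT
type=PATH msg=audit(01/05/2024 10:12:09.500:457) : item=1 name=/srv/data/docs/final.txt nametype=DELETE
type=SYSCALL msg=audit(01/05/2024 10:12:20.001:458) : arch=x86_64 syscall=openat success=yes exit=3 auid=bob uid=bob comm=vim exe=/usr/bin/vim key=data_changes
type=PATH msg=audit(01/05/2024 10:12:20.001:458) : item=1 name=/srv/data/docs/report.txt nametype=NORMAL'

printf '%s\n' "$SAMPLE_RECORDS" | audit_events_to_english
```

The value of going through auditd rather than a filesystem watcher is the `auid` column: it is the login user even when the deletion happens through sudo or a daemon, which is exactly the "who" the question is after. Feed `ausearch -k data_deletions -i` output into the function on a timer (or from an audisp plugin) and alert on lines starting with `DENIED:` or containing `deleted`.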
Solution 3:
Check out inotify-tools, or, if you're a programmer, you could roll your own that fits. It's not that hard to do; the most difficult part is keeping track of all the subdirectories and dealing with directory additions/deletions/renames.
I have inotify-based programs running on a few of my servers. For example, on the one that stores my scanned private documents (bills, receipts et al.), I have a program that watches for new files in a directory tree. When a new document is created, it is immediately PGP-encrypted (unless the new document IS PGP-encrypted, of course). Another, similar program sends any changes in a particular tree to another server, far away.
I could see modifying one of those to simply write to an audit file that could then be reviewed as need be. The most difficult part I see in that is making sure the audit file doesn't grow too large.
I will review one of these to see if it's public-ready. If it is, I will find a place to share it.
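An added example, not the answer author's program and not part of inotify-tools: a small audit logger built on `inotifywait`, with a translator from its event tokens to plain English and a delete check for alerting. The watched directory and the sample event lines are constructed; the line layout (`<timestamp>|<path>|<EVENTS>`) is whatever the `--format` below produces. Two caveats a practitioner would want: inotify reports what happened to a path but not which user or process did it (auditd, in the previous answer, supplies that), and writing each sentence to syslog instead of a flat file is one way to avoid the ever-growing audit file the answer worries about.

```shell
#!/bin/sh
# Added example, not code from the original answer or from inotify-tools.
# WATCH_DIR and the sample events are constructed.

WATCH_DIR=${WATCH_DIR:-/srv/data}

# Translate one "<timestamp>|<path>|<EVENTS>" line into a sentence. EVENTS is a
# comma-separated token list from inotifywait, e.g. DELETE or CREATE,ISDIR.
inotify_to_english() {
    printf '%s\n' "$1" | awk -F'|' '{
        when = $1; path = $2; ev = $3
        kind = (ev ~ /ISDIR/) ? "directory" : "file"
        sub(/,?ISDIR/, "", ev)
        if (ev == "CREATE")          verb = "was created"
        else if (ev == "DELETE")     verb = "was deleted"
        else if (ev == "MODIFY")     verb = "was modified"
        else if (ev == "MOVED_FROM") verb = "was moved away (old name)"
        else if (ev == "MOVED_TO")   verb = "was moved here (new name)"
        else                         verb = "got event " ev
        printf "%s: %s %s %s\n", when, kind, path, verb
    }'
}

# Exit 0 when the event list contains a delete, so it can drive an alert.
is_delete_event() {
    printf '%s\n' "$1" | awk -F'|' '("," $3 ",") ~ /,DELETE(_SELF)?,/ { hit = 1 } END { exit hit ? 0 : 1 }'
}

# The actual watcher: runs until killed and needs inotify-tools installed. Every
# sentence goes to syslog through logger, so size and rotation are handled by the
# system log rotation rather than by this script.
run_audit_logger() {
    inotifywait -m -r -q -e create,delete,modify,moved_from,moved_to \
        --timefmt '%F %T' --format '%T|%w%f|%e' "$WATCH_DIR" |
    while IFS= read -r line; do
        msg=$(inotify_to_english "$line")
        if is_delete_event "$line"; then
            logger -p local5.warning -t file-audit "ALERT: $msg"
        else
            logger -p local5.notice -t file-audit "$msg"
        fi
    done
}

# Constructed sample of what the --format above emits, used for an offline dry run.
SAMPLE_EVENTS='2024-01-05 10:12:01|/srv/data/docs/report.txt|MODIFY
2024-01-05 10:12:04|/srv/data/docs/archive|CREATE,ISDIR
2024-01-05 10:12:09|/srv/data/docs/old.txt|DELETE'

printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r line; do
    if is_delete_event "$line"; then
        echo "ALERT: $(inotify_to_english "$line")"
    else
        inotify_to_english "$line"
    fi
done
```

Call `run_audit_logger` from a service unit to make it permanent; the `-r` flag covers existing subdirectories, which is the bookkeeping the answer describes as the hard part when rolling your own.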