在Linux上监视/审计文件删除 [英] Monitor/audit file delete on Linux

问题描述

有没有一种方法可以监视或者审计一个文件，看看它被删除时会发生什么？

我正在使用RedHat发行版。

解决方案

是的，您可以使用审计守护进程。你没有说哪个Linux发行版。基于Red Hat的系统包含auditd，您可以使用auditctl来添加规则。

以递归方式观察目录以进行更改：

  auditctl -w / usr / local / someapp / -p wa 
  

要查看系统调用pid为2021的程序：

  auditctl -a exit，always -S all -F pid = 2021 
  

检查auditctl的手册页。

结果记录到 /var/log/audit/audit.log

确保它正在运行。

  /etc/init.d/auditd status 
  

为了更彻底的方法，您可以使用tripwire或OSSEC，但它们更适合入侵检测。

One of the .beam files of one of my application deps is being deleted and I am not sure by what/how.

Is there a way to monitor or audit a file to see what happens when it is deleted?

I'm using RedHat distro.

解决方案

Yes, you can use the audit daemon. You did't say which Linux distro. Red Hat based systems contain auditd, and you can use auditctl to add rules.

To watch a directory recursively for changes:

auditctl -w /usr/local/someapp/ -p wa

To watch system calls made by a program with pid of 2021:

auditctl -a exit,always -S all -F pid=2021

Check the man page for auditctl.

Results will be logged to /var/log/audit/audit.log

To ensure it's running.

/etc/init.d/auditd status

For a more thorough approach, you could use tripwire or OSSEC, but they're geared more toward intrusion detection.

这篇关于在Linux上监视/审计文件删除的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！