answers: 1 / hits: 1392 / asked Sunday, February 13, 2022, 11:50:25
I have auditd installed on 64-bit Ubuntu 12.04 to track down some unexpected deletes (nice discussion of auditd). This is my rule (tagging deletes with the deletes keyword):
-a exit,always -F arch=b64 -S unlink -S rmdir -k deletes
auditctl -l shows that it's configured:
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=deletes syscall=rmdir,unlink
This works perfectly:
# mkdir xyz
# rmdir xyz
# ausearch -k deletes|grep 'xyz'
type=PATH msg=audit(1406147794.737:1880): item=1 name="xyz" inode=12386307 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
but this does not:
# touch xyz
# rm xyz
# ausearch -k deletes|grep 'xyz'
I can see that all sorts of other deletes are logged. What am I missing?
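The usual cause of a gap like this is that the rule lists only the syscalls the author expects, while the tool uses a different one: current coreutils rm removes files with unlinkat(2), and a rule that names only unlink and rmdir never matches it. The script below is an added example, not part of the original post: it takes strace-style output for a command, extracts the syscalls that remove a directory entry, compares them against the -S list of an audit rule written in audit.rules syntax, and prints a rule with the missing syscalls added. The strace lines are constructed to resemble what strace prints for rm xyz and rmdir xyz; run the real strace on your own box to confirm, and treat the function names as this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find which delete syscalls a
# command really issues and check whether an audit rule's -S list covers them.
# On a live box the trace comes from, e.g.:
#   strace -f -e trace=unlink,unlinkat,rmdir,rename,renameat,renameat2 rm xyz 2>&1
# and the rule is the line as written in /etc/audit/audit.rules (not the
# LIST_RULES form that auditctl -l prints on old versions).

# Syscalls that remove (or move away) a directory entry.
DELETE_SYSCALLS="unlink unlinkat rmdir rename renameat renameat2"

# Rule from the question, assumed verbatim.
RULE_FROM_QUESTION="-a exit,always -F arch=b64 -S unlink -S rmdir -k deletes"

# CONSTRUCTED sample of strace output for `rm xyz` followed by `rmdir xyz`.
SAMPLE_TRACE='newfstatat(AT_FDCWD, "xyz", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlinkat(AT_FDCWD, "xyz", 0) = 0
+++ exited with 0 +++
rmdir("xyz") = 0
+++ exited with 0 +++'

# Read strace output on stdin; print the delete-class syscalls it contains,
# one per line, deduplicated.
delete_syscalls_in_trace() {
    sed -n 's/^\([a-z_0-9]*\)(.*/\1/p' | while read -r name; do
        for s in $DELETE_SYSCALLS; do
            if [ "$name" = "$s" ]; then echo "$name"; fi
        done
    done | sort -u
}

# Return 0 if RULE names SYSCALL in a -S option, 1 otherwise.
rule_covers() {
    rule=$1; syscall=$2; prev=
    for word in $rule; do
        if [ "$prev" = "-S" ] && [ "$word" = "$syscall" ]; then
            return 0
        fi
        prev=$word
    done
    return 1
}

# Read strace output on stdin; print the delete syscalls RULE does not cover.
missing_syscalls() {
    rule=$1
    delete_syscalls_in_trace | while read -r s; do
        rule_covers "$rule" "$s" || echo "$s"
    done
}

# Print RULE with one extra -S per remaining argument, keeping "-k key" last.
suggested_rule() {
    rule=$1; shift
    extra=
    for s in "$@"; do extra="$extra -S $s"; done
    key=${rule##* -k }
    printf '%s%s -k %s\n' "${rule% -k *}" "$extra" "$key"
}

main() {
    missing=$(printf '%s\n' "$SAMPLE_TRACE" | missing_syscalls "$RULE_FROM_QUESTION")
    if [ -z "$missing" ]; then
        echo "rule already covers every delete syscall in the trace"
    else
        echo "not covered by the rule: $missing"
        echo "suggested rule:"
        suggested_rule "$RULE_FROM_QUESTION" $missing
    fi
}
main
```

With the constructed trace the script reports unlinkat as uncovered and suggests `-a exit,always -F arch=b64 -S unlink -S rmdir -S unlinkat -k deletes`. Two caveats when applying this for real: a `-F arch=b64` rule only matches 64-bit callers, so 32-bit binaries need a parallel `-F arch=b32` rule, and rename/renameat can also make a file "disappear" from where you expected it, which is why the example treats them as delete-class syscalls too.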