This is a hack you can use to track file deletions and know exactly who deleted a file.
The trick is to add this function to the /etc/profile file:
[vinodh@linunix ~]$ rm () { echo "`id` deleted the file $* at `date`" >> /tmp/.log; /bin/rm "$@"; }
The log file will show you this:
uid=500(vinodh) gid=500(vinodh) groups=500(vinodh) deleted the file test at Mon Nov 26 10:31:16 IST 2013
To also log the host name the session came from:
$ rm() { i=`tty | cut -d / -f 3,4`; host=`w | grep "$i" | awk '{print $3}'`; echo -e "`id` deleted the file $* at `date` coming from $host\n" >> /tmp/.log; /bin/rm "$@"; }
The output would be:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),503(devel) deleted the file at Tue Nov 27 15:09:14 ART 2007 coming from linunix.in
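A variant of the wrapper as an added example (not the original author's code): it logs every argument rather than only the first, and replaces control characters so that a file name containing a newline cannot add a forged line to the log. The names RM_AUDIT_LOG and rm_audit_record are hypothetical; the default log path is the /tmp/.log used above.

```shell
# Added example, not the original author's code.
# RM_AUDIT_LOG is a hypothetical override; the default is the page's /tmp/.log.
RM_AUDIT_LOG=${RM_AUDIT_LOG:-/tmp/.log}

# Print exactly one log line: identity, tty, working directory, timestamp
# and every argument (options included), each wrapped in [ ].
rm_audit_record() {
    _rec="$(id) tty=$(tty -s && tty || echo none) cwd=$PWD at $(date) rm"
    for _arg in "$@"; do
        _rec="$_rec [$_arg]"
    done
    # File names and directory names may contain newlines or terminal escape
    # sequences. Replace control characters so one call can never produce
    # more than one line in the log.
    printf '%s' "$_rec" | tr '[:cntrl:]' '?'
    printf '\n'
}

# Drop-in replacement for the rm function shown above.
rm() {
    rm_audit_record "$@" >> "$RM_AUDIT_LOG"
    /bin/rm "$@"
}
```

Because every user must be able to append to the log, every user can also edit it, and the function only applies to shells that source /etc/profile. Treat the log as a convenience record; kernel-level auditing (auditd) is the tamper-resistant option.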