Operating System - HP-UX

Aneesh Mohan
Honored Contributor

enable rm in delete event (Trusted System)

Hi,

Query regarding auditing events on a trusted system.

I am not able to enable rm in the audited events, for tracing the users who are using the rm command to remove files/directories. I can see rmdir, which comes by default in the "delete" audited event.

Please do let me know if it is possible on 11.11.

fyi:-

# uname -r
B.11.11

# what /usr/lbin/tsconvert
/usr/lbin/tsconvert:
$Revision: @(#) tsconvert R11.11_BL2007_0412_1 PATCH_11.11 PHCO_36329

Aneesh Mohan
Honored Contributor

Re: enable rm in delete event (Trusted System)


Hi all,

Any inputs to my questions?

Thanks in advance.


ANEESH
doug hosking
Esteemed Contributor
Solution

Re: enable rm in delete event (Trusted System)

The 'unlink' system call is what really causes files to be deleted by the rm command. Do you have that enabled in your audit configuration? If so, then you should see unlink records, which will show you which files were deleted (or attempted to be deleted).
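
An added illustration of the answer above, not part of the thread: a C sketch showing that removing a regular file is an unlink(2) call and that rmdir(2) only removes directories, so an audit configuration that records rmdir but not unlink does not record file deletions made with rm. The function names and the /tmp scratch paths are constructed for this example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* System call that removed the entry; an audit trail records this name, not "rm". */
enum del_call { DEL_FAILED, DEL_UNLINK, DEL_RMDIR };

/* Remove one path the way rm -r treats each entry:
 * rmdir(2) for a directory, unlink(2) for everything else. */
enum del_call delete_entry(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return DEL_FAILED;
    if (S_ISDIR(st.st_mode))
        return rmdir(path) == 0 ? DEL_RMDIR : DEL_FAILED;
    return unlink(path) == 0 ? DEL_UNLINK : DEL_FAILED;
}

/* Constructed scratch data under /tmp (hypothetical names). Fills calls[0..1]
 * with the syscalls used for the file and its directory, and *file_rmdir_errno
 * with the error rmdir(2) gives on a regular file. Returns 0, or -1 on setup failure. */
int run_demo(enum del_call calls[2], int *file_rmdir_errno)
{
    char dir[64], file[96];
    snprintf(dir, sizeof dir, "/tmp/audit_demo_%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/scratch.txt", dir);
    if (mkdir(dir, 0700) != 0)
        return -1;
    int fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    errno = 0;
    *file_rmdir_errno = (rmdir(file) == -1) ? errno : 0; /* rmdir cannot delete a file */
    calls[0] = delete_entry(file); /* regular file: unlink */
    calls[1] = delete_entry(dir);  /* now-empty directory: rmdir */
    return 0;
}

int main(void)
{
    static const char *name[] = { "failed", "unlink", "rmdir" };
    enum del_call c[2];
    int e;
    if (run_demo(c, &e) != 0) { perror("setup"); return 1; }
    printf("file via %s, directory via %s, rmdir(file) errno=%d\n", name[c[0]], name[c[1]], e);
    return 0;
}
```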
whiteknight
Honored Contributor

Re: enable rm in delete event (Trusted System)

Aneesh,

See this URL on the audited events:

http://docs.hp.com/en/B2355-90950/ch08s09.html?btnNext=next%A0%BB


Hope this helps
WK
Problem never ends, you must know how to fix it
Aneesh Mohan
Honored Contributor

Re: enable rm in delete event (Trusted System)

Many thanks Doug & WK.

Enabled unlink; now I can get the rm information. But the path for the file is not listed. Is there any way to trace the path?


Thanks again,
Aneesh