Operating System - HP-UX

Way to log who removed file?


Is there a way to log files that are removed
by users and applications on a hp-ux 10.20 and
11.0 system?
Rainer von Bongartz
Honored Contributor

Re: Way to log who removed file?

Convert to a trusted system or install the product IDS9000 from HP.

Both ways give you an option to monitor files and trace who removed a file.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Sridhar Bhaskarla
Honored Contributor

Re: Way to log who removed file?

Hi Stefan,

1. Start accounting. Using this you can determine the users that used rm commands and the number of times they used them.
2. Or start auditing and audit events like delete, modaccess, etc. But this needs your system to be converted to trusted.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
harry d brown jr
Honored Contributor

Re: Way to log who removed file?

The best way to prevent this is to be proactive and keep users out of any Unix shell. Additionally, you need to set the proper permissions to prevent it, and follow the other posts' advice.

live free or die
harry
Live Free or Die
Roger Baptiste
Honored Contributor

Re: Way to log who removed file?

Stefan,

The easiest way is to track their history files (.sh_history in the home directories; this assumes setting HISTFILE=$HOME/.sh_history in their .profile file). Of course users have the option of deleting their history files too ;-)

Accounting and other tools to log these actions involve more space and resources. So, the question comes back to prevention.
Set the appropriate directory and file permissions, which authorise users to live within their zones and not go around making mischief. Remember to set the umask too in the .profile file, which imposes a stricter definition of file permissions for new files.

HTH
raj
Take it easy.
Bill Hassell
Honored Contributor

Re: Way to log who removed file?

Another technique (assuming users are running Unix commands like rm) is to 'wrapper' the rm (and mv too) commands. Here's an example wrapper:

#!/sbin/sh
# log all rm activities: record the invoking user and the first 150
# characters of the argument list in syslog, then run the real rm
MYID=$(/usr/bin/id -nu)
FIRST150=$(echo "$@" | /usr/bin/cut -c 1-150)
/usr/bin/logger -t "rm-trace" -p user.warn "$MYID: rm $FIRST150"
# "$@" (quoted) keeps filenames containing spaces intact for rm.real
exec /usr/bin/rm.real "$@"

and similarly for mv:

#!/sbin/sh
# log all mv activities: record the invoking user and the first 150
# characters of the argument list in syslog, then run the real mv
MYID=$(/usr/bin/id -nu)
FIRST150=$(echo "$@" | /usr/bin/cut -c 1-150)
/usr/bin/logger -t "mv-trace" -p user.warn "$MYID: mv $FIRST150"
# "$@" (quoted) keeps filenames containing spaces intact for mv.real
exec /usr/bin/mv.real "$@"

To install the wrappers, cut-n-paste the above scripts into something like rmwrapper and mvwrapper, then:

# cp -p /usr/bin/rm /usr/bin/rm.real
# cp -p /sbin/rm /sbin/rm.real
# cp rmwrapper /usr/bin/rm
# cp rmwrapper /sbin/rm
# chmod 555 /usr/bin/rm /sbin/rm
# chown bin:bin /usr/bin/rm /sbin/rm

and for mv:

# cp -p /usr/bin/mv /usr/bin/mv.real
# cp -p /sbin/mv /sbin/mv.real
# cp mvwrapper /usr/bin/mv
# cp mvwrapper /sbin/mv
# chmod 555 /usr/bin/mv /sbin/mv
# chown bin:bin /usr/bin/mv /sbin/mv

Now test the command by:

# touch xyzabc
# mv xyzabc abcxyz
# rm abcxyz
# tail /var/adm/syslog/syslog.log

You should see entries like:

Nov 27 11:38:18 freedom mv-trace: root: mv xyzabc abcxyz
Nov 27 11:38:27 freedom rm-trace: root: rm abcxyz


Bill Hassell, sysadmin
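The wrapper approach above records only the user name and the raw argument string. The following is an added example, not code from the original post: a single wrapper body that can be installed as both rm and mv (after the real binaries have been renamed to rm.real and mv.real as described above) and that also logs the working directory, resolves each operand to an absolute path, honours "--", and scrubs control characters so a crafted filename cannot forge a second log line. The "tracewrap" file name, the log field layout and the 150-character cap are assumptions made here; on HP-UX the first line would be #!/sbin/sh rather than #!/bin/sh.

```shell
#!/bin/sh
# Added example (not from the original post): one wrapper body for rm and mv.
# Install as /usr/bin/rm and /usr/bin/mv once the real binaries are renamed
# to /usr/bin/rm.real and /usr/bin/mv.real.  The field layout, the "--"
# handling and the control-character scrubbing are choices made here.

# abs_path NAME CWD: resolve an operand to an absolute path using string
# rules only, so "rm foo" run from /home/x is logged as /home/x/foo.
abs_path() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$2" "$1" ;;
    esac
}

# format_trace USER CWD CMD ARG...: build the one-line syslog message.
#  - options are logged as-is; operands are resolved and single-quoted, so a
#    name containing spaces cannot masquerade as two names;
#  - everything after "--" is an operand, as rm and mv themselves treat it;
#  - control characters (newline, escape sequences) become "?", so a crafted
#    filename can neither forge a second log entry nor corrupt a terminal
#    that is tailing the log;
#  - the result is capped at 150 characters like the original wrapper.
format_trace() {
    user=$1 cwd=$2 cmd=$3
    shift 3
    args= files_only=
    for a in "$@"; do
        if [ -n "$files_only" ]; then
            args="$args '$(abs_path "$a" "$cwd")'"
        elif [ "$a" = -- ]; then
            files_only=1
            args="$args --"
        else
            case $a in
                -?*) args="$args $a" ;;
                *)   args="$args '$(abs_path "$a" "$cwd")'" ;;
            esac
        fi
    done
    { printf '%s cwd=%s: %s%s' "$user" "$cwd" "$cmd" "$args" |
          tr -c '[:print:]' '?'; echo; } | cut -c 1-150
}

# trace_exec CMD ARG...: log the call, then hand over to the real binary.
# "$@" stays quoted on the exec line; a bare $@ re-splits filenames that
# contain spaces before rm.real or mv.real ever sees them.
trace_exec() {
    cmd=$1
    shift
    msg=$(format_trace "$(id -un)" "$PWD" "$cmd" "$@")
    logger -t "$cmd-trace" -p user.warn "$msg"
    exec "/usr/bin/$cmd.real" "$@"
}

# Dispatch on the name the wrapper was invoked as.  Run under any other
# name (e.g. "sh tracewrap" while testing) the file only defines functions.
case $(basename "$0") in
    rm|mv) trace_exec "$(basename "$0")" "$@" ;;
esac
```

Two caveats apply to any wrapper of this kind. The /sbin copies in the post call /usr/bin/id and /usr/bin/logger, which are not available if /usr is not yet mounted, so replacing /sbin/rm is riskier than replacing /usr/bin/rm. And, as the next reply notes, a wrapper only sees callers that go through it: unlink() from a program, a renamed rm.real, or a shell builtin bypass it entirely, which is why the trusted-system audit suggestions earlier in the thread are the only complete answer.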
Sridhar Bhaskarla
Honored Contributor

Re: Way to log who removed file?

One problem with the method suggested by Bill is if the user uses /usr/bin/rm.real to remove the files, it will not be logged.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try