Re: How to catch process that removes files?

To: debian-user@lists.debian.org
Subject: Re: How to catch process that removes files?
From: Paul Johnson <baloo@ursine.ca>
Date: Tue, 23 Jan 2007 11:56:25 -0800
Message-id: <[🔎] 9s5i84xol6.ln2@ursa-major.ursine.ca>
References: <[🔎] b2d4b0380701220652x7cf71e73m5bbab5bd95fa5442@mail.gmail.com>

WireSpot wrote:

> Can anyone recommend a piece of software that will watch a file or a
> directory and tell me what processes mess with the files in there? In
> particular, I'd like it to react when a file is removed.

Tripwire can tell you that it's changed, but not who has changed it. 
There's a debian package by the same name for the free version (retired
product got GPL'd), though the change management features and auditing
support are way better if you're in a business environment with a budget to
go in on Tripwire Enterprise.

> I tried dnotify but it only tells me that it happened, after it
> happened, not who did it.

I know there's some kind of auditing option that you have to enable at the
kernel level to be able to pass that kind of auditing information to
programs like dnotify and tripwire, but they escape me right now.

> I need this because on this one Debian testing server I have a problem
> that's driving me mad: something comes around and periodically removes
> files from /var dirs, making certain services crash and burn: Samba
> tdb files, Apache SSL mutex, MySQL and Postgres runtime files and so
> on. And I can't figure out who the hell is doing that.

Is tmpreaper installed, but misconfigured?

Reply to:

References:
- How to catch process that removes files?
  - From: WireSpot <wirespot@gmail.com>

Prev by Date: Re: Manpages??
Next by Date: Re: help with C algorythm (find unique value in an array) could you please make changes
Previous by thread: Re: How to catch process that removes files?
Next by thread: Re: How to catch process that removes files?
Index(es):
- Date
- Thread