
Re: How to catch process that removes files?

On Mon, Jan 22, 2007 at 04:52:53PM +0200, WireSpot wrote:
> Can anyone recommend a piece of software that will watch a file or a
> directory and tell me what processes mess with the files in there? In
> particular, I'd like it to react when a file is removed.
> I tried dnotify but it only tells me that it happened, after it
> happened, not who did it.
> I need this because on this one Debian testing server I have a problem
> that's driving me mad: something comes around and periodically removes
> files from /var dirs, making certain services crash and burn: Samba
> tdb files, Apache SSL mutex, MySQL and Postgres runtime files and so
> on. And I can't figure out who the hell is doing that.

If it were me and I didn't know any better, I'd suspect a security
breach until proved otherwise.  I'm assuming that you haven't been
running something like samhain from day one.  Look at when this problem
started in relation to when a package got installed.  

As far as 'who' is doing this, I would guess that the only user with the
privilege to do this is root.  The problem of processes is that they
come and go.  You can look at all the running processes in /proc and
examine all the command lines and environments but it may not help.

To clarify, how do you mean "periodically"?  Do you mean periodically
like a cron job, or at random intervals (occasionally)?  
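The /proc walk suggested above, as an added example (not code from the thread): it lists every process whose cwd or open file descriptors point under a watched directory, with its command line, so a suspect can be caught while it still holds the files. The `proc_root` parameter is an assumption added so the scanner can be pointed at a copied or constructed /proc tree.

```python
import os
from pathlib import Path


def _read_cmdline(proc_dir):
    """Return the NUL-separated /proc/<pid>/cmdline as one printable string."""
    try:
        raw = (proc_dir / "cmdline").read_bytes()
    except OSError:  # process exited or is not readable
        return ""
    return " ".join(p.decode(errors="replace") for p in raw.split(b"\0") if p)


def _links_under(proc_dir, watch):
    """Resolve cwd and every /proc/<pid>/fd/* symlink; keep targets inside watch."""
    hits = []
    candidates = [proc_dir / "cwd"]
    fd_dir = proc_dir / "fd"
    if fd_dir.is_dir():
        try:
            candidates += [fd_dir / name for name in os.listdir(fd_dir)]
        except OSError:  # fd table unreadable without sufficient privilege
            pass
    for link in candidates:
        try:
            target = Path(os.readlink(link))
        except OSError:  # not a symlink, vanished, or permission denied
            continue
        if target == watch or watch in target.parents:
            hits.append("%s->%s" % (link.name, target))
    return hits


def procs_touching(watch_dir, proc_root="/proc"):
    """Map pid -> {cmdline, handles} for processes with cwd/fds under watch_dir.

    proc_root is normally /proc; it is a parameter only so the scan can run
    against a constructed tree offline.
    """
    watch = Path(watch_dir)
    found = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():  # skip self, sys, meminfo, ...
            continue
        hits = _links_under(entry, watch)
        if hits:
            found[int(entry.name)] = {"cmdline": _read_cmdline(entry), "handles": hits}
    return found


if __name__ == "__main__":
    for pid, info in sorted(procs_touching("/var/run").items()):
        print(pid, info["cmdline"], info["handles"])
```

Run it as root (otherwise other users' fd tables are not readable) from cron or a loop, and diff successive runs against the moments the files disappear.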