[clug] logging "rm" usage

Martin Pool mbp at samba.org
Wed Jul 9 13:30:47 EST 2003

On  9 Jul 2003, "Rousak, Boris" <Boris.Rousak at actewagl.com.au> wrote:
> Good afternoon all,
> I am attempting to write a script/program that will write to a log file
> every time someone uses the "rm" command on a redhat 7.3 kernel 2.4.20-18.7
> In particular it will log, who used it, date/time of usage and what it was
> they actually deleted. Having googled for a bit most sites suggest either
> using a "script" command to log everything and then parse that log file or
> using an alias script which logs everything and then invokes the real rm
> command, but these solutions aren't particularly elegant.

It depends on your point of view and what you're trying to achieve.
Is this for quotidian security auditing, or because you think the
machine is compromised, or to track down a problem, or something else?
A userspace solution that replaces /bin/rm and emits log messages is
simpler and more reliable than kernel hooks, and therefore arguably
more elegant.

> Thinking back to
> windows I seem to remember that there was a facility to trap events (calls
> to the OS). Question is as follows:
> Is there a similar trapping facility in linux or

Yes, several, e.g. systrace, etc.  But on any system, doing this kind
of intrusive monitoring can cause performance or reliability problems.

> Is there a much easier way of doing this and I just haven't found it (hints
> in this direction would also be much appreciated).

Get Rewted ;-) grsecurity allows you to configure this kind of logging
reasonably easily.
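
The userspace approach discussed above (replace /bin/rm with a program that emits a log message and then runs the real rm), sketched as an added example that is not part of the original message. The path /bin/rm.real, the syslog tag rm-audit and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit wrapper meant to be installed as /bin/rm.
# Assumption: the original binary was moved to /bin/rm.real (hypothetical path).
REAL_RM=${REAL_RM:-/bin/rm.real}

# Quote each argument and neutralise control characters, so a file name
# containing a newline cannot forge a second syslog record.
rm_quote_args() {
    out=
    for arg in "$@"; do
        clean=$(printf '%s' "$arg" | LC_ALL=C tr '[:cntrl:]' '?' | sed 's/["\\]/\\&/g')
        out="$out${out:+ }\"$clean\""
    done
    printf '%s\n' "$out"
}

# One record per invocation: who ran rm, from which tty and directory,
# and exactly which arguments were passed. Syslog adds the date and time.
rm_audit_record() {
    tty_name=$(tty 2>/dev/null) || tty_name=none
    printf 'user=%s login=%s sudo_user=%s tty=%s cwd=%s args=%s\n' \
        "$(id -un 2>/dev/null || id -u)" "${LOGNAME:-unknown}" \
        "${SUDO_USER:-none}" "$tty_name" \
        "$(rm_quote_args "$PWD")" "$(rm_quote_args "$@")"
}

rm_wrapper_main() {
    # Log first, but never let a logging failure block the deletion itself.
    logger -p authpriv.notice -t rm-audit "$(rm_audit_record "$@")" 2>/dev/null || :
    exec "$REAL_RM" "$@"
}

# Act only when invoked under the name "rm", so the file can also be
# sourced or tested without deleting anything.
case ${0##*/} in
    rm) rm_wrapper_main "$@" ;;
esac
```

The wrapper records only deletions made through the rm binary; files removed by other programs calling unlink() directly are not seen, which is the gap the kernel-level facilities mentioned in the thread cover.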


