[clug] logging "rm" usage

Rousak, Boris Boris.Rousak at actewagl.com.au
Thu Jul 10 11:39:48 EST 2003


Thanks to all who replied to this issue. Having had a look at the C hooks
into the OS that are required I think this really is overkill for my
purposes (which are: simple auditing). Also this has to be easily portable
to Tru64 which the C code isn't (as I am a novice in C :) ). Opting for a
second option of simple script substitution and also command aliasing the
following did the job:
# an alias has no positional parameters, so no $1: the user's arguments
# simply follow the expansion and land after /bin/rm
alias rm='echo $(date --iso-8601=seconds) $(whoami) >> /tmp/logname && /bin/rm'
Thanks,
Regards,
Boris

-----Original Message-----
From: Martin Pool [mailto:mbp at samba.org]
Sent: Wednesday, 9 July 2003 1:31 PM
To: Rousak, Boris
Cc: 'CLUG'
Subject: Re: [clug] logging "rm" usage


On  9 Jul 2003, "Rousak, Boris" <Boris.Rousak at actewagl.com.au> wrote:
> 
> Good afternoon all,
> I am attempting to write a script/program that will write to a log file
> every time someone uses the "rm" command on a redhat 7.3 kernel 2.4.20-18.7
> In particular it will log, who used it, date/time of usage and what it was
> they actually deleted. Having googled for a bit most sites suggest either
> using a "script" command to log everything and then parse that log file or
> using an alias script which logs everything and then invokes the real rm
> command, but these solutions aren't particularly elegant.

It depends on your point of view and what you're trying to achieve.
Is this for quotidian security auditing, or because you think the
machine is compromised, or to track down a problem, or something else?
A userspace solution that replaces /bin/rm and emits log messages is
simpler and more reliable than kernel hooks, and therefore arguably
more elegant.

> Thinking back to
> windows I seem to remember that there was a facility to trap events (calls
> to the OS). Question is as follows:
> Is there a similar trapping facility in linux or

Yes, several, e.g. systrace, etc.  But on any system doing this kind
of intrusive monitoring can cause performance or reliability problems.

> Is there a much easier way of doing this and I just haven't found it (hints
> in this direction would also be much appreciated).

Get Rewted ;-) grsecurity allows you to configure this kind of logging
reasonably easily

  http://grsecurity.net/

-- 
Martin 
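Boris's alias records who ran rm and when, but not what was removed, which was the third thing the original question asked for; the userspace replacement Martin describes can record all three. The following is an added example of such a wrapper, not code from either poster: a POSIX sh function that logs user, time, tty, working directory and the full argument list before calling the real binary (assumed to live at /bin/rm and overridable through REAL_RM; the variable RM_AUDIT_LOG, the default log path and the rm-audit syslog tag are names chosen for this example).

```shell
#!/bin/sh
# Audited rm wrapper (added example; not the poster's alias). Logs who ran rm,
# when, from where and with which arguments, then hands off to the real rm.
# Assumptions: REAL_RM names the real binary (default /bin/rm) and
# RM_AUDIT_LOG names the log file (default /var/log/rm-audit.log).
# Resolve the real binary once, at load time, so a later rm() wrapper
# cannot make the function call itself.
RM_AUDIT_REAL=${REAL_RM:-/bin/rm}

# Build one log line from the argument list. Every argument is single-quoted
# so names with spaces, quotes or leading dashes read back unambiguously.
# Recording $PWD lets relative paths be resolved after the fact.
rm_audit_record() {
    _ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # GNU's --iso-8601 is not portable (Tru64)
    _login=$(logname 2>/dev/null) || _login=${SUDO_USER:-?}
    _tty=$(tty 2>/dev/null) || _tty=notty
    _args=""
    for _a in "$@"; do
        _args="$_args '$(printf '%s' "$_a" | sed "s/'/'\\\\''/g")'"
    done
    printf '%s login=%s euid=%s tty=%s cwd=%s rm%s\n' \
        "$_ts" "$_login" "$(id -un)" "$_tty" "$PWD" "$_args"
}

# Record first, then delete, so an interrupted rm still leaves a trace.
# /tmp (as in the alias above) is a poor place for the log: any user can
# edit it. Use a root-owned file, or hand the line to syslog with logger.
# Deliberately fail-open: an unwritable log is reported, not fatal.
rm_audited() {
    _log=${RM_AUDIT_LOG:-/var/log/rm-audit.log}
    rm_audit_record "$@" >>"$_log" 2>/dev/null ||
        logger -t rm-audit "audit log $_log not writable" 2>/dev/null
    "$RM_AUDIT_REAL" "$@"
}

# Install for interactive shells with:  rm() { rm_audited "$@"; }
# Only shells that source this are covered; scripts that call /bin/rm
# directly, programs using unlink(2) and file managers are not.
```

Like the alias, this only sees deletions typed into a shell that loads it; for a system-wide record you still need the in-kernel options Martin mentions.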
