01-27-2011, 10:28 AM   #1
LQ Newbie
Registered: Jan 2011
Posts: 2

File create/modify/delete monitoring with user account

We are looking to monitor and log selected application file systems for file create/modify/delete changes that will also include the user account that changed/deleted the file, the file name, and the date and time of the event. Everything I have looked at does not seem to provide all of the information that we need.

Inotify seems to monitor modify/create/delete but does not seem to provide the user account.

Auditd seems to monitor modify/create/append with user account, but not deletes.

We need to provide this information to auditing for Sarbanes-Oxley compliance.

Any software products available or ideas would be greatly appreciated.

Thank you for your time.
01-27-2011, 10:36 AM   #2
Senior Member
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

I thought 'auditd' watched for any modifications to files, including delete.
1 members found this post helpful.
01-27-2011, 01:19 PM   #3
Nominal Animal
Senior Member
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3

Yes, auditd can monitor deletes, via the unlink and rmdir syscalls. (This does not include "deletes" via renaming.)

For a list of syscalls, see the man syscalls man page. Unfortunately that list is not exhaustive, and does not contain the *at variants; you should be prepared to audit those too.

To monitor file and directory access, I'd audit these syscalls:
  • Opening or creating a file or directory:
    open, openat, creat, link, linkat, mkdir, mkdirat, mknod, mknodat, symlink, symlinkat
  • Deletion and renaming:
    ftruncate, ftruncate64, rename, renameat, rmdir, truncate, truncate64, unlink, unlinkat
  • Modifying file or directory ownership:
    chown, chown32, fchown, fchown32, fchownat, lchown, lchown32
  • Changing access mode or attributes:
    chmod, fchmod, fchmodat, fremovexattr, fsetxattr, lremovexattr, lsetxattr, removexattr, setxattr
  • Modifying timestamps:
    futimesat, utime, utimensat, utimes
  • Directory traversal:
    chdir, fchdir
This list should be complete. Do check, though. I'd also personally appreciate it if somebody notices some I'm not aware of.
Nominal Animal

Last edited by Nominal Animal; 03-21-2011 at 07:30 AM.
1 members found this post helpful.
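
The syscall groups listed in the post above, written out as auditd rules (an added example, not part of the original thread). It assumes an x86_64 host; the directory /srv/app and the key prefix appfs are constructed, and the directory-traversal group is left out because the question asks only about create/modify/delete.

```shell
#!/bin/sh
# Added example: emit auditd rules for the syscall groups listed in the post.
# Assumption: x86_64 host, where arch=b64 is the native ABI and arch=b32 is i386.

# Names from the post that exist in both the b64 and b32 syscall tables.
CREATE="open openat creat link linkat mkdir mkdirat mknod mknodat symlink symlinkat"
DELETE="ftruncate rename renameat rmdir truncate unlink unlinkat"
OWNER="chown fchown fchownat lchown"
ATTR="chmod fchmod fchmodat fremovexattr fsetxattr lremovexattr lsetxattr removexattr setxattr"
TIMES="futimesat utime utimensat utimes"
# Names from the post that only the 32-bit table has. auditctl rejects an
# unknown syscall name for the rule's arch, so these go in the b32 rules only.
DELETE32="ftruncate64 truncate64"
OWNER32="chown32 fchown32 lchown32"

# emit_rule ARCH DIR KEY SYSCALL... : print one rule in audit.rules syntax.
emit_rule() {
    r_line="-a always,exit -F arch=$1"
    r_dir=$2
    r_key=$3
    shift 3
    for r_sc in "$@"; do
        r_line="$r_line -S $r_sc"
    done
    # -F dir= watches the directory recursively; -k tags matching events.
    printf '%s -F dir=%s -k %s\n' "$r_line" "$r_dir" "$r_key"
}

# audit_rules DIR KEY : rules for both ABIs, one key per group, so that
# creates, deletes and so on can be searched separately.
audit_rules() {
    a_dir=$1
    a_key=$2
    for a_arch in b64 b32; do
        if [ "$a_arch" = b32 ]; then d32=$DELETE32; o32=$OWNER32; else d32=; o32=; fi
        emit_rule "$a_arch" "$a_dir" "$a_key-create" $CREATE
        emit_rule "$a_arch" "$a_dir" "$a_key-delete" $DELETE $d32
        emit_rule "$a_arch" "$a_dir" "$a_key-owner" $OWNER $o32
        emit_rule "$a_arch" "$a_dir" "$a_key-attr" $ATTR
        emit_rule "$a_arch" "$a_dir" "$a_key-times" $TIMES
    done
}

# Constructed sample directory and key prefix.
audit_rules /srv/app appfs
```

Save the output to a file and load it with auditctl -R; ausearch -k appfs-delete -i then lists each event with its timestamp, the auid (the account that logged in, which survives su and sudo) and the affected path.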
01-27-2011, 03:11 PM   #4
LQ Newbie
Registered: Jan 2011
Posts: 2

Original Poster
Thank you

Thank you very much for your time and the responses. This will give us what we are looking for.

Thanks again,

