Re: How to catch process that removes files?

From: Douglas Allan Tutty <dtutty@xxxxxxxxxxxxx>
Date: Sat, 27 Jan 2007 13:06:51 -0500

On Mon, Jan 22, 2007 at 04:52:53PM +0200, WireSpot wrote:

Can anyone recommend a piece of software that will watch a file or a
directory and tell me what processes mess with the files in there? In
particular, I'd like it to react when a file is removed.

I tried dnotify but it only tells me that it happened, after it
happened, not who did it.

I need this because on this one Debian testing server I have a problem
that's driving me mad: something comes around and periodically removes
files from /var dirs, making certain services crash and burn: Samba
tdb files, Apache SSL mutex, MySQL and Postgres runtime files and so
on. And I can't figure out who the hell is doing that.

If it were me and I didn't know any better, I'd suspect a security
breach until proved otherwise. I'm assuming that you haven't been
running something like samhain from day one. Look at when this problem
started in relation to when a package got installed.

As far as 'who' is doing this, I would guess that the only user with the
privledge to do this is root. The problem of processes is that they
come and go. You can look at all the running processes in /proc and
examine all the command lines and environments but it may not help.

To clarify, how do you mean "periodically"? Do you mean periodically
like a cron job, or at random intervals (occasionally)?

Doug.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: How to catch process that removes files?
  - From: WireSpot

References:
- How to catch process that removes files?
  - From: WireSpot

Prev by Date: Re: Doing administrative work
Next by Date: Re: Re: Debian, Iceweasle, Firefox!
Previous by thread: Re: How to catch process that removes files?
Next by thread: Re: How to catch process that removes files?
Index(es):
- Date
- Thread

Relevant Pages

Why my gtk problems can not act on key press sometime?
... And sometime, my app's windows just have no react when I key in something, but they does hung, they can react on mouse actions. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
(Debian-User)
Why my gtk problems can not act on key press sometime?
... And sometime, my app's windows just have no react when I key in something, but they does hung, they can react on mouse actions. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
(Debian-User)
Re: Using get_cwd inside a module.
... The basic problem is that you shouldn't call syscalls from kernelspace. ... Have you looked at dnotify to look for changed files instead? ... To unsubscribe from this list: send the line "unsubscribe linux-kernel" in ...
(Linux-Kernel)
Re: what applications use famd?
... It would appear that "dnotify" appears in the FAM source but ... "inotify" does not. ... Looking at how dnotify works, ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
(Debian-User)
Re: how to read /proc/net/arp properly?
... Watch ARP requests on the network as they come in and react ... Servus, ... To unsubscribe from this list: send the line "unsubscribe linux-kernel" in ...
(Linux-Kernel)