1 Reply. Latest reply: Mar 4, 2013 1:05 PM by Hodware

Doubt on Solaris BSM (Want to track who are deleting my files)

Bulls123 Newbie
Hello all,

I have gone through BSM online to some extent.

All I need is to track "who all are deleting my files" by using Solaris BSM (audit).
I don't want to track anything else apart from this.

Also, please let me know how can I analyse audit files located at /var/audit/*

Thanks in advance.
  • 1. Re: Doubt on Solaris BSM (Want to track who are deleting my files)
    Hodware Newbie
    I am not familiar with BSM, but you can use dtrace if you want to try it.
    Hopefully others will respond on BSM info.


    This file-monitor.d D script takes a filename as its argument and will tell you the PID responsible for accessing or removing the file.

    -----------------------

    #!/usr/sbin/dtrace -s
    /* Fire on every fsinfo (VFS operation) probe in genunix whose pathname
       contains the string passed as the first script argument ($$1). */
    fsinfo:genunix::
    /strstr(args[0]->fi_pathname, $$1) != NULL/
    {
        /* wall-clock time, caller PID/PPID, program name, path and VFS op */
        printf("%Y pid %d ppid %d %s %s %s\n", walltimestamp, pid, ppid,
            execname, args[0]->fi_pathname, probefunc);
    }

    -----------------------
    example:

    bash-3.00# ./file-monitor.d test &
    [1] 4840
    bash-3.00# dtrace: script './file-monitor.d' matched 44 probes

    bash-3.00# touch /tmp/test

    bash-3.00#
    CPU ID FUNCTION:NAME
    0 368 fop_lookup:lookup 2011 Dec 19 11:51:42 pid 4841 ppid 4808 touch /tmp/test fop_lookup

    0 371 fop_getattr:getattr 2011 Dec 19 11:51:42 pid 4841 ppid 4808 touch /tmp/test fop_getattr
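    The original question asked for the BSM side: auditing only file deletion and making sense of what lands in /var/audit. The following is an added example, not code from either poster. The Solaris commands are shown as comments only (they need a Solaris host with BSM enabled via bsmconv(1M)); the runnable part is a small awk-based reader for praudit(1M) text output, fed with a constructed sample whose field order is assumed from the praudit(1M) format description. The audit-ID, uid and pid positions in the subject token are the assumption to double-check against your own praudit output.

```shell
#!/bin/sh
# Added example: restrict Solaris BSM to the "fd" (file delete) audit class and
# extract "who deleted what" from praudit(1M) text output.
#
# On the Solaris host the steps would be (not executed here):
#   1. In /etc/security/audit_control, preselect only file deletion:
#        flags:fd
#      (unlink(2) and rmdir(2) belong to the fd class in audit_event(4)).
#   2. Make auditd re-read the configuration:
#        audit -s
#   3. Pull the deletions out of the binary audit trail as text:
#        auditreduce -c fd /var/audit/* | praudit
#
# praudit's default output is one token per line, each a comma-separated list
# beginning with the token name. The sample below is CONSTRUCTED to mimic it;
# the field order is assumed from praudit(1M):
#   header,<len>,<version>,<event>,<modifier>,<host>,<time>
#   path,<pathname>
#   subject,<audit-ID>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
#   return,<success|failure>,<errno>
SAMPLE_AUDIT='header,129,2,unlink(2),,solbox,2011-12-19 11:51:42.000 +00:00
path,/tmp/test
attribute,100644,root,root,0,0,0
subject,bulls123,root,root,root,root,4841,4808,0 0 solbox
return,success,0
header,137,2,unlink(2),,solbox,2011-12-19 11:52:07.000 +00:00
path,/export/home/bulls123/notes.txt
attribute,100644,bulls123,staff,0,0,0
subject,bulls123,bulls123,staff,bulls123,staff,4902,4808,0 0 solbox
return,failure,13
header,133,2,rmdir(2),,solbox,2011-12-19 11:53:30.000 +00:00
path,/tmp/scratch
attribute,40755,alice,staff,0,0,0
subject,alice,alice,staff,alice,staff,5010,5001,0 0 solbox
return,success,0'

# who_deleted: read praudit text on stdin and print one line per delete event:
#   <audit-ID> uid=<uid> pid=<pid> <event> DELETED|DENIED(errno N) <path> at <time>
# The audit-ID (login user) is printed first because it survives su/sudo,
# which is what "who deleted my file" usually means. Denied attempts are kept
# so that a refused deletion is still visible to the file owner.
who_deleted() {
    awk -F, '
        $1 == "header"  { event = $4; when = $7 }
        $1 == "path"    { file = $2 }
        $1 == "subject" { who = $2; uid = $3; pid = $7 }
        $1 == "return"  {
            status = ($2 == "success") ? "DELETED" : ("DENIED(errno " $3 ")")
            printf "%s uid=%s pid=%s %s %s %s at %s\n", who, uid, pid, event, status, file, when
        }'
}

# count_deletes_by: number of successful deletions attributed to an audit-ID
# in the constructed sample (field 1 is the audit-ID, field 5 the status).
count_deletes_by() {
    printf '%s\n' "$SAMPLE_AUDIT" | who_deleted |
        awk -v u="$1" '$1 == u && $5 == "DELETED" { n++ } END { print n + 0 }'
}

# Stand-alone run: list every delete event in the sample.
printf '%s\n' "$SAMPLE_AUDIT" | who_deleted
```

    On a real system, replace the sample with `auditreduce -c fd /var/audit/* | praudit | who_deleted`; `auditreduce -u <user>` or `-a`/`-b` date bounds narrow the trail further before praudit sees it.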
