1 Reply Latest reply: Mar 4, 2013 3:05 PM by Steve H -Oracle

    Doubt on Solaris BSM (Want to track who are deleting my files)

    Bulls123
      Hello all,

      I have read about BSM online to some extent.

      All I need is to track "who all are deleting my files" by using Solaris BSM (audit).
      I don't want to track anything else apart from this.

      Also, please let me know how I can analyse the audit files located at /var/audit/*

      Thanks in advance.
        • 1. Re: Doubt on Solaris BSM (Want to track who are deleting my files)
          Steve H -Oracle
          I am not familiar with BSM, but you can use dtrace if you want to try it.
          Hopefully others will respond on BSM info.


          This file-monitor.d D script takes a filename as its argument and will tell you the PID responsible for accessing or removing the file.

          -----------------------

          #!/usr/sbin/dtrace -s
          /*
           * file-monitor.d: fire on every fsinfo (VFS operation) probe whose
           * pathname contains the substring passed as the first script argument ($$1).
           */
          fsinfo:genunix::
          /strstr(args[0]->fi_pathname, $$1) != NULL/
          {
              /* timestamp, caller pid/ppid/command, the path touched and the VFS operation */
              printf("%Y pid %d ppid %d %s %s %s\n", walltimestamp, pid, ppid, execname,
                  args[0]->fi_pathname, probefunc);
          }

          -----------------------
          example:

          bash-3.00# ./file-monitor.d test &
          [1] 4840
          bash-3.00# dtrace: script './file-monitor.d' matched 44 probes

          bash-3.00# touch /tmp/test

          bash-3.00#
          CPU ID FUNCTION:NAME
          0 368 fop_lookup:lookup 2011 Dec 19 11:51:42 pid 4841 ppid 4808 touch /tmp/test fop_lookup

          0 371 fop_getattr:getattr 2011 Dec 19 11:51:42 pid 4841 ppid 4808 touch /tmp/test fop_getattr
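The thread leaves the BSM half of the question open: how to get "who deleted what" out of /var/audit. With the file-delete class enabled (`flags:fd` in /etc/security/audit_control), `auditreduce -c fd /var/audit/* | praudit -l` prints one record per line as comma-separated tokens (header, path, attribute, subject, return). The script below is an added example, not code from the original thread or from Oracle: it parses such lines and reports deletions per audit user, keyed on the subject token's audit ID rather than the effective UID, so a user who did `su` to root before deleting still shows up under their login name. The sample records are constructed to match that praudit -l layout (the host name, paths, users and PIDs are made up), and the token field order is an assumption from that layout; the parser locates tokens by name rather than by fixed column, so minor differences between Solaris releases do not break it.

```python
import re
from collections import Counter

# Constructed sample records (not real audit data), one per line, in the shape
# `auditreduce -c fd /var/audit/* | praudit -l` prints. Field order inside each
# token is assumed from the praudit -l layout: header,len,ver,event,...,time;
# path,<path>; subject,audit-id,uid,gid,ruid,rgid,pid,sid,tid; return,status,value.
SAMPLE_PRAUDIT_LINES = """\
header,97,2,unlink(2),,solbox,2013-03-04 14:58:12.311 +00:00,path,/export/home/bulls/reports/q1.txt,attribute,100644,bulls,staff,8388614,4711,0,subject,bob,bob,staff,bob,staff,4821,4790,0 0 solbox,return,success,0
header,97,2,unlink(2),,solbox,2013-03-04 14:59:40.007 +00:00,path,/export/home/bulls/reports/q2.txt,attribute,100644,bulls,staff,8388614,4712,0,subject,bulls,bulls,staff,bulls,staff,4903,4790,0 0 solbox,return,success,0
header,97,2,unlink(2),,solbox,2013-03-04 15:00:02.551 +00:00,path,/export/home/bulls/secret.txt,attribute,100600,bulls,staff,8388614,4713,0,subject,alice,alice,staff,alice,staff,4950,4949,0 0 solbox,return,failure: Permission denied,-1
header,81,2,rmdir(2),,solbox,2013-03-04 15:01:17.000 +00:00,path,/export/home/bulls/old,attribute,40755,bulls,staff,8388614,4714,0,subject,bob,root,root,bob,staff,5002,4790,0 0 solbox,return,success,0
header,70,2,open(2) - read,,solbox,2013-03-04 15:02:00.000 +00:00,path,/export/home/bulls/reports/q3.txt,attribute,100644,bulls,staff,8388614,4715,0,subject,bob,bob,staff,bob,staff,5010,4790,0 0 solbox,return,success,3
"""

# Audit event names (from audit_event(4)) that remove a directory entry.
DELETE_EVENTS = {"unlink(2)", "unlinkat(2)", "rmdir(2)"}

# Tokens are found by name so the parser does not depend on absolute column offsets.
_HEADER = re.compile(r"(?:^|,)header,(?P<len>\d*),(?P<ver>\d*),(?P<event>[^,]*)")
_TIME = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[^,]*")
_PATH = re.compile(r"(?:^|,)path,(?P<path>[^,]*)")
_SUBJECT = re.compile(
    r"(?:^|,)subject,(?P<auid>[^,]*),(?P<uid>[^,]*),(?P<gid>[^,]*),"
    r"(?P<ruid>[^,]*),(?P<rgid>[^,]*),(?P<pid>[^,]*),(?P<sid>[^,]*)"
)
_RETURN = re.compile(r"(?:^|,)return,(?P<status>[^,]*),(?P<value>[^,]*)")


def parse_record(line):
    """Extract the fields a deletion report needs from one praudit -l record.

    Returns None when the line has no header or subject token (truncated record,
    stray output), so a bad line never aborts the whole run.
    """
    header = _HEADER.search(line)
    subject = _SUBJECT.search(line)
    if not header or not subject:
        return None
    path = _PATH.search(line)
    ret = _RETURN.search(line)
    when = _TIME.search(line)
    pid = subject.group("pid")
    return {
        "time": when.group(0) if when else "",
        "event": header.group("event"),
        "path": path.group("path") if path else "",
        # audit ID: the user who logged in; it survives su(1M), unlike the effective uid
        "audit_user": subject.group("auid"),
        "euid_user": subject.group("uid"),
        "pid": int(pid) if pid.isdigit() else None,
        "success": bool(ret) and ret.group("status") == "success",
    }


def deletions(lines, under=None, include_failed=False):
    """Return the delete-class records, optionally only those below a directory.

    Failed attempts (e.g. EACCES) are dropped by default; pass include_failed=True
    to see who tried and was refused, which is often the more interesting signal.
    """
    found = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["event"] not in DELETE_EVENTS:
            continue
        if under is not None and not rec["path"].startswith(under.rstrip("/") + "/"):
            continue
        if not rec["success"] and not include_failed:
            continue
        found.append(rec)
    return found


def who_deleted(lines, under=None):
    """Count successful deletions per audit user (login identity)."""
    return Counter(rec["audit_user"] for rec in deletions(lines, under))


if __name__ == "__main__":
    lines = SAMPLE_PRAUDIT_LINES.splitlines()
    for rec in deletions(lines, include_failed=True):
        status = "deleted" if rec["success"] else "FAILED to delete"
        print(f'{rec["time"]} {rec["audit_user"]} (euid {rec["euid_user"]}, pid {rec["pid"]}) '
              f'{status} {rec["path"]} via {rec["event"]}')
    print("totals:", dict(who_deleted(lines)))
```

Feed real data in with `auditreduce -c fd /var/audit/* | praudit -l | python3 report.py` by replacing the sample with `sys.stdin`; restricting to `-c fd` at the auditreduce stage keeps the volume down when the audit_control flags enable more than the fd class.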