Linux – .bashrc and .ssh/ disappearing seemingly at random


I have a server that has been running Fedora 16 (3.1.0-7.fc16.x86_64) for about a month now. I only log in every few days or weeks, but when I do, sometimes files are missing from my home directory. I don't keep any documents or whatever in there, so I can't say to what extent I have the problem, but I do know that the .bash_profile, .bashrc, and sometimes the contents of .ssh/ (keyfiles, config, authorized_keys) sometimes go missing. They just disappear (and not always all at once; today the bash files were gone, last week .ssh was empty). I can't seem to find anything about it online (it's not the problems people were having with clean installations and initial updates, insofar as the system gets updated regularly so the initial updates and installation issues should be over, not recurring).

# /etc/fstab
# ...
/dev/mapper/vg_host-lv_root /                       ext4    defaults        1 1
UUID=1e51ac20-4a4c-4060-b1d2-11a675d082f2 /boot                   ext4    defaults        1 2
UUID=8D78-47C0          /boot/efi               vfat    umask=0077,shortname=winnt 0 0
/dev/mapper/vg_host-lv_home /home                   ext4    defaults        1 2
/dev/mapper/vg_host-lv_swap swap                    swap    defaults        0 0

I added both of these rules to audit.rules yesterday:

-w /home/me/ -p wa -k homedir_watch
-w /home/me/ -k whodeletedit -p w

and today .bashrc is gone again, but when I search with either of these

ausearch -f /home/lockhart  -k homedir_watch
ausearch -i -k whodeletedit

I get

<no matches>

However, I get the same when I add/recreate the missing files: there are still no matches.

Best Answer

If you have root-level access to the server, you can install and enable auditd, which tracks filesystem-level changes and will help you identify what is responsible for removing the file.

You'd then set up a watch for writes to your home directory (deleting a file from a directory requires writing to the directory containing it), possibly tagging it so you can keep it separate from other watches running:

auditctl -w /home/you/ -k whodeletedit -p w

When the file goes missing again,

ausearch -i -k whodeletedit

will tell you what changed your home directory.

This all assumes normal operation of the system and that the files aren't going missing due to drive corruption or the system being improperly shut down and losing data.
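
An added example (not part of the answer above, and not the poster's code): a shell function that reduces raw audit records for the watch key to one line per successful delete or rename, showing the login uid, uid, executable and affected paths. The sample records are constructed for illustration, the function name `who_deleted` is hypothetical, and the syscall numbers assume the x86_64 architecture mentioned in the question.

```shell
#!/bin/sh
# Added example: summarise who removed or renamed files, from raw audit records.
# Real use, as root:  ausearch --raw -k whodeletedit | who_deleted

who_deleted() {
  awk '
    # Value of key k on the current record, with quotes stripped.
    function field(k,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, k "=") == 1) {
          v = substr($i, length(k) + 2); gsub(/"/, "", v); return v
        }
      return ""
    }
    # x86_64 syscall numbers: rename, rmdir, unlink, unlinkat, renameat.
    BEGIN { split("82 84 87 263 264", nums, " "); for (j in nums) del[nums[j]] = 1 }
    # Records of one event share the TIME:SERIAL id inside msg=audit(...).
    !match($0, /audit\([0-9.]+:[0-9]+\)/) { next }
    { id = substr($0, RSTART + 6, RLENGTH - 7) }
    $1 == "type=SYSCALL" && field("arch") == "c000003e" &&
      (field("syscall") in del) && field("success") == "yes" {
      order[++count] = id
      who[id] = "auid=" field("auid") " uid=" field("uid") " exe=" field("exe")
    }
    $1 == "type=PATH" && (id in who) {
      paths[id] = paths[id] (paths[id] == "" ? "" : ",") field("name")
    }
    END { for (j = 1; j <= count; j++) print order[j], who[order[j]], "paths=" paths[order[j]] }
  '
}

# Constructed sample records (not from the page). auid=4294967295 means the
# process has no login uid set, i.e. it was not started from a login session.
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1326900000.101:501): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=2101 auid=1000 uid=1000 comm="rm" exe="/bin/rm" key="whodeletedit"
type=PATH msg=audit(1326900000.101:501): item=0 name="/home/you" inode=12 dev=fd:02
type=PATH msg=audit(1326900000.101:501): item=1 name=".bashrc" inode=99 dev=fd:02
type=SYSCALL msg=audit(1326900050.202:502): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=2110 auid=1000 uid=1000 comm="touch" exe="/bin/touch" key="whodeletedit"
type=PATH msg=audit(1326900050.202:502): item=1 name="notes.txt" inode=101 dev=fd:02
type=SYSCALL msg=audit(1326903600.303:503): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=3300 auid=4294967295 uid=0 comm="find" exe="/usr/bin/find" key="whodeletedit"
type=PATH msg=audit(1326903600.303:503): item=0 name="/home/you/.ssh" inode=40 dev=fd:02
type=PATH msg=audit(1326903600.303:503): item=1 name="authorized_keys" inode=41 dev=fd:02
EOF
}

sample_records | who_deleted
```

If the summary stays empty even after you create or delete a file in the watched directory yourself, run `auditctl -l` to confirm the watch is actually loaded; rules written to audit.rules only take effect once the audit service has loaded that file.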