Linux Files – Files Disappearing on Linux Server

Tags: auditd, files, linux

I've got 4 specific files that seem to keep disappearing from a user's home directory. As far as we know, there are no cronjobs or other automated tasks that would be removing them. I've set up auditd on them but the logs aren't really showing anything of interest. I can see our backup utility accessing them every night until the point they aren't there anymore, but nothing else. Is there anything that would be causing those files to be removed that would get around auditd?

The files in question are these:

/home/username/.bashrc
/home/username/.bash_profile

as well as a couple of files in that user's .ssh directory. Copies of these files placed into a subfolder called "keepers" get deleted at the same time as well. Changing the permissions on them to 000 and having them owned by root hasn't helped.

I've currently got inotifywait setup to log create,delete,move on that subfolder, so hopefully that will turn up something, although it doesn't log much aside from when it happened, not what caused it.

Best Answer

Solution 1: systemtap
You can use systemtap to show all PIDs that are trying to use unlink() on the inode of .bashrc and .bash_profile files.

Install systemtap and the debug symbols for your kernel.

Create a file named unlink.stap with the following content:

# Probe both unlink() and unlinkat(): modern rm(1)/unlink(1) call unlinkat(),
# so probing syscall.unlink alone can miss the deletion.
probe syscall.unlink, syscall.unlinkat
{
    # execname/pid/uid identify the caller, name is the syscall hit,
    # argstr shows the syscall arguments (including the path)
    printf ("%s(%d) %s (%s) userID(%d)\n", execname(), pid(), name, argstr, uid())
}

Then run it with sudo stap unlink.stap

Solution 2: inotify
You can also use inotify to see when the file is deleted.

Solution 3: ftrace
Another solution is to use ftrace:

trace-cmd record -e \*unlink\*

Wait for the file to be deleted, press CTRL+C to stop trace-cmd record ..., then run:

trace-cmd report

Solution 4: bpftrace
Install bpftrace, then run:

bpftrace -e 'tracepoint:syscalls:sys_enter_unlink* { printf("%s %s\n", comm, str(args->pathname)); }'
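The one-liner above only prints the command name. The following bpftrace script is an added example, not part of the original answer: it extends Solution 4 to also record the PID, UID, and the parent process, so a deletion performed by a short-lived child of a backup agent, cron job, or login shell can still be attributed. It assumes root and a kernel with BTF (needed for curtask->real_parent).

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the original answer). Assumes root and BTF support.
// Logs every unlink()/unlinkat() system-wide with caller and parent details.
// For unlinkat(), args->pathname may be relative to the dirfd (e.g. rm -r),
// so filter the output with grep rather than in the probe itself.

BEGIN
{
    printf("%-9s %-7s %-7s %-5s %-16s %-16s %s\n",
           "TIME", "PID", "PPID", "UID", "COMM", "PARENT", "PATH");
}

tracepoint:syscalls:sys_enter_unlink,
tracepoint:syscalls:sys_enter_unlinkat
{
    // curtask is the calling task_struct; real_parent is its parent process.
    $parent = curtask->real_parent;
    time("%H:%M:%S  ");
    printf("%-7d %-7d %-5d %-16s %-16s %s\n",
           pid, $parent->tgid, uid, comm, $parent->comm, str(args->pathname));
}
```

Run it with `sudo bpftrace unlink_who.bt | grep -E 'bashrc|bash_profile|\.ssh'` (the file name is an assumption) and leave it running until the files disappear.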