Re: HELP - track deletion of a symbolic link
From: Thomas Vincent (thomasv_at_mac.com)
Date: 06/06/04
- Previous message: Thomas Vincent: "Re: Detecting hacking attempts - what should browsers *not* request?"
- In reply to: Mukesh: "HELP - track deletion of a symbolic link"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 6 Jun 2004 14:05:24 -0700
msabnis1@yahoo.com (Mukesh) wrote in message news:<6678e873.0406030703.661bf71d@posting.google.com>...
> Hello Guys,
>
> I have a symbolic link defined in our Unix system. But it gets deleted
> every week three or more times during the night. Is there any way I can
> log/audit its deletion so that I can find out who is doing it?
>
> I will appreciate your help in this.
>
> Cheers.
Depending on what UNIX you are using, look into enabling C2 logging
capabilities. While the Orange book C2 standard has been replaced by
the Common Criteria set of standards and policies, most vendors will
refer to it as C2 in the manual.
Otherwise you might look into either writing a shell script that
replaces the rm binary and records who is executing the command if you
think it is an actual user or a person.
Another solution is to run a cron job that monitors the symlink and,
when it finds that it has disappeared, captures the ps -ef or -aux
output to see who the likely culprit might be.
If this is a commercial UNIX then you might call support, and they
MIGHT give you a library that could monitor any calls to replace that
symlink.
Cheers,
Tom Vincent
http://www.ipwrangler.com
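
The cron-job approach suggested in the reply above, as an added example that is not part of the original post: a script that records evidence the first time it finds the symlink gone. The script name, link path and output directory are placeholders, and the snapshot only shows what was running when cron fired, so a short-lived process may already have exited.

```shell
#!/bin/sh
# Added example: cron-driven watcher for a symlink (all paths are placeholders).
# Example crontab entry, checking every minute:
#   * * * * * /usr/local/sbin/watch_link.sh /path/to/link /var/log/linkwatch

# check_link LINK OUTDIR
# Returns 0 if the link is present, 1 if it is missing, 2 if OUTDIR is unusable.
# The first run that finds the link missing writes one evidence snapshot.
check_link() {
    link=$1
    outdir=$2
    marker="$outdir/missing.flag"
    mkdir -p "$outdir" || return 2

    # -h tests the link itself, so a dangling link still counts as present.
    if [ -h "$link" ]; then
        # Record owner and target while the link exists, and re-arm the alert.
        ls -l "$link" > "$outdir/last_seen.txt"
        rm -f "$marker"
        return 0
    fi

    # This disappearance was already reported: keep the first snapshot.
    [ -e "$marker" ] && return 1

    snap="$outdir/snapshot.$(date +%Y%m%d%H%M%S)"
    {
        echo "== $link missing at $(date)"
        echo "== parent directory (its mtime bounds the deletion time)"
        ls -ld "$(dirname "$link")"
        echo "== logged-in users"
        who
        echo "== process list"
        ps -ef 2>/dev/null || ps aux
    } > "$snap" 2>&1
    echo "$snap" > "$marker"
    return 1
}

# Run the check when called with the two arguments shown in the crontab line.
if [ "$#" -eq 2 ]; then
    check_link "$1" "$2"
fi
```

Keep the output directory writable only by root so the account removing the link cannot also remove the snapshots.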