Can the timestamp and user+process that performed the file delete be tracked?
I have now set up Solaris auditing and have made the following audit_control, audit_class and audit_event entries:
    $ grep pf /etc/security/audit_control
    flags:pf,fd
    $ grep pf /etc/security/audit_event
    6:AUE_UNLINK:unlink(2):fd,pf
    48:AUE_RMDIR:rmdir(2):fd,pf
    286:AUE_UNLINKAT:unlinkat(2):fd,pf
    6182:AUE_filesystem_delete:delete filesystem:as,pf
    6185:AUE_network_delete:delete network attributes:as,pf
    $ grep pf /etc/security/audit_class
    0x10000000:pf:rems
    $ grep fd /etc/security/audit_class
    0x00000020:fd:file delete
It seems to be able to successfully audit and log most file deletes, but there are some file deletes that it fails to capture. A specific example is deletions performed from a Lavastorm app that we are using. Those are not logged.
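A way to check, from the audit_class(4) and audit_event(4) entries, which events a given audit_control `flags:` line actually preselects. This is an added example and not part of the original question; it folds the class masks the same way the kernel preselection mask is built. The `fd` and `pf` class lines and the first four event lines are the ones quoted above; the `fw` class line and the rename(2) event are constructed sample entries (their masks are assumed, not taken from a real system) so that the output shows an event that `pf,fd` does not select.

```python
"""Compute which Solaris audit events an audit_control 'flags' line selects.

Added example, not code from the original post. The 'fd' and 'pf' classes
and the unlink/rmdir/unlinkat/filesystem_delete events are the entries
quoted in the question; the 'fw' class and the rename(2) event are
constructed sample data for illustration.
"""
from typing import Dict, List, Tuple

# --- constructed sample input (audit_class / audit_event format) ---------
AUDIT_CLASS = """\
# mask:name:description
0x00000020:fd:file delete
0x10000000:pf:rems
0x00000002:fw:file write
"""

AUDIT_EVENT = """\
# number:name:description:classes
6:AUE_UNLINK:unlink(2):fd,pf
48:AUE_RMDIR:rmdir(2):fd,pf
286:AUE_UNLINKAT:unlinkat(2):fd,pf
6182:AUE_filesystem_delete:delete filesystem:as,pf
42:AUE_RENAME:rename(2):fw
"""


def parse_audit_class(text: str) -> Dict[str, int]:
    """Map class name -> bitmask, skipping comments and blank lines."""
    classes: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_audit_event(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (event number, event name, [class names]) per entry."""
    events: List[Tuple[int, str, List[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        num, name, _desc, cls = line.split(":", 3)
        events.append((int(num), name, cls.split(",") if cls else []))
    return events


def flags_to_mask(flags: str, classes: Dict[str, int]) -> int:
    """Fold a comma-separated flags list into one preselection bitmask.

    '+cls' / '-cls' (success-only / failure-only) still select the class
    here; '^cls' removes it; 'all' sets every bit. A class name that is not
    in audit_class contributes no bits, exactly as a typo would.
    """
    mask = 0
    for tok in flags.split(","):
        tok = tok.strip()
        if not tok:
            continue
        negate = tok.startswith("^")
        tok = tok.lstrip("^+-")
        bits = 0xFFFFFFFF if tok == "all" else classes.get(tok, 0)
        mask = (mask & ~bits) if negate else (mask | bits)
    return mask & 0xFFFFFFFF


def selected_events(flags: str, class_text: str, event_text: str) -> Dict[str, bool]:
    """Event name -> True if any of its classes is in the flags mask."""
    classes = parse_audit_class(class_text)
    mask = flags_to_mask(flags, classes)
    result: Dict[str, bool] = {}
    for _num, name, cls in parse_audit_event(event_text):
        ev_mask = 0
        for c in cls:
            ev_mask |= classes.get(c, 0)
        result[name] = bool(ev_mask & mask)
    return result


if __name__ == "__main__":
    for name, sel in selected_events("pf,fd", AUDIT_CLASS, AUDIT_EVENT).items():
        print(f"{name:24s} {'selected' if sel else 'NOT selected'}")
```

The script only models selection from the three files. The kernel applies the preselection mask per process, assigned when the session or process starts, so a long-running application that inherited its mask before the `flags:` line was changed keeps the old mask until it is restarted; that is one thing worth ruling out when a particular program's deletes never show up.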
User contributions licensed under CC BY-SA 3.0