On 4/3/06, Mont Rothstein <mont.rothstein(a)gmail.com> wrote:
What syscall is used by rm? There is one for rmdir, but I can't figure out
how to audit when a file is deleted.
Try:
# touch test
# strace rm test
Toward the bottom of the trace (just before exit_group) you should see the call to unlink() that removes the file.
:-Dustin
[dustin@t41p tmp]$ strace rm test
execve("/bin/rm", ["rm", "test"], [/* 40 vars */]) = 0
brk(0) = 0xa048000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7f09000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=89873, ...}) = 0
old_mmap(NULL, 89873, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef3000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\212\316"..., 512) =
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1485672, ...}) = 0
old_mmap(0xbc8000, 1215452, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xbc8000
old_mmap(0xceb000, 16384, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x123000) = 0xceb000
old_mmap(0xcef000, 7132, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xcef000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7ef2000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ef26c0,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xceb000, 8192, PROT_READ) = 0
mprotect(0xbc4000, 4096, PROT_READ) = 0
munmap(0xb7ef3000, 89873) = 0
brk(0) = 0xa048000
brk(0xa069000) = 0xa069000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=49610336, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7cf2000
close(3) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat64("test", {st_mode=S_IFREG|0664, st_size=8, ...}) = 0
access("test", W_OK) = 0
unlink("test") = 0
exit_group(0) = ?