My thanks to all who replied!
Original Question:
> Sorry but I forgot to indicate that we are also
> logging the mv command if someone tries to rename
> a file then delete it.
> Les
> -----
> We have replaced the original 'rm' command
> with a C pgm that logs all its use every time
> it is invoked (SYSADMIN mag Nov/Dec 94).
>
> A file disappeared and it did not show up in our
> rm log files.
>
> My questions are:
> 1) Can files be deleted without using
> the 'rm' command?
> 2) Is there a way to log these alternate methods?
>
> Thanks,
>
> Lester Mayeda
> Cedars-Sinai Medical Center
> mayeda_at_csmc.edu

Summary of Replies:

Yes, people can delete without using the rm command.
  1) use their own copy of the rm or mv command.
  2) use the unlink call/command in a pgm, script, or system call.

Yes, auditing can be turned on depending on the operating system.
  1) patch the kernel to log low level system calls.
  2) turn on auditing (see O/S Security section).

Thanks again to everyone who replied!
Also many thanks for the sample programs/scripts provided.
Les
Received on Mon Oct 14 1996 - 19:32:08 NZDT