Article ID: 125910, created on Jun 17, 2015, last review on Sep 18, 2015

  • Applies to:
  • Plesk for Linux/Unix


How to determine who or what deletes files on the system, e.g. images from a virtual host root?


An application called auditd can be used to watch files on a file system for a variety of events (access, modification, attribute changes, etc.).

  1. Install the package (yum on RHEL/CentOS, apt-get on Debian/Ubuntu):

    # yum install audit

    # apt-get install auditd
  2. Configure the application:

    # vi /etc/audit/audit.rules
  3. Make sure only the following lines are present:

    -e 1
    -b 8192
    -r 0

    Note: The -e 0|1|2 flag can apparently be treated differently on some systems. It is recommended to test auditd on some file and see if it generates messages with the flag value you specified.

    Note: -e 2 locks the configuration of auditd until server restart. It may not be desirable on production systems.

  4. After that, you can add rules for each individual file manually or automatically:

    Rules look like this (the example shows a watch which will track write access and attribute changes):

    -w /path/to/file.jpg -p wa

    More info on rules: openSUSE docs (valid for any system). To add many files automatically, one can modify and use the following snippet:

    # find /var/www/vhosts/ | grep -i '\.jpg$' | sed 's/^\(.*\)$/-w \1 -p wa/' >> /etc/audit/audit.rules

    Here, the command lists all .jpg files and adds a rule for each individual file to the auditd configuration.

  5. Restart the service to apply the changes:

    # service auditd restart

    Note: Sometimes, auditd will show a warning on restart saying that it does not support relative paths. If you did not add any relative paths to the ruleset, you may ignore this warning (it is incorrectly triggered by .. in file names).

  6. When the issue is reproduced, you can use ausearch to search the logs for info about the missing files (here, a search by part of the file name is performed):

    # ausearch -f .jpg

    Entries like these will be displayed:

    time->Wed Aug 13 09:00:37 2014
    type=PATH msg=audit(1407938437.885:39847): item=1 name="/var/www/vhosts/" inode=1068503 dev=08:11 mode=0100644 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
    type=PATH msg=audit(1407938437.885:39847): item=0 name="/var/www/vhosts/" inode=1068495 dev=08:11 mode=040755 ouid=10171 ogid=504 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
    type=CWD msg=audit(1407938437.885:39847):  cwd="/var/www/vhosts/"
    type=SYSCALL msg=audit(1407938437.885:39847): arch=c000003e syscall=87 success=yes exit=0 a0=7fff0ebebb98 a1=1 a2=2 a3=149a9bc0 items=2 ppid=13614 pid=21200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12918 comm="rm" exe="/bin/rm" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="pics"

    Here, for example, we can see that the command comm="rm" exe="/bin/rm" was executed by uid=0 gid=0 (root user) at 1407938437.885 (Unix time).
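The following example is added here and is not part of the original article. It groups audit records like the ones above by event ID and reports, for each unlink/rmdir event, the removed path, the program, and the uid and auid (login UID) behind it. The sample records are constructed (the example.com paths, users and later events are hypothetical), the syscall numbers cover x86_64 only, and treating the highest-numbered PATH item as the removed file is an assumption based on the entry shown above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

DELETE_SYSCALLS = {"84": "rmdir", "87": "unlink", "263": "unlinkat"}  # x86_64 (arch=c000003e)
RECORD_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): *(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample modelled on the entry above; paths, users and later events are hypothetical.
SAMPLE = """time->Wed Aug 13 09:00:37 2014
type=PATH msg=audit(1407938437.885:39847): item=1 name="logo.jpg" inode=1068503 mode=0100644 ouid=10171
type=PATH msg=audit(1407938437.885:39847): item=0 name="/var/www/vhosts/example.com/img" inode=1068495 mode=040755
type=CWD msg=audit(1407938437.885:39847):  cwd="/var/www/vhosts/example.com/img"
type=SYSCALL msg=audit(1407938437.885:39847): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=21200 auid=0 uid=0 comm="rm" exe="/bin/rm"
time->Wed Aug 13 09:05:02 2014
type=PATH msg=audit(1407938702.120:39911): item=0 name="/var/www/vhosts/example.com/img/a.jpg" inode=1068504 mode=0100644
type=SYSCALL msg=audit(1407938702.120:39911): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=3010 auid=1003 uid=10171 comm="php-cgi" exe="/usr/bin/php-cgi"
time->Wed Aug 13 09:07:41 2014
type=PATH msg=audit(1407938861.004:39950): item=1 name=6D79207069632E6A7067 inode=1068505 mode=0100644
type=PATH msg=audit(1407938861.004:39950): item=0 name="/var/www/vhosts/example.com/img" inode=1068495 mode=040755
type=CWD msg=audit(1407938861.004:39950):  cwd="/var/www/vhosts/example.com/img"
type=SYSCALL msg=audit(1407938861.004:39950): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=3011 auid=1003 uid=10171 comm="php-cgi" exe="/usr/bin/php-cgi"
"""

def decode(value):
    if value.startswith('"'):
        return value[1:-1]  # plain strings are logged in quotes
    try:  # names with spaces or control bytes are logged as bare hex
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null)

def find_deletions(log_text):
    events = defaultdict(dict)  # (timestamp, serial) -> record type -> list of field dicts
    for rtype, ts, serial, body in RECORD_RE.findall(log_text):
        events[(ts, serial)].setdefault(rtype, []).append(dict(FIELD_RE.findall(body)))
    found = []
    for (ts, _serial), ev in events.items():
        sc = ev.get("SYSCALL", [{}])[0]
        paths = sorted(ev.get("PATH", []), key=lambda p: int(p["item"]))
        if sc.get("arch") != "c000003e" or sc.get("syscall") not in DELETE_SYSCALLS or not paths:
            continue  # not a removal (e.g. syscall 90, chmod, also matches a "-p wa" watch)
        # Assumption: highest-numbered PATH item is the removed entry, item 0 its parent directory.
        name = decode(paths[-1]["name"])
        if not name.startswith("/"):  # relative names are resolved against the CWD record
            name = decode(ev.get("CWD", [{"cwd": '"/"'}])[0]["cwd"]).rstrip("/") + "/" + name
        when = datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(timespec="seconds")
        found.append({"when": when, "path": name, "syscall": DELETE_SYSCALLS[sc["syscall"]],
                      "exe": decode(sc["exe"]), "uid": sc["uid"], "auid": sc["auid"]})
    return found
```

Pass the text printed by ausearch (or the raw audit log) to find_deletions(). When uid is a service account, auid shows which login session the process came from.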

Note: auditd does NOT support recursive monitoring of a directory. Specifying a directory as the target will place a watch on the directory itself as opposed to all its contents. Modify and use the automatic command from step 4 instead.

More information on auditd, auditctl.
