Files start coming up missing for me on a server and I get freaked out looking for security holes, but sometimes users and other utilities are spiking the bunch bowl. You can get serious with watching files with other utilities, but I went back to good ole auditd.
A simple test to track stuff getting trashed from an upload folder:
[code]auditctl -w /site-dir/wp-content/uploads/ -p wa -k upload_issue[/code]
A capital W will remove the rule:
[code]auditctl -W /site-dir/wp-content/uploads/ -p wa -k upload_issue[/code]
Do a quick search for issues with ausearch.
[code]ausearch -f wp-content/uploads[/code]
Now permanently add the rule on a redhat system by putting this line in /etc/audit/audit.rules. Just leave off the auditctl command.
[code] -w /site-dir/wp-content/uploads/ -p wa -k upload_issue[/code]
Of course you need to make sure your auditd process is running and using chkconfig, etc. Good ole check status like:
Here are a few of the resources I used:
Please forgive the RedHat auth-walls…