Hi
No update ? That's odd.
Some thoughts.
You could make the file immutable but that may cause you problems when ldap is updated.
Code:
sudo chattr +i /etc/ldap/ldap.conf
I think what i would personally look into is the package auditd. Try to work out which process and user is deleting the file (as something obviously is).
Code:
sudo apt-get install auditd
Set up a syscall watch along the lines of (this is an example only)
Code:
sudo auditctl -a exit,always -Farch=b64 -S unlink -S unlinkat -k "file-deleted"
Change arch=b64 to arch=b32 if you are using 32bit, or add both rules for a mixed environment.
This will log *all* deleted files.
After the file has been deleted, use ausearch to find out what happened to that file (someting along the lines of..).
Code:
sudo ausearch -k file-deleted -f ldap.conf
You'll need to do some reading up on auditd as it's pretty powerful, has many options and i may have got the instructions above wrong. It's been ages since i looked into auditd so please make sure you read up yourself.
Please post back on how you get on.
Kind regards
Bookmarks