Cannot delete audit logs with sudo

5,100

Filename expansion is the cause of the problem.

The shell is expanding /var/log/audit/* as your current, non-root user.

As that user doesn't have read/exec access to /var/log/audit, rm is getting passed, instead of a list of files to delete that are all in that directory, the literal string

/var/log/audit/*

rm is correct - there IS no file named "*" in /var/log/audit - so it can't delete it.

Try this:

sudo 'rm /var/log/audit/*'

or maybe:

sudo sh -c 'rm /var/log/audit/*'
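
The behaviour described in the answer can be reproduced without root. This is an added example, not part of the original answer: `fake_sudo`, `show_argv` and the temporary directory are constructed stand-ins for sudo and /var/log/audit. Run it as a non-root user, since root bypasses directory permissions.

```shell
#!/bin/sh
# Constructed stand-in for /var/log/audit: a directory the caller cannot list.
demo=$(mktemp -d)
mkdir "$demo/audit"
touch "$demo/audit/audit.log" "$demo/audit/audit.log.1"
chmod 000 "$demo/audit"
trap 'chmod 700 "$demo/audit"; rm -rf "$demo"' EXIT

# Hypothetical stand-in for sudo: access exists only while the command runs.
fake_sudo() {
    chmod 700 "$demo/audit"
    "$@"
    rc=$?
    chmod 000 "$demo/audit"
    return "$rc"
}

# Prints one line per argument received, so the argv is visible.
show_argv() {
    for arg in "$@"; do printf '%s\n' "$arg"; done
}

# Case 1: the calling shell expands the glob before fake_sudo starts.
# It cannot list the directory, so the pattern is passed through unchanged.
outer_expansion() {
    fake_sudo show_argv "$demo"/audit/*
}

# Case 2: the pattern is quoted, so the inner shell expands it while access
# is granted. This is the effect of the sudo sh -c '...' form.
inner_expansion() {
    fake_sudo sh -c 'for f in "$1"/audit/*; do printf "%s\n" "$f"; done' sh "$demo"
}

echo "argv with expansion by the calling shell:"
outer_expansion
echo "argv with expansion inside the privileged shell:"
inner_expansion
```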

Author: Franz Payer

Updated on September 18, 2022

Comments

  • Franz Payer over 1 year

    I am using auditctl to log all commands run on my Ubuntu system and I am working on a script that parses the log into a more readable format. Since these logs tend to become very large, I want to periodically delete the logs. I found that by running

    sudo rm /var/log/audit/*
    

    I would get

    rm: cannot remove `/var/log/audit/*': No such file or directory
    

    however by running

    sudo su
    rm /var/log/audit/*
    

    The logs would be deleted without any problem. What could be the cause of this?