Cannot delete audit logs with sudo
Filename expansion is the cause of the problem.
The shell is expanding /var/log/audit/* as your current, non-root user.
As that user doesn't have read/exec access to /var/log/audit, rm is getting passed, instead of a list of files to delete that are all in that directory, the literal string
/var/log/audit/*
rm is correct - there IS no file named "*" in /var/log/audit - so it can't delete it.
Try this:
sudo 'rm /var/log/audit/*'
or maybe:
sudo sh -c 'rm /var/log/audit/*'
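The behaviour described in this answer, as an added example that is not part of the original answer: it reports what a command receives for a directory glob depending on which shell expands the pattern. The function names and the temporary sandbox (with "audit" standing in for /var/log/audit) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Sandbox paths and file names are constructed for the demo;
# "audit" stands in for /var/log/audit.

# Report what a command would receive for "$dir"/* when THIS shell expands it:
# "expanded:N" for N matches, "literal" if the pattern was passed through as-is.
glob_result() {
    dir=$1
    set -- "$dir"/*
    if [ "$#" -eq 1 ] && [ "$1" = "$dir/*" ] && [ ! -e "$1" ]; then
        echo literal
    else
        echo "expanded:$#"
    fi
}

# Same pattern, but it sits inside the script text handed to a child shell,
# so the child expands it (the shape of: sudo sh -c 'rm /var/log/audit/*').
glob_in_child() {
    sh -c 'set -- "$1"/*; echo "expanded:$#"' sh "$1"
}

# Create <tmp>/audit with two files; "locked" strips all permission bits so a
# non-root caller can no longer list the directory.
make_sandbox() {
    base=$(mktemp -d) || return 1
    mkdir "$base/audit"
    : > "$base/audit/audit.log"
    : > "$base/audit/audit.log.1"
    if [ "$1" = locked ]; then chmod 000 "$base/audit"; fi
    echo "$base"
}

drop_sandbox() {
    chmod 700 "$1/audit"
    rm -rf -- "$1"
}

demo() {
    open=$(make_sandbox open)
    locked=$(make_sandbox locked)
    echo "caller can list dir:     $(glob_result "$open/audit")"
    # Prints "literal" for a normal user; root ignores the mode bits and expands.
    echo "caller cannot list dir:  $(glob_result "$locked/audit")"
    echo "pattern given to child:  $(glob_in_child "$open/audit")"
    drop_sandbox "$open"
    drop_sandbox "$locked"
}
demo
```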
Author by
Franz Payer
Updated on September 18, 2022
Comments
- Franz Payer over 1 year
I am using auditctl to log all commands run on my Ubuntu system and I am working on a script that parses the log into a more readable format. Since these logs tend to become very large, I want to periodically delete the logs. I found that by running
sudo rm /var/log/audit/*
I would get
rm: cannot remove `/var/log/audit/*': No such file or directory
however by running
sudo su rm /var/log/audit/*
The logs would be deleted without any problem. What could be the cause of this?