Log for deleted files

You could also create a wrapper script. And replace /bin/rm with it. So that if a user
on the system run 'rm' to remove files, the entry would be written to a log file of you
choice. The following is a quick hack.

#!/bin/bash
PS=/bin/ps
PS_OPTIONS=" -p $$ -o uid=EffectiveUser,user,ruid=RealUserName,ruser,args,uid"
ECHO=/bin/echo
RM=/bin/rm.real # The real rm(1) command.
LOGFILE=/tmp/hold
${PS} ${PS_OPTIONS} >> ${LOGFILE} 
${RM} ${1}

$ rm testfile1
$ cat /tmp/hold
EffectiveUser USER RealUserName RUSER ARGS UID
 501 andya 501 andya /bin/bash rm testfile1 501

Not built-into the OS. Check in the Unix forum under OS X Technologies for constructing a script you can make to do this. Do note however that you'd probably run out of time perusing it, so why bother? Sounds too much like a Big Brother thing.

Good luck, then.

Have a look at the Common Criteria Tools and the auditing discussed starting on [page 370 here|http://images.apple.com/server/macosx/docs/ServerSecurity_Configv10.6.pdf], and the auditing chapter starting on [page 57 here|https://ssl.apple.com/support/security/commoncriteria/CommonCriteriaAdminG uide.pdf], and have a look at the auditing and audit_class man pages. (For practical purposes, delete access is the same as write access; write and overwrite and delete aren't particularly different.)

That would only log invocations of rm in a shell, and then only by the first user to invoke it, unless the log file were created in advance with suitable permissions. There are other ways to delete a file, including a really strange one that I use occasionally: moving it to the Trash in the Finder and emptying. But I may be the only person who does such weird things.

Another strange thing that a person could do would be to add a folder action to the Trash to log items added or removed - not that I have ever done anything like that, though.