Files disappearing on linux server

Solution 1:

Solution 1: systemtap
You can use systemtap to show all PIDs that are trying to use unlink() on the inode of .bashrc and .bash_profile files.

Install systemtap and the debug symbols for your kernel.

Create a file with name unlink.stap with the following content:

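# Fire on unlink() and unlinkat(); rm on current systems calls unlinkat().
probe syscall.unlink, syscall.unlinkat
{
    # name is the syscall that fired; argstr holds its arguments, including the path
    printf ("%s(%d) %s (%s) userID(%d)\n", execname(), pid(), name, argstr, uid())
}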

Then run it with sudo stap unlink.stap

Solution 2: inotify
You can also use inotify to see when the file is deleted.

Solution 3: ftrace
Another solution is to use ftrace:

trace-cmd record -e \*unlink\*

Wait for the file to be deleted, press CTRL+C to stop trace-cmd record ..., then run:

trace-cmd report

Solution 4: bpftrace
Install bpftrace, then run:

bpftrace -e 'tracepoint:syscalls:sys_enter_unlink* { printf("%s %s\n", comm, str(args->pathname)); }'
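
An added example (not part of the original answer) for the inotify option above: a Linux-only Python watcher that reports when .bashrc or .bash_profile is unlinked or renamed out of a home directory. inotify events carry no PID, so this gives the time of the removal, to be correlated with the tracing output from the other options. The function names, the `trigger` test hook and the directory argument are assumptions of this example.

```python
import ctypes, os, select, struct, sys, time

IN_MOVED_FROM = 0x00000040   # entry renamed out of the watched directory
IN_DELETE = 0x00000200       # entry unlinked from the watched directory
EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

_libc = ctypes.CDLL(None, use_errno=True)  # Linux only: inotify lives in libc

def parse_events(buf):
    """Decode a raw inotify read() buffer into (mask, name) tuples."""
    events, off = [], 0
    while off + EVENT_HDR.size <= len(buf):
        _wd, mask, _cookie, name_len = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        raw = buf[off:off + name_len]          # NUL-padded file name
        events.append((mask, raw.split(b"\0", 1)[0].decode(errors="replace")))
        off += name_len
    return events

def watch_removals(directory, names, idle_timeout=None, trigger=None):
    """Collect (kind, name) for watched names removed from directory.

    Watching the directory, not the file, keeps the watch alive when the file
    is recreated. Returns once no event arrives for idle_timeout seconds
    (None = block until interrupted). trigger is a hook used for testing.
    """
    fd = _libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    try:
        if _libc.inotify_add_watch(fd, os.fsencode(directory),
                                   IN_DELETE | IN_MOVED_FROM) < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
        if trigger:
            trigger()
        seen = []
        while select.select([fd], [], [], idle_timeout)[0]:
            for mask, name in parse_events(os.read(fd, 4096)):
                if name in names:
                    kind = "DELETE" if mask & IN_DELETE else "MOVED_FROM"
                    seen.append((kind, name))
                    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
                    print(stamp, kind, os.path.join(directory, name), flush=True)
        return seen
    finally:
        os.close(fd)

if __name__ == "__main__":
    watch_removals(sys.argv[1], {".bashrc", ".bash_profile"})
```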

Solution 2:

In addition to micea's answer, you can chattr +i the files as root and see if anything logs an error when trying to remove them.


Solution 3:

Are you absolutely sure the user himself is not (accidentally) deleting them?

I had some clueless (Windows) users with the same problem. Turned out that they deleted those files themselves every time they visited their home-dir with an FTP client. They noticed the .xxxx files (the FTP client didn't hide them) and removed the "clutter".

It never occurred to me they did it to themselves until one of them complained about the spontaneously re-appearing files he had deleted several days before.


Solution 4:

We use bash logout scripts (~/.bash_logout) to clean out certain files upon logout - you might check to see if you have that setup, perhaps with a fat-fingered glob in it.


Solution 5:

This seems more like an intruder who is doing a find /home/user -name filename -exec rm -f {} \; after all his sneaking :). Just guessing, because you mentioned that the backup files are also getting deleted.