Potential updates issue on openSUSE 12.3 and 13.2

Greetings,

I had an openSUSE 12.3 LAMP server that this past weekend started deleting user folders in the /home directory, or portions of them. I initially thought the system was hacked, till I decided to wipe it out and rebuild the system using openSUSE 13.2. Now the new install is doing the same thing. The only thing I now can figure is that maybe an update may be doing this. This machine is running as a guest VM on an openSUSE 13.2 Xen host. The host has 2 updates outstanding, and is not exhibiting the symptoms the guests have.

The outstanding updates are a security patch for flash-player, and a recommended update for subversion.

Not sure it’s related, but shared nonetheless.

Any help would be greatly appreciated.

Wil

Not sure I can help other than to say an update does not and should not touch your home. LAMP is pretty complex; are you sure that you are fully locked down? I assume that it is the home in the VM, not the host, that is seeing the problem.

Your assumption is correct, it is the /home in the guest and not the host thus far. I am primarily only using apache2. I agree nothing should touch home, but I’m having a hard time accounting it to anything else.

Wil

How busy is your /home?

You could install audit, start it, configure a suitable rule to watch /home and later on view it.

For example:


zypper in -y audit
systemctl start auditd
auditctl -w /home -p w -k snoopevilguys
auditctl -l

And it would log ALL writes, changes etc. to /home for all users. Note, rules do not survive restart of auditd nor reboot - for permanent rules, you need to add them to /etc/audit/audit.rules

ausearch -i -k snoopevilguys would print these out.

Be warned: if you have a busy system that logfile would be very large. Please read the openSUSE docs regarding audit before you use it though - lots of great documentation online too.
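As an added example (not part of the original post): on a busy /home the audit trail is easier to triage if only the deletions are pulled out and attributed to an executable and user. The sketch below assumes raw records as produced by `ausearch --raw -k snoopevilguys` and a kernel that writes `nametype=` in PATH records; the function names and the sample records are constructed for illustration.

```python
import os
import re

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes safe strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null)

def deletions(raw_log, key):
    """Return (event id, exe, auid, uid, absolute path) per deleted item in events tagged key."""
    events = {}
    for line in raw_log.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"paths": []})  # records of one event share an id
        f = dict(FIELD.findall(line))
        if f.get("type") == "SYSCALL":
            ev.update(key=decode(f.get("key", "")), exe=decode(f["exe"]),
                      auid=f["auid"], uid=f["uid"])
        elif f.get("type") == "CWD":
            ev["cwd"] = decode(f["cwd"])
        elif f.get("type") == "PATH" and f.get("nametype") == "DELETE":
            ev["paths"].append(decode(f["name"]))
    return [(eid, ev["exe"], ev["auid"], ev["uid"],
             os.path.normpath(os.path.join(ev.get("cwd", "/"), p)))  # relative names resolve against CWD
            for eid, ev in events.items() if ev.get("key") == key
            for p in ev["paths"]]

# Constructed sample records, trimmed to the fields used here.
SAMPLE = """\
type=SYSCALL msg=audit(1423500000.101:210): syscall=263 success=yes auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="snoopevilguys"
type=CWD msg=audit(1423500000.101:210): cwd="/home/wil"
type=PATH msg=audit(1423500000.101:210): item=0 name="/home/wil" nametype=PARENT
type=PATH msg=audit(1423500000.101:210): item=1 name="notes.txt" nametype=DELETE
type=SYSCALL msg=audit(1423500060.007:215): syscall=263 success=yes auid=4294967295 uid=0 comm="find" exe="/usr/bin/find" key="snoopevilguys"
type=CWD msg=audit(1423500060.007:215): cwd="/"
type=PATH msg=audit(1423500060.007:215): item=1 name=2F686F6D652F77696C2F6D792066696C652E747874 nametype=DELETE
"""

if __name__ == "__main__":
    print(*deletions(SAMPLE, "snoopevilguys"), sep="\n")
```

In the output, `auid` is the login that started the session (4294967295 means no login session, such as a daemon or scheduled job), while `uid` is the identity the process ran as.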

I gave this a whirl, just to see what I could see. I think part of the problem was that I was root when the files were copied into the folder, which meant the files were owned and grouped as root. Although I saw it delete files created by the user on this last rebuild. Go figure!

Thanks for the help.

Wil