Environment
- Red Hat Enterprise Linux (RHEL)
- 4
- 5
- 6
- 7
Issue
- How to monitor the permission change and ownership change of a particular directory or file?
- How to configure auditd to find how a file was modified in Red Hat Enterprise Linux?
- What tool can audit files at a directory level?
- How do I monitor files or directories using auditd in Red Hat Enterprise Linux?
- How do I monitor a file or directory to see which user or program has accessed or modified data?
Resolution
- The Linux Audit system (audit package) can be used to accomplish this task.
- Ensure the auditd service is running, and set it to start on boot with chkconfig auditd on.
- Set a watch on the required file to be monitored by using the auditctl command:
# auditctl -w /etc/hosts -p war -k monitor-hosts
- where:
auditctl is the command used to add rules to the kernel's audit rule set.
-w inserts a watch for the file system object at the given path, i.e. /etc/hosts in this example.
-p sets the permissions filter for a file system watch. The permissions are any combination of the following:
r – read of the file
w – write to the file
x – execute the file
a – change in the file's attributes (ownership, mode, extended attributes and timestamps; this is the letter that catches chmod and chown)
-k sets a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule.
Note: Rules added with auditctl live only in the running kernel. In order for this rule to persist after a reboot, the same rule (without the auditctl prefix) must be added to the relevant rule file:
-w /etc/hosts -p war -k monitor-hosts
The rule files are:
RHEL 4: /etc/audit.rules
RHEL 5: /etc/audit/audit.rules
RHEL 6: /etc/audit/audit.rules
RHEL 7: /etc/audit/rules.d/audit.rules (the files under /etc/audit/rules.d/ are merged into /etc/audit/audit.rules by augenrules when the service starts)
- Please see the man pages for "auditctl" and "audit.rules" for further information on syntax and switches.
- The auditd service must be restarted after any changes are made; also ensure that it is set to run on boot.
# service auditd restart
# chkconfig --list auditd
# chkconfig auditd on
On RHEL 7 use service auditd restart rather than systemctl restart auditd (the auditd unit refuses manual stop and restart), and enable it on boot with systemctl enable auditd.
- In this example, a watch is placed on the /etc/hosts file for any syscalls which perform a write, read, or attribute change (-p war). This is logged with the key monitor-hosts. This key can be used to search through the audit logs to find these actions, using the ausearch command:
# ausearch -ts today -k monitor-hosts
----
time->Sat Feb 3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
- From this trace, it can be seen that the file /etc/hosts was edited using the /usr/bin/vim command (the exe and comm fields of the SYSCALL record). The user that ran the command was root on tty pts0: auid=0 is the login UID, which is set at login and survives su and sudo, so it identifies the person who logged in even when uid and euid show a different identity. The command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 SELinux context, and the PATH record gives the file's inode, mode and owner at the time of the event. The epoch timestamp in msg=audit(1170451940.872:34) can also be converted into readable form (in the local time zone):
# date -d @1170451940
Sat Feb 3 05:32:20 CST 2007
- Specifying -i to ausearch also interprets numeric entities (uids, syscall numbers, architectures) into text, making the logs more readable.
- You can search for an event based on the given key string:
# ausearch -k monitor-hosts
- You can also generate a report about the audit rule keys by running:
# aureport -k
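The following Python script is an added example, not part of this Red Hat article or of the audit package, and ties the two halves of the resolution together: watch_rule() builds the persistent audit.rules line for a watch (rejecting -p letters outside r, w, x, a and keys longer than the 31-byte limit described above), and summarize() reads raw audit.log records like the ausearch output shown earlier, groups the SYSCALL, CWD and PATH lines by their serial number, and reports who touched the file, from which program and tty, with the epoch stamp rendered in UTC. The function names and the SAMPLE_LOG constant are this example's own; the three sample records are the ones printed in the article, pasted here as constructed input.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: the three records from the ausearch output in the
# article, in the raw one-record-per-line form used by /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
"""

# Every record of one event carries the same msg=audit(<epoch>.<ms>:<serial>) stamp.
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

VALID_PERMS = set("rwxa")
MAX_KEY_LEN = 31  # limit documented for auditctl -k


def watch_rule(path, perms, key):
    """Build the audit.rules line for a file-system watch, refusing values auditctl would reject."""
    if not path.startswith("/"):
        raise ValueError("watch path must be absolute: %r" % path)
    if not perms or set(perms) - VALID_PERMS:
        raise ValueError("permissions must be a non-empty subset of r, w, x, a: %r" % perms)
    if len(key.encode()) > MAX_KEY_LEN:
        raise ValueError("key longer than %d bytes: %r" % (MAX_KEY_LEN, key))
    return "-w %s -p %s -k %s" % (path, perms, key)


def parse_record(line):
    """Split one audit.log line into its type, epoch time, serial and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, _msecs, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": int(secs), "serial": int(serial), "fields": fields}


def group_events(text):
    """Group records by serial so the SYSCALL, CWD and PATH lines of an event are read together."""
    events = defaultdict(lambda: {"time": None, "records": defaultdict(list)})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            ev = events[rec["serial"]]
            ev["time"] = rec["time"]
            ev["records"][rec["type"]].append(rec["fields"])
    return events


def summarize(text, key):
    """Return one dict per event tagged with `key`: who touched which file, from where."""
    results = []
    for serial, ev in sorted(group_events(text).items()):
        syscalls = ev["records"].get("SYSCALL")
        if not syscalls or syscalls[0].get("key") != key:
            continue
        sc = syscalls[0]
        results.append({
            "serial": serial,
            # ausearch and date -d print local time; the epoch is rendered in UTC here.
            "time_utc": datetime.fromtimestamp(ev["time"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "files": [p["name"] for p in ev["records"].get("PATH", []) if "name" in p],
            "cwd": (ev["records"].get("CWD") or [{}])[0].get("cwd"),
            "exe": sc.get("exe"),
            "comm": sc.get("comm"),
            # auid is the login UID: it survives su/sudo, so it names the person
            # even when uid/euid say root. A mismatch means the user switched identity.
            "auid": sc.get("auid"),
            "uid": sc.get("uid"),
            "switched_user": sc.get("auid") is not None and sc.get("auid") != sc.get("uid"),
            "tty": sc.get("tty"),
            "success": sc.get("success") == "yes",
            "selinux": sc.get("subj"),
        })
    return results


if __name__ == "__main__":
    print(watch_rule("/etc/hosts", "war", "monitor-hosts"))
    for ev in summarize(SAMPLE_LOG, "monitor-hosts"):
        print("%s serial=%d %s by auid=%s (uid=%s) via %s on %s -> %s" % (
            ev["time_utc"], ev["serial"], "OK" if ev["success"] else "FAILED",
            ev["auid"], ev["uid"], ev["exe"], ev["tty"], ", ".join(ev["files"])))
```

Feed it a real log with summarize(open("/var/log/audit/audit.log").read(), "monitor-hosts"); the script only reads text, so it can run on a copy of the log on another host. Resolving numeric uids and syscall numbers to names is left to ausearch -i, which has the host's passwd and syscall tables at hand.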