- Red Hat Enterprise Linux (RHEL)
- How to monitor the permission change and ownership change of a particular directory or file?
- How to configure auditd to find how a file was modified in Red Hat Enterprise Linux?
- What tool can audit files at a directory level?
- How do I monitor files or directories using auditd in Red Hat Enterprise Linux?
- How do I monitor a file or directory to see which user or program has accessed or modified data?
- The Linux Audit system (audit package) can be used to accomplish this task.
- Ensure the auditd service is running, and set it to start on boot with:
# chkconfig auditd on
- Set a watch on the file to be monitored by using the auditctl command:
# auditctl -w /etc/hosts -p war -k monitor-hosts
- auditctl is the command used to add entries to the audit database.
- -w inserts a watch for the file system object at the given path (here /etc/hosts).
- -p sets the permissions filter for a file system watch. The permissions are any combination of the following:
  r – read of the file
  w – write to the file
  x – execute of the file
  a – change in the file's attributes
- -k sets a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can be used to uniquely identify the audit records produced by a rule.
- Note: In order for these rules to persist after a reboot, the rule below must be added to the rules file for the release in use:
-w /etc/hosts -p war -k monitor-hosts
  RHEL 4: /etc/audit.rules
  RHEL 5: /etc/audit/audit.rules
  RHEL 6: /etc/audit/audit.rules
  RHEL 7: /etc/audit/rules.d/audit.rules
- Please see the man pages for "auditctl" and "audit.rules" for further information on syntax and switches.
- The auditd service must be restarted after any changes are made; also ensure that it is set to run on boot:
# service auditd restart
# chkconfig --list auditd
# chkconfig auditd on
- In this example, a watch is placed on the /etc/hosts file for any syscalls which perform a write, read, or attribute change (-p war). This is logged with the key monitor-hosts. This key can be used to search through the audit logs to find these actions, using the ausearch command:
# ausearch -ts today -k monitor-hosts
----
time->Sat Feb 3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
- From this trace, it can be seen that the file /etc/hosts was edited using the /usr/bin/vim command. The user that ran the command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 SELinux context. The timestamp (the first number inside msg=audit(...)) can also be converted into readable form:
# date -d @1170451940
Sat Feb 3 05:32:20 CST 2007
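As an added example that is not part of the original article, the following POSIX shell script pulls the fields a responder actually wants out of an ausearch event like the one above: when it happened, which login (auid) and effective uid did it, which program ran, which file was touched, and under which key. The sample records are constructed by copying the trace shown here; the function names (audit_field, audit_epoch, audit_summary) are illustrative and not part of auditd. The script deliberately reports auid alongside uid: auid is the login uid the audit system assigns at login and keeps across su and sudo, so when the two differ the record shows a privilege change rather than a direct root login.

```shell
#!/bin/sh
# Added example: summarise one audit event of the kind ausearch prints for the
# monitor-hosts watch. Function names are illustrative, not part of auditd.

# Constructed sample: the three records ausearch shows for a single event (they
# share the same audit(SECONDS.MS:SERIAL) stamp), copied from the trace in the article.
SAMPLE_AUDIT_RECORDS='type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"'

# audit_field RECORDS NAME: value of the first NAME=value token, quotes stripped.
# Tokens are whitespace separated, so "uid" does not match "auid" or "euid".
audit_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                if (substr($i, 1, n - 1) == want) {
                    v = substr($i, n + 1)
                    gsub(/"/, "", v)
                    print v
                    exit
                }
            }
        }'
}

# audit_epoch RECORDS: the epoch seconds inside msg=audit(SECONDS.MS:SERIAL):
audit_epoch() {
    m=$(audit_field "$1" msg)   # e.g. audit(1170451940.872:34):
    m=${m#audit}                # drop the literal "audit"
    m=${m#?}                    # drop the opening parenthesis
    printf '%s\n' "${m%%.*}"    # keep the seconds before the first dot
}

# audit_summary RECORDS: one line with when, who (auid vs uid), what ran,
# which file, and the rule key. auid is the login uid kept across su/sudo;
# uid is the identity in effect for the syscall, so a mismatch means a
# privilege change happened between login and the write.
audit_summary() {
    epoch=$(audit_epoch "$1")
    when=$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null || printf '@%s' "$epoch")
    printf '%s auid=%s uid=%s exe=%s comm=%s file=%s key=%s\n' \
        "$when" \
        "$(audit_field "$1" auid)" "$(audit_field "$1" uid)" \
        "$(audit_field "$1" exe)"  "$(audit_field "$1" comm)" \
        "$(audit_field "$1" name)" "$(audit_field "$1" key)"
}

audit_summary "$SAMPLE_AUDIT_RECORDS"
```

Run it as-is to see the one-line summary for the sample event; to use it on a live system, feed it the output of `ausearch -k monitor-hosts` one event at a time (events are separated by the `----` lines). The field extraction is token-based rather than a regular expression over the whole line so that `uid=` cannot accidentally match inside `auid=`, `euid=` or `fsuid=`.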
- ausearch also has an option to interpret numeric fields (such as uids and syscall numbers) into text, making the logs more readable.
- You can search for an event based on the given key string:
# ausearch -k monitor-hosts
- You can also generate a report about the audit rule keys by running:
# aureport -k