How to audit file events such as read / write etc? How can you use audit to see who changed a file in Linux?

Linux Auditing Howto. By Syed Asim Abbas
Date: 15-02-2009

asimabbas31@gmail.com




Installation
-----------
[root@power tmp]# yum install audit

Loaded plugins: refresh-packagekit
Setting up Install Process
Resolving Dependencies
--> Running transaction check


Start the service
[root@power tmp]# service auditd start
Starting auditd:                                           [  OK  ]

[root@power tmp]# tail /var/log/audit/audit.log
type=SYSCALL msg=audit(1266218420.349:82): arch=40000003 syscall=5 success=yes exit=3 a0=8223f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4782 pid=4787 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="auditd" exe="/bin/bash" key="password-file"
type=CWD msg=audit(1266218420.349:82):  cwd="/"
type=PATH msg=audit(1266218420.349:82): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CONFIG_CHANGE msg=audit(1266218420.478:83): auid=0 ses=1 op=remove rule key="password-file" list=4 res=1
type=CONFIG_CHANGE msg=audit(1266218420.478:84): auid=0 ses=1 op=remove rule key="Test-File" list=4 res=1
type=CONFIG_CHANGE msg=audit(1266218420.479:85): audit_backlog_limit=320 old=320 auid=0 ses=1 res=1
type=DAEMON_END msg=audit(1266218426.492:8804): auditd normal halt, sending auid=? pid=? subj=? res=success
type=DAEMON_START msg=audit(1266218428.846:6213): auditd start, ver=1.7.12 format=raw kernel=2.6.29.4-167.fc11.i686.PAE auid=0 pid=4826 res=success
type=CONFIG_CHANGE msg=audit(1266218428.956:88): audit_enabled=1 old=1 auid=0 ses=1 res=1
type=CONFIG_CHANGE msg=audit(1266218428.957:89): audit_backlog_limit=320 old=320 auid=0 ses=1 res=1





Enable auditing for a specific file.
--------------------------------


[root@power tmp]# auditctl -w /etc/passwd -p war -k password-file

* -w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file /etc/passwd.
* -p war : Set the permissions filter for the watch. It can be r for read, w for write, x for execute, a for attribute change (owner, mode, timestamps and similar; a does not mean append). With war, reads, writes and attribute changes are logged, executions are not.
* -k password-file : Set a filter key on the watch. A key is a string of up to 31 bytes that tags every audit record the watch produces, so you can pick those records out later with ausearch -k password-file.

Rules loaded with auditctl live only in the running kernel and are gone after a reboot. Put the same line (without the auditctl prefix) in /etc/audit/audit.rules so auditd loads it at start, and check what is currently loaded with auditctl -l.


Now check that auditing is working. Run:

[root@power tmp]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash




[root@power ~]# tail -f /var/log/audit/audit.log


type=SYSCALL msg=audit(1266218686.568:91): arch=40000003 syscall=5 success=yes exit=3 a0=bf9ce50d a1=8000 a2=0 a3=bf9cd46c items=1 ppid=4639 pid=4867 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="cat" exe="/bin/cat" key="password-file"
type=CWD msg=audit(1266218686.568:91):  cwd="/tmp"
type=PATH msg=audit(1266218686.568:91): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00


Or open the file in an editor:

vi /etc/passwd



[root@power ~]# tail -f /var/log/audit/audit.log




type=SYSCALL msg=audit(1266218832.550:95): arch=40000003 syscall=5 success=yes exit=3 a0=9673f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:95):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:95): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266218832.550:96): arch=40000003 syscall=5 success=yes exit=3 a0=9365828 a1=8000 a2=0 a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:96):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:96): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266218832.550:97): arch=40000003 syscall=85 success=no exit=-22 a0=bfcece6c a1=bfcede6c a2=fff a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:97):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:97): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00

A few things to notice in these records. Every record of one event carries the same audit(<epoch>:<serial>) stamp, so the SYSCALL, CWD and PATH lines are joined on it. auid is the login uid, set by pam_loginuid at login and kept across su and sudo, so it names the person behind the action even when uid=0. The syscall field is a number that depends on arch (40000003 is i386): 5 is open() and 85 is readlink(), which vi issues to check whether the target is a symlink; success=no exit=-22 is EINVAL, returned because /etc/passwd is a regular file and not a link. ausearch -i prints all of these fields in human-readable form.

----




[root@power ~]# ausearch -f /etc/passwd
----
time->Mon Feb 15 12:09:17 2010
type=PATH msg=audit(1266217757.230:40): item=0 name="/etc/passwd" inode=663089 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1266217757.230:40):  cwd="/home/abbas"
type=SYSCALL msg=audit(1266217757.230:40): arch=40000003 syscall=5 success=yes exit=3 a0=9c3d7e8 a1=8000 a2=0 a3=1 items=1 ppid=4639 pid=4669 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
----
time->Mon Feb 15 12:09:17 2010
type=PATH msg=audit(1266217757.230:39): item=0 name="/etc/passwd" inode=663089 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1266217757.230:39):  cwd="/home/abbas"
type=SYSCALL msg=audit(1266217757.230:39): arch=40000003 syscall=5 success=yes exit=3 a0=1273f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4669 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
----

ausearch -f searches by file name, whatever key the rule had; ausearch -k password-file searches by key, and -i interprets uids, syscall numbers and timestamps. Note that the inode in these earlier hits (663089) differs from the one in the later records (663090), so /etc/passwd was replaced between them; the watch is on the path, not the inode, so it keeps following the file.


aureport

aureport is a tool that produces summary reports from the audit logs. Without options it prints the overall summary below; aureport -f reports per file, aureport -k per key, and -i interprets numeric fields such as uids and syscall numbers.

[root@power ~]# aureport

Summary Report
======================
Range of time in logs: 12/18/2009 10:54:25.260 - 02/17/2010 10:01:01.315
Selected time for report: 12/18/2009 10:54:25 - 02/17/2010 10:01:01.315
Number of changes in configuration: 68
Number of changes to accounts, groups, or roles: 10
Number of logins: 65
Number of failed logins: 95
Number of authentications: 87
Number of failed authentications: 90
Number of users: 2
Number of terminals: 18
Number of host names: 4
Number of executables: 35
Number of files: 6
Number of AVC's: 1
Number of MAC events: 4
Number of failed syscalls: 5
Number of anomaly events: 236
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 832
Number of events: 3259



