HomeForumsArticlesMarketplaceDownloadsHostingFreebiesJobs
Applications|Desktop|Installation|Misc|Multimedia|Network|Programming|Reviews|Security|Servers
Welcome to Linux Forums! With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.
Find the answer to your Linux question:
Site Navigation
Linux Forums
Linux Articles
Product Showcase
Linux Downloads
Linux Hosting
Free Magazines
Job Board
IRC Chat
RSS Feeds
Free Publications


Linux Audit files

User Score User Score
Editor Score Editor Score
Contributed by: Syed Asim Abbas
Category: Security
Distribution: Red Hat
Views: 6514
License: Linux Forums Article License
Posted: 29 April, 2010
ToolsTools »
 BookmarkShare
 
How to audit file events such as read / write etc? How can you use audit to see who changed a file in Linux?

Linux Auditing Howto. By Syed Asim Abbas
Date: 15-02-2009

asimabbas31@gmail.com This e-mail address is being protected from spambots. You need JavaScript enabled to view it



Installation
-----------
[root@power tmp]# yum install audit

Loaded plugins: refresh-packagekit
Setting up Install Process
Resolving Dependencies
--> Running transaction check


Run service
[root@power tmp]# service auditd start
Starting auditd:                                           [  OK  ]

[root@power tmp]# tail /var/log/audit/audit.log
type=SYSCALL msg=audit(1266218420.349:82): arch=40000003 syscall=5 success=yes exit=3 a0=8223f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4782 pid=4787 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="auditd" exe="/bin/bash" key="password-file"
type=CWD msg=audit(1266218420.349:82):  cwd="/"
type=PATH msg=audit(1266218420.349:82): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CONFIG_CHANGE msg=audit(1266218420.478:83): auid=0 ses=1 op=remove rule key="password-file" list=4 res=1
type=CONFIG_CHANGE msg=audit(1266218420.478:84): auid=0 ses=1 op=remove rule key="Test-File" list=4 res=1
type=CONFIG_CHANGE msg=audit(1266218420.479:85): audit_backlog_limit=320 old=320 auid=0 ses=1 res=1
type=DAEMON_END msg=audit(1266218426.492:8804): auditd normal halt, sending auid=? pid=? subj=? res=success
type=DAEMON_START msg=audit(1266218428.846:6213): auditd start, ver=1.7.12 format=raw kernel=2.6.29.4-167.fc11.i686.PAE auid=0 pid=4826 res=success
type=CONFIG_CHANGE msg=audit(1266218428.956:88): audit_enabled=1 old=1 auid=0 ses=1 res=1
type=CONFIG_CHANGE msg=audit(1266218428.957:89): audit_backlog_limit=320 old=320 auid=0 ses=1 res=1





Enanble audit for specific file.
--------------------------------


[root@power tmp]# auditctl -w /etc/passwd -p war -k password-file

* -w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
* -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
* -k password-file : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.


Now check audit is working

run

[root@power tmp]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash




[root@power ~]# tail -f /var/log/audit/audit.log


type=SYSCALL msg=audit(1266218686.568:91): arch=40000003 syscall=5 success=yes exit=3 a0=bf9ce50d a1=8000 a2=0 a3=bf9cd46c items=1 ppid=4639 pid=4867 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="cat" exe="/bin/cat" key="password-file"
type=CWD msg=audit(1266218686.568:91):  cwd="/tmp"
type=PATH msg=audit(1266218686.568:91): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00


or run

vi /etc/passwd



[root@power ~]# tail -f /var/log/audit/audit.log




type=SYSCALL msg=audit(1266218832.550:95): arch=40000003 syscall=5 success=yes exit=3 a0=9673f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:95):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:95): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266218832.550:96): arch=40000003 syscall=5 success=yes exit=3 a0=9365828 a1=8000 a2=0 a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:96):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:96): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266218832.550:97): arch=40000003 syscall=85 success=no exit=-22 a0=bfcece6c a1=bfcede6c a2=fff a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:97):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:97): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00


----




[root@power ~]# ausearch -f /etc/passwd               
----                                                  
time->Mon Feb 15 12:09:17 2010                        
type=PATH msg=audit(1266217757.230:40): item=0 name="/etc/passwd" inode=663089 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1266217757.230:40):  cwd="/home/abbas"                                                                    
type=SYSCALL msg=audit(1266217757.230:40): arch=40000003 syscall=5 success=yes exit=3 a0=9c3d7e8 a1=8000 a2=0 a3=1 items=1 ppid=4639 pid=4669 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"              
----                                                                                                                                          
time->Mon Feb 15 12:09:17 2010                                                                                                                
type=PATH msg=audit(1266217757.230:39): item=0 name="/etc/passwd" inode=663089 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00                
type=CWD msg=audit(1266217757.230:39):  cwd="/home/abbas"                                                                                     
type=SYSCALL msg=audit(1266217757.230:39): arch=40000003 syscall=5 success=yes exit=3 a0=1273f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4669 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"        
----                                                                                                                                          


aureport

aureport  is a tool that produces summary reports of the audit system logs.

[root@power ~]# aureport

Summary Report
======================
Range of time in logs: 12/18/2009 10:54:25.260 - 02/17/2010 10:01:01.315
Selected time for report: 12/18/2009 10:54:25 - 02/17/2010 10:01:01.315
Number of changes in configuration: 68
Number of changes to accounts, groups, or roles: 10
Number of logins: 65
Number of failed logins: 95
Number of authentications: 87
Number of failed authentications: 90
Number of users: 2
Number of terminals: 18
Number of host names: 4
Number of executables: 35
Number of files: 6
Number of AVC's: 1
Number of MAC events: 4
Number of failed syscalls: 5
Number of anomaly events: 236
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 832
Number of events: 3259




Rate This Article: poorexcellent
 
Comments about this article

Comment title: * please do not put your response text here