This is one of the key questions many new sys admin ask:
How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?
The answer is to use 2.6 kernel’s audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It’s responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.
In order to use audit facility you need to use following utilities
=> auditctl - a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command:
=> ausearch - a command that can query the audit daemon logs based for events based on different search criteria.
=> aureport - a tool that produces summary reports of the audit system logs.
Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux.
Task: install audit package
The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora core includes audit rpm package. Use yum or up2date command to install package
# yum install audit
or
# up2date install audit
Auto start auditd service on boot
# ntsysv
OR
# chkconfig auditd on
Now start service:
# /etc/init.d/auditd start
How do I set a watch on a file for auditing?
Let us say you would like to audit a /etc/passwd file. You need to type command as follows:
# auditctl -w /etc/passwd -p war -k password-file
Where,
- -w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
- -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
- -k password-file : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.
In short you are monitoring (read as watching) a /etc/passwd file for anyone (including syscall) that may perform a write, append or read operation on a file.
Wait for some time or as a normal user run command as follows:
$ grep 'something' /etc/passwd
$ vi /etc/passwd
Following are more examples:
File System audit rules
Add a watch on "/etc/shadow" with the arbitrary filterkey "shadow-file" that generates records for "reads, writes, executes, and appends" on "shadow"
# auditctl -w /etc/shadow -k shadow-file -p rwxa
syscall audit rule
The next rule suppresses auditing for mount syscall exits
# auditctl -a exit,never -S mount
File system audit rule
Add a watch "tmp" with a NULL filterkey that generates records "executes" on "/tmp" (good for a webserver)
# auditctl -w /tmp -p e -k webserver-watch-tmp
syscall audit rule using pid
To see all syscalls made by a program called sshd (pid - 1005):
# auditctl -a entry,always -S all -F pid=1005
How do I find out who changed or accessed a file /etc/passwd?
Use ausearch command as follows:
# ausearch -f /etc/passwd
OR
# ausearch -f /etc/passwd | less
OR
# ausearch -f /etc/passwd -i | less
Where,
- -f /etc/passwd : Only search for this file
- -i : Interpret numeric entities into text. For example, uid is converted to account name.
Output:
---- type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/16/2007 14:52:59.985:55) : cwd=/webroot/home/lighttpd type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00 type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep
Let us try to understand output
- audit(03/16/2007 14:52:59.985:55) : Audit log time
- uid=lighttpd gid=lighttpd : User ids in numerical format. By passing -i option to command you can convert most of numeric data to human readable format. In our example user is lighttpd used grep command to open a file
- exe="/bin/grep" : Command grep used to access /etc/passwd file
- perm_mask=read : File was open for read operation
So from log files you can clearly see who read file using grep or made changes to a file using vi/vim text editor. Log provides tons of other information. You need to read man pages and documentation to understand raw log format.
Other useful examples
Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file
Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command:
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm
Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
Other auditing related posts
- How to keep a detailed audit trail of what’s being done on your Linux systems
- How do I find out Linux CPU utilization?
- Linux Setting processor affinity for a certain task or process
Further readings
- Read man pages - auditd, ausearch, auditctl
Updated for accuracy.
- Email this to a friend
- Printable version
- Rss Feed
- Last Updated: Sep/7/2007
{ 2 trackbacks }
{ 17 comments… read them below or add one }
In the line “auditctl -w /etc/passwd -k shadow-file -p rwxa” you mean /etc/shadow not /etc/passwd.
James,
Thanks for heads up, post has been updated.
Very interesting article, thanks alot.
I did spot one small detail, though:
“So from log files you can clearly see who made changes to a file using grep commands.”
Grep is a tool to *read* files, not change them…
GH,
Heh… I was suppose to use vim as an example but somehow I did pickup grep. Anyway post has been updated
Appreciate your post.
Question, i need a file monitor to tell me which files are being used on a few folders, can i use auditd? is it compatible with Redhat 7.3? is there a GUI to use with this?
If this is not what i need.. can you point me to what i need or something close?
Rodrigo,
RH 7.3 does not support auditd; also a big security risk for such old disro.
Get Cent OS 4.x or FC 6/7
Sadly the box running RH 7.3 is a live production box for a multinational company, I cant just get a new OS installed on that server, we will be at least another 6 months before migrating to a new system.
Do you perhaps have an idea of what tool I could use to monitor files in a folder that have been accessed during a period of time?
BTW… great site.
Found this article following this link: http://beranger.org/index.php?article=2722
Two great blogs, my comps
@motumboe, thanks for feedback
@Rodrigo you can write your own perl scripts
When I try to set up a file watch, it fails. When I do an auditctl -l, i get this at the bottom:
File system watches not supported
Any ideas on whats wrong?
(btw, I’m guessing that I can get around this by tracing syscalls based on the files’ inode numbers, but thats messy, and hard to maintain…)
@nixcraft,
Thank you for such a great article.
But, I’m confused, it seems that there is no man page for the audit.rules?
@rodrigo,
You can use tripwire with similar function. It detects file changes.
I got the same error:
File system watches not supported
Did you ever resolve this?
Thanks John
Hi, thanks for the article.
How do I redirect auditd to not generate log message but call a user-defined program (for an selected event)? Is it possible?
Thank you very much.
In the description for the ‘-p’ option, ‘a’ is for “attribute”, not “append” the man page has a full explaination.
-p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
Great article. I’ve checked the man pages and am still left with two questions:
1. It doesn’t appear that the options to the “p” switch allow for logging file deletions? How do we log when a file is deleted?
2. The kernel does not allow us set a watch on the / directory. If I wanted to log all file deletions, would I be best served by setting watches on all my top level directories (bin,boot,dev,etc…)?
Thanks again for the great resource!
- John
After a system restart or a manual one (sudo /etc/init.d/auditd restart) all my file monitoring is gone. sudo auditctl -l says “no rules” then. do I have to save the rules to a textfile or something? Please help (using (X)ubuntu 8.04 LTS)!