Comments on: Linux audit files to see who made changes to a file

By: asdasdsd

asdasdsd — Tue, 22 Dec 2009 13:25:00 +0000

/edit:
# ausearch -f etc_passwd
\

Had to escape the greater and less than sign because this comments section thought that it was some HTML!

By: asdasdsd

asdasdsd — Tue, 22 Dec 2009 13:23:03 +0000

# /etc/init.d/audit start
# auditctl -w /etc/passwd -p war -k _etc_passwd
# auditctl -w /etc/shadow -k etc_shadow -p rwxa
# vipw (make a change)
# ausearch -f etc_passwd

Not a lot of use this idea… :(

By: sushil

sushil — Fri, 18 Dec 2009 17:15:14 +0000

hello,
good article…………..

By: Stef

Stef — Thu, 12 Nov 2009 09:28:57 +0000

Hi,

thanks for this article. Helps me a lot!

regards

By: Frans

Frans — Mon, 20 Jul 2009 06:40:28 +0000

Is this also working on Vmware ESX server 3.5? Because this is a modified RedHat distrobution.

By: J.C. Denton

J.C. Denton — Fri, 03 Jul 2009 15:44:51 +0000

After a system restart or a manual one (sudo /etc/init.d/auditd restart) all my file monitoring is gone. sudo auditctl -l says “no rules” then. do I have to save the rules to a textfile or something? Please help (using (X)ubuntu 8.04 LTS)! ;-)

By: john

john — Sat, 09 May 2009 12:09:45 +0000

Great article. I’ve checked the man pages and am still left with two questions:

1. It doesn’t appear that the options to the “p” switch allow for logging file deletions? How do we log when a file is deleted?

2. The kernel does not allow us set a watch on the / directory. If I wanted to log all file deletions, would I be best served by setting watches on all my top level directories (bin,boot,dev,etc…)?

Thanks again for the great resource!
- John

By: Relay

Relay — Wed, 11 Feb 2009 19:03:14 +0000

In the description for the ‘-p’ option, ‘a’ is for “attribute”, not “append” the man page has a full explaination.

-p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.

By: Nguyen Dang

Nguyen Dang — Sun, 14 Dec 2008 00:50:09 +0000

Hi, thanks for the article.

How do I redirect auditd to not generate log message but call a user-defined program (for an selected event)? Is it possible?

Thank you very much.

By: Ken

Ken — Thu, 22 May 2008 11:11:43 +0000

I got the same error:

File system watches not supported

Did you ever resolve this?

Thanks John

By: ike

ike — Sun, 27 Apr 2008 19:49:34 +0000

:-) Wow. This is great article.

By: tiger74

tiger74 — Fri, 25 Jan 2008 02:23:22 +0000

@nixcraft,
Thank you for such a great article.
But, I’m confused, it seems that there is no man page for the audit.rules?

@rodrigo,
You can use tripwire with similar function. It detects file changes.

By: Ken

Ken — Thu, 06 Sep 2007 22:40:41 +0000

When I try to set up a file watch, it fails. When I do an auditctl -l, i get this at the bottom:

File system watches not supported

Any ideas on whats wrong?

(btw, I’m guessing that I can get around this by tracing syscalls based on the files’ inode numbers, but thats messy, and hard to maintain…)

By: Linux Auditing Problems - log file getting large - nixCraft Linux Forum

Linux Auditing Problems - log file getting large - nixCraft Linux Forum — Thu, 17 May 2007 15:19:13 +0000

[...] two command and try following resources: Article about audit log visualization Audit System FAQ Linux audit files to see who made changes to a file | nixCraft Let me know if you need any further help! __________________ Vivek Play hard stay [...]

By: links for 2007-04-30 « Donghai Ma

links for 2007-04-30 « Donghai Ma — Mon, 30 Apr 2007 04:22:49 +0000

[...] Linux audit files to see who made changes to a file | nixCraft (tags: linux security tutorial) [...]

By: nixcraft

nixcraft — Fri, 30 Mar 2007 17:26:38 +0000

@motumboe, thanks for feedback :D

@Rodrigo you can write your own perl scripts

By: motumboe

motumboe — Fri, 30 Mar 2007 07:22:51 +0000

Found this article following this link: http://beranger.org/index.php?article=2722

Two great blogs, my comps
:-)

By: Rodrigo

Rodrigo — Wed, 28 Mar 2007 11:29:29 +0000

Sadly the box running RH 7.3 is a live production box for a multinational company, I cant just get a new OS installed on that server, we will be at least another 6 months before migrating to a new system.

Do you perhaps have an idea of what tool I could use to monitor files in a folder that have been accessed during a period of time?

BTW… great site.

By: nixcraft

nixcraft — Wed, 28 Mar 2007 05:54:16 +0000

Rodrigo,

RH 7.3 does not support auditd; also a big security risk for such old disro.

Get Cent OS 4.x or FC 6/7

By: Rodrigo

Rodrigo — Tue, 27 Mar 2007 20:32:42 +0000

Question, i need a file monitor to tell me which files are being used on a few folders, can i use auditd? is it compatible with Redhat 7.3? is there a GUI to use with this?

If this is not what i need.. can you point me to what i need or something close?