Comments on: Linux audit files to see who made changes to a file

By: John Gonzalez

John Gonzalez — Tue, 29 Nov 2011 23:55:07 +0000

Thank You…!!!

By: ceooph

ceooph — Mon, 21 Nov 2011 09:15:42 +0000

Hi,
Thanks for this article and your whole site. I have a problem with auditd.
Can you audit a directory (yes) and all subdirectory ??
I want to audit a complete map point with folder, sub-folder, sub-sub-folder, …

Thanks a lot for your help

By: Prashant

Prashant — Mon, 17 Oct 2011 05:48:23 +0000

Hi Sandy,

Were you about to get the answer for your query..
As even I want to get statistics on NFS / CIFS / FTP etc..
please let me know if you got any tips !

thnx
Prashant

By: Funutation

Funutation — Thu, 13 Oct 2011 17:45:04 +0000

anyone know whether SELinux includes these features? I assume that it does, and does even more but I cannot find details (easily :-)

thanx

By: dreamingkat

dreamingkat — Sat, 09 Jul 2011 08:10:32 +0000

according to the man page, a isn’t for append, it’s for attribute changes.

By: Tha_Duck

Tha_Duck — Thu, 26 May 2011 11:38:30 +0000

# auditctl -w /tmp -p e -k webserver-watch-tmp

Shouldn’t that be:
# auditctl -w /tmp -p x -k webserver-watch-tmp

By: David

David — Mon, 23 May 2011 21:35:09 +0000

I’d change the permissions on the PNG files to read-only – possibly by changing the extended attributes if necessary – and see what breaks. Might have to change the directory permissions if the mysterious program is actually creating a new file and moving deleting the old one – as these steps don’t require file permissions, just directory permissions.

By: Cristian Rusu

Cristian Rusu — Wed, 27 Apr 2011 07:52:36 +0000

Hello

Is there any way to figure out what php script modified a file on the system?
I got a bug where all the images in some folders are converted to an black empty png and I can’t figure out what does this for months.

Thank you for any hint

Cris

By: joe

joe — Mon, 21 Mar 2011 17:43:55 +0000

Daren Tay
For SU install sudo and which uses su log.

By: DarenTay

DarenTay — Fri, 25 Feb 2011 08:04:58 +0000

If a user su to root, how do we manage that? Can we identify who’s the original user?

By: Roumen Semov

Roumen Semov — Thu, 16 Dec 2010 00:39:18 +0000

Hmmm, appending text to a watched file does not show up in the audit logs:
echo ‘hello world’ >> /etc/passwd
Any idea why?

By: Sandy

Sandy — Sun, 12 Dec 2010 19:42:48 +0000

Does auditd work over NFS ? . I mean, if any one read/write a file through NFS, The audit system will log them?? I have not been able to configure this. auditd captures read/write access from FTP and even CIFS – but not from NFS ? Anyone has any Clue ?

By: Aldian

Aldian — Mon, 22 Nov 2010 10:34:23 +0000

You forgot to explain how to stop monitoring once not needed anymore

By: Yzhar

Yzhar — Thu, 11 Nov 2010 10:27:19 +0000

I’m a Varins inc eng that had research this stuff for a while.

Unix (any), lacks such abilities and the best it can do is audit pre define objects.
scale is poor and some file operations are missing.

We have successfully build such framework (for about any unix platforms).
it is running on hundreds production sites for 3 years now. and I can tell you it wasn’t easy.

I don’t want to sound like a sales man (I’m not), but hope I can save you some time if you are looking for such solution.

btw,
very nice article.

By: Dave Marcus

Dave Marcus — Thu, 07 Oct 2010 21:07:11 +0000

Is there anyway to place an audit on a directory? And yes it’s a very good article, I have it bookmarked.

By: nima0102

nima0102 — Tue, 21 Sep 2010 13:51:57 +0000

Good Article :):)

By: Hello1971

Hello1971 — Wed, 14 Jul 2010 02:03:30 +0000

Hi, Did this work on exported directory. I mean, if any one read/write a file through NFS, The audit system will log them??

By: Jagadeesh

Jagadeesh — Fri, 09 Jul 2010 05:07:05 +0000

Hi,

This is very nice article. In my company we have NFS mounted home directories. Anyone can access files from anybody’s home. This will help me monitoring who comes to my home :-)

Thanks for this article

By: Anonymous

Anonymous — Mon, 05 Jul 2010 21:04:14 +0000

is it possible to use it from NIS.. we use ypcat

By: asdasdsd

asdasdsd — Tue, 22 Dec 2009 13:25:00 +0000

/edit:
# ausearch -f etc_passwd
\

Had to escape the greater and less than sign because this comments section thought that it was some HTML!