Linux audit files to see who made changes to a file

This is one of the key questions many new sysadmins ask:

How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?

The answer is to use the 2.6 kernel's audit system. Modern Linux kernels (2.6.x) come with the auditd daemon, which is responsible for writing audit records to disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. The default file is good enough to get started with auditd.

In order to use the audit facility you need the following utilities:

  • auditctl – a command to assist in controlling the kernel's audit system. You can get status, and add or delete rules in the kernel audit system. Setting a watch on a file is accomplished using this command.
  • ausearch – a command that can query the audit daemon logs for events based on different search criteria.
  • aureport – a tool that produces summary reports of the audit system logs.

Note that all of the following instructions were tested on CentOS 4.x, Fedora Core, and RHEL 4/5 Linux.

Task: install audit package

The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora Core include the audit rpm package. Use the yum or up2date command to install the package:
# yum install audit
# up2date install audit

Auto-start the auditd service on boot:
# ntsysv
# chkconfig auditd on
Now start the service:
# /etc/init.d/auditd start

How do I set a watch on a file for auditing?

Let us say you would like to audit the /etc/passwd file. You need to type a command as follows:
# auditctl -w /etc/passwd -p war -k password-file

  • -w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file called /etc/passwd
  • -p war : Set the permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
  • -k password-file : Set a filter key on the /etc/passwd watch. password-file is a filter key (a string of text that can be up to 31 bytes long) that uniquely identifies the audit records produced by the watch. You use the password-file string or phrase while searching the audit logs.

In short, you are monitoring (that is, watching) the /etc/passwd file for anyone, including any system call made by any process, that performs a write, append or read operation on it.

Wait for some time, or as a normal user run commands as follows:
$ grep 'something' /etc/passwd
$ vi /etc/passwd

More examples follow:

File System audit rules

Add a watch on /etc/shadow with the arbitrary filter key shadow-file that generates records for reads, writes, executes, and appends on /etc/shadow:
# auditctl -w /etc/shadow -k shadow-file -p rwxa

syscall audit rule

The next rule suppresses auditing for mount syscall exits:
# auditctl -a exit,never -S mount

File system audit rule

Add a watch on /tmp with the filter key webserver-watch-tmp that generates records for executes in /tmp (good for a web server). Note that the execute permission is x, not e:
# auditctl -w /tmp -p x -k webserver-watch-tmp

syscall audit rule using pid

To see all syscalls made by a program called sshd (pid 1005):
# auditctl -a entry,always -S all -F pid=1005

How do I find out who changed or accessed a file /etc/passwd?

Use ausearch command as follows:
# ausearch -f /etc/passwd
# ausearch -f /etc/passwd | less
# ausearch -f /etc/passwd -i | less

  • -f /etc/passwd : Only search for this file
  • -i : Interpret numeric entities into text. For example, uid is converted to an account name.

type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00
type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep

Let us try to understand the output:

  • audit(03/16/2007 14:52:59.985:55) : Audit log time and event serial number
  • uid=lighttpd gid=lighttpd : User ids, normally shown in numerical format. By passing the -i option to the command you can convert most of the numeric data to human-readable form. In our example, the user lighttpd used the grep command to open the file
  • exe=/bin/grep : The grep command was used to access the /etc/passwd file
  • perm_mask=read : The file was opened for a read operation

So from the log you can clearly see who read the file using grep or who made changes to it using the vi/vim text editor. The log provides a lot of other information; read the man pages and documentation to understand the raw log format.

Other useful examples

Search for events by date and time stamp. If the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24-hour clock time rather than AM or PM to specify the time. An example date is 10/24/05; an example time is 18:00:00.
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file

Search for events matching the given executable name using the -x option. For example, find out who has accessed /etc/passwd using the rm command:
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm

Search for events with the given user ID (UID) using the -ui option. For example, find out whether user vivek (uid 506) tried to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
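As an added example that is not part of the original post, and that serves both the output walkthrough above and the per-user search: a small shell function that joins the PATH, FS_WATCH and SYSCALL records of one event on the serial number inside msg=audit(<time>:<serial>) and prints one line per event, with an optional uid filter. The sample records are constructed: event 55 is the grep read shown above, event 56 is a made-up vi edit by vivek after su to root.

```shell
#!/bin/sh
# Added example, not from the original post: turn the per-event record
# groups that `ausearch -f /etc/passwd -i` prints into one line per event,
# joined on the serial number inside msg=audit(<time>:<serial>).
# Usage: audit_who [uid] < records   (optional uid filter, e.g. "root")

audit_who() {
    awk -v want_uid="${1:-}" '
    {
        # every record of one event carries the same audit(<time>:<serial>)
        if (!match($0, /audit\([^)]*\)/)) next
        id = substr($0, RSTART + 6, RLENGTH - 7)   # "<time>:<serial>"
        n = split(id, p, ":"); serial = p[n]
        if (!(serial in seen)) {
            seen[serial] = 1; order[++count] = serial
            ts[serial] = substr(id, 1, length(id) - length(serial) - 1)
        }
        # collect key=value tokens from every record type into one event
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) rec[serial, kv[1]] = kv[2]
    }
    END {
        for (j = 1; j <= count; j++) {
            s = order[j]
            if (want_uid != "" && rec[s, "uid"] != want_uid) continue
            # auid is the login uid: it survives su/sudo, uid does not
            printf "%s serial=%s auid=%s uid=%s comm=%s exe=%s file=%s perm=%s success=%s\n",
                ts[s], s, rec[s, "auid"], rec[s, "uid"], rec[s, "comm"],
                rec[s, "exe"], rec[s, "name"], rec[s, "perm_mask"], rec[s, "success"]
        }
    }'
}

# Constructed sample in the interpreted (-i) layout shown in the article:
# event 55 is the grep read from the post, event 56 is a made-up edit of
# /etc/passwd with vi by vivek after su to root.
sample_records() {
    cat <<'EOF'
type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd comm=grep exe=/bin/grep
type=PATH msg=audit(03/16/2007 14:53:20.112:56) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=FS_WATCH msg=audit(03/16/2007 14:53:20.112:56) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=write
type=SYSCALL msg=audit(03/16/2007 14:53:20.112:56) : arch=x86_64 syscall=open success=yes exit=4 items=1 pid=12600 auid=vivek uid=root gid=root euid=root comm=vi exe=/bin/vi
EOF
}

# On a live system: ausearch -f /etc/passwd -i | audit_who
sample_records | audit_who
```

The auid column is the one to read when a user switched identity with su or sudo before touching the file: uid shows root, auid still shows the login account.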

Further readings

  • Read man pages – auditd, ausearch, auditctl

Updated for accuracy.

57 comments
  • Magne Jan 27, 2017 @ 19:29


    Informative article 🙂

    I got one question.
    I want to know every file change recursive in a folder. So i have setup a watch with the path /var/…/httpdocs
    When i inspect the audit log, i can only see which folder a file has been changed in and not the actual filename.
    Any idea why? I want to monitor any file type, but php is the most important file.

  • Amandus Dec 4, 2015 @ 8:24

    If I type the command to see who modified files or password I get the output.

    What does this mean? Does it mean that audit trails are not enabled on my system? I use Red Hat 6.

  • AL Nov 21, 2014 @ 19:23

    Is there a way to output this audit information to a syslog server?

  • whoopidido Aug 24, 2014 @ 14:09

    How do you send an email notification when a rule is hit on a server, any examples?

  • satan May 13, 2014 @ 18:21

    Option “a” doesn’t mean append. From official manual: a – change in the file’s or directory’s attribute.

  • AW Nov 14, 2013 @ 22:37

    How does one ensure that the logs send up in syslog?
    I regularly send the auth.* @IP address, what would be the equivalent in this case?

  • Sarfraz Sep 2, 2013 @ 12:27

    Do we enable file auditing for files accessed from SFTP like winscp tool?

  • Kirk Mar 26, 2013 @ 23:14

    Is it possible to write rules to detect modifications to any file in /var/www with the name settings.php? This doesn’t work, but it captures what I’d like to be able to do:

    auditctl -w /var/www/vhosts/*/settings.php -k config-watch -prwa


  • thomas Oct 19, 2012 @ 3:26

    i have set up my audit.rules file.

    when i start auditd, i get an output stating:

    the audit system is in immutable mode. no audit rules loaded.

    when i type auditctl -l it says no rules loaded.

    i thought when i set up my audit.rules file and started auditd, that’s all i had to do. after reading this article, i believe there is more i need to do.

    can someone elaborate on how the audit.rules file comes into play?

    • ibeam7 Nov 28, 2012 @ 23:20

      Check to see if you have
      -e 2
      at the end of your audit.rules file. If so, once you reload or restart your auditd service you will not be able to modify your rules file without bouncing the server. If doing testing, it’s best to use
      -e 1
      which just enables the rules but doesn’t lock them.

  • ritesh Jun 4, 2012 @ 11:46

    I configured samba as a file server. Server is running successfully. I wanted to see logs which user currently accessing a file and which file got deleted from user.
    Is this possible in samba ?
    Thanks in advance.

  • John Gonzalez Nov 29, 2011 @ 23:55

    Thank You…!!!

  • ceooph Nov 21, 2011 @ 9:15

    Thanks for this article and your whole site. I have a problem with auditd.
    Can you audit a directory (yes) and all subdirectories?
    I want to audit a complete map point with folder, sub-folder, sub-sub-folder, …

    Thanks a lot for your help

  • Funutation Oct 13, 2011 @ 17:45

    anyone know whether SELinux includes these features? I assume that it does, and does even more but I cannot find details (easily 🙂


  • dreamingkat Jul 9, 2011 @ 8:10

    according to the man page, a isn’t for append, it’s for attribute changes.

  • Tha_Duck May 26, 2011 @ 11:38

    # auditctl -w /tmp -p e -k webserver-watch-tmp

    Shouldn’t that be:
    # auditctl -w /tmp -p x -k webserver-watch-tmp


  • Cristian Rusu Apr 27, 2011 @ 7:52


    Is there any way to figure out what php script modified a file on the system?
    I got a bug where all the images in some folders are converted to an black empty png and I can’t figure out what does this for months.

    Thank you for any hint


    • David May 23, 2011 @ 21:35

      I’d change the permissions on the PNG files to read-only – possibly by changing the extended attributes if necessary – and see what breaks. Might have to change the directory permissions if the mysterious program is actually creating a new file and moving deleting the old one – as these steps don’t require file permissions, just directory permissions.

  • joe Mar 21, 2011 @ 17:43

    Daren Tay
    For SU install sudo and which uses su log.

  • DarenTay Feb 25, 2011 @ 8:04

    If a user su to root, how do we manage that? Can we identify who’s the original user?

  • Roumen Semov Dec 16, 2010 @ 0:39

    Hmmm, appending text to a watched file does not show up in the audit logs:
    echo ‘hello world’ >> /etc/passwd
    Any idea why?

    • RG May 27, 2011 @ 5:00

      You might need to turn auditing on by changing the default “yes” to “no”
      at the bottom of the file /etc/sysconfig/auditd:
      # This option disables syscall auditing by default. This can also be
      # accomplished by auditctl -e.
      Set to no for full audit functionality including file and directory watches and system call auditing.

  • Sandy Dec 12, 2010 @ 19:42

    Does auditd work over NFS? I mean, if anyone reads/writes a file through NFS, will the audit system log them? I have not been able to configure this. auditd captures read/write access from FTP and even CIFS, but not from NFS? Anyone have any clue?

    • Prashant Oct 17, 2011 @ 5:48

      Hi Sandy,

      Were you about to get the answer for your query..
      As even I want to get statistics on NFS / CIFS / FTP etc..
      please let me know if you got any tips !


  • Aldian Nov 22, 2010 @ 10:34

    You forgot to explain how to stop monitoring once not needed anymore

  • Dave Marcus Oct 7, 2010 @ 21:07

    Is there anyway to place an audit on a directory? And yes it’s a very good article, I have it bookmarked.

    • Yzhar Nov 11, 2010 @ 10:27

      I'm a Varins inc engineer who has researched this stuff for a while.

      Unix (any) lacks such abilities, and the best it can do is audit predefined objects.
      Scale is poor and some file operations are missing.

      We have successfully built such a framework (for about any Unix platform).
      It has been running on hundreds of production sites for 3 years now, and I can tell you it wasn't easy.

      I don't want to sound like a salesman (I'm not), but I hope I can save you some time if you are looking for such a solution.

      Very nice article.

  • nima0102 Sep 21, 2010 @ 13:51

    Good Article :):)

  • Hello1971 Jul 14, 2010 @ 2:03

    Hi, did this work on exported directories? I mean, if anyone reads/writes a file through NFS, will the audit system log them?

  • Jagadeesh Jul 9, 2010 @ 5:07


    This is very nice article. In my company we have NFS mounted home directories. Anyone can access files from anybody’s home. This will help me monitoring who comes to my home 🙂

    Thanks for this article

  • Anonymous Jul 5, 2010 @ 21:04

    is it possible to use it from NIS.. we use ypcat

  • david Jan 6, 2010 @ 21:38

    @ Rodrigo

    Compile a newer kernel, it takes about 2 hours, or use proprietary software such as PowerBroker from BeyondTrust.

  • asdasdsd Dec 22, 2009 @ 13:25

    # ausearch -f etc_passwd

    Had to escape the greater and less than sign because this comments section thought that it was some HTML!

  • asdasdsd Dec 22, 2009 @ 13:23

    # /etc/init.d/audit start
    # auditctl -w /etc/passwd -p war -k _etc_passwd
    # auditctl -w /etc/shadow -k etc_shadow -p rwxa
    # vipw (make a change)
    # ausearch -f etc_passwd

    Not a lot of use this idea… 🙁

  • sushil Dec 18, 2009 @ 17:15

    good article…………..

  • Stef Nov 12, 2009 @ 9:28


    thanks for this article. Helps me a lot!


  • Frans Jul 20, 2009 @ 6:40

    Is this also working on VMware ESX server 3.5? Because this is a modified Red Hat distribution.

  • J.C. Denton Jul 3, 2009 @ 15:44

    After a system restart or a manual one (sudo /etc/init.d/auditd restart) all my file monitoring is gone. sudo auditctl -l says “no rules” then. do I have to save the rules to a textfile or something? Please help (using (X)ubuntu 8.04 LTS)! 😉

  • john May 9, 2009 @ 12:09

    Great article. I’ve checked the man pages and am still left with two questions:

    1. It doesn’t appear that the options to the “p” switch allow for logging file deletions? How do we log when a file is deleted?

    2. The kernel does not allow us set a watch on the / directory. If I wanted to log all file deletions, would I be best served by setting watches on all my top level directories (bin,boot,dev,etc…)?

    Thanks again for the great resource!
    – John

  • Relay Feb 11, 2009 @ 19:03

    In the description for the ‘-p’ option, ‘a’ is for “attribute”, not “append”; the man page has a full explanation.

    -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.

    • John Doe Apr 3, 2012 @ 0:51

      Newer versions seem to use ‘a’ for attribute changes, my manpage reads like this:

      -p [r|w|x|a]
      Set permissions filter for a file system watch. r=read, w=write, x=execute, a=attribute change.

      Nice article though, exactly what i needed. 🙂

  • Nguyen Dang Dec 14, 2008 @ 0:50

    Hi, thanks for the article.

    How do I redirect auditd to not generate log message but call a user-defined program (for an selected event)? Is it possible?

    Thank you very much.

  • Ken May 22, 2008 @ 11:11

    I got the same error:

    File system watches not supported

    Did you ever resolve this?

    Thanks John

  • ike Apr 27, 2008 @ 19:49

    🙂 Wow. This is great article.

  • tiger74 Jan 25, 2008 @ 2:23

    Thank you for such a great article.
    But, I’m confused, it seems that there is no man page for the audit.rules?

    You can use tripwire with similar function. It detects file changes.

  • Ken Sep 6, 2007 @ 22:40

    When I try to set up a file watch, it fails. When I do an auditctl -l, i get this at the bottom:

    File system watches not supported

    Any ideas on whats wrong?

    (BTW, I'm guessing that I can get around this by tracing syscalls based on the files' inode numbers, but that's messy and hard to maintain...)

  • 🐧 nixCraft Mar 30, 2007 @ 17:26

    @motumboe, thanks for feedback 😀

    @Rodrigo you can write your own perl scripts

    • Stome Jan 24, 2014 @ 2:20

      Dear nixCraft,
      how can i change log file from /var/log/message? when i look to default configuration file in less /etc/audisp/audispd.conf
      q_depth = 120
      overflow_action = SYSLOG

      that is correct?

  • motumboe Mar 30, 2007 @ 7:22

    Found this article following this link:

    Two great blogs, my comps

  • Rodrigo Mar 28, 2007 @ 11:29

    Sadly the box running RH 7.3 is a live production box for a multinational company. I can't just get a new OS installed on that server; we will be at least another 6 months before migrating to a new system.

    Do you perhaps have an idea of what tool I could use to monitor files in a folder that have been accessed during a period of time?

    BTW… great site.

  • 🐧 nixCraft Mar 28, 2007 @ 5:54

    RH 7.3 does not support auditd; also a big security risk for such an old distro.

    Get Cent OS 4.x or FC 6/7

  • Rodrigo Mar 27, 2007 @ 20:32

    Question, i need a file monitor to tell me which files are being used on a few folders, can i use auditd? is it compatible with Redhat 7.3? is there a GUI to use with this?

    If this is not what i need.. can you point me to what i need or something close?

  • 🐧 nixCraft Mar 22, 2007 @ 8:29

    Heh… I was supposed to use vim as an example but somehow I picked up grep. Anyway, the post has been updated.

    Appreciate your post.

  • GH Snijders Mar 22, 2007 @ 8:12

    Very interesting article, thanks a lot.

    I did spot one small detail, though:

    “So from log files you can clearly see who made changes to a file using grep commands.”

    Grep is a tool to *read* files, not change them… 😉

    • Jawed Abbasi Feb 3, 2014 @ 17:21

      I know it's an old post but I don't see anything wrong with this line quoted below:
      “So from log files you can clearly see who made changes to a file using grep commands.”
      As I read it, you can look at auditd log files and clearly see who made any changes by grepping either usernames or file names or any other string from the auditd log files.
      That does not say that someone used the “grep” tool/utility to make changes.

  • 🐧 nixCraft Mar 21, 2007 @ 16:41


    Thanks for heads up, post has been updated.

  • James Musil Mar 21, 2007 @ 15:42

    In the line “auditctl -w /etc/passwd -k shadow-file -p rwxa” you mean /etc/shadow not /etc/passwd.
