How to Audit for Modifications to files and Executions of Files in Linux

By admin

Auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk. Viewing the logs is done with the ausearch or aureport utilities, and configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/rules.d/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize; they are found in the /etc/audit/rules.d/auditd.conf file.

On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

This post outlines the steps to enable the Linux auditd service to track file events such as execute, read and write. For example, if you want to track the /etc/hosts file, follow the steps outlined below.

1. Check the auditd service is started.

# service auditd status 
auditd (pid 2311) is running... 

2. If not running, start it:

# service auditd start

3. Run the auditctl command to start auditing the /etc/hosts file. The syntax is as shown below:

# auditctl -w /etc/hosts -p war -k hosts-file

Here,
-w – the file to watch/audit (use the full path).
-p – the permissions to audit: r for read, w for write, x for execute, a for append.
-k – a key word under which the audit information is recorded, so the events can be searched for later.

4. Let's verify that the audit rule is properly set. Read the /etc/hosts file and write a new entry to it, then check the audit information in /var/log/messages:

# vi /etc/hosts
# ausearch -i -f /etc/hosts
.....
type=PATH msg=audit(05/22/08 18:24:01.071:83) : name=/etc/hosts flags=follow,open inode=4313009 dev=08:05 mode=file,644 ouid=root ogid=root rdev=00:00
type=FS_INODE msg=audit(05/22/08 18:24:01.071:83) : inode=4313009 inode_uid=root inode_gid=root inode_dev=08:05 inode_rdev=00:00
type=FS_WATCH msg=audit(05/22/08 18:24:01.071:83) : watch_inode=4313009 watch=hosts filterkey=testhost perm=read,write,append perm_mask=read
....
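Once the rule is in place, the question a defender actually asks is "who touched /etc/hosts, with which program, and did it succeed?". The ausearch output above answers it for one event; the following added example (not code from the original post) shows how the same answer is pulled out of raw audit records by hand: it groups records by their audit(<time>:<serial>) identifier, keeps the events whose SYSCALL record carries the -k key from step 3, and reports the login uid (auid), the real uid, the command and the paths involved. It also builds and validates the auditctl watch arguments from step 3 so a typo in the -p letters is caught before the rule is loaded. The sample log is constructed here in the modern audit.log record format, not copied from the post, and the uids, inodes and process ids in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample of raw /var/log/audit/audit.log records (not from the original
# post): one edit of /etc/hosts by vi as root after logging in as uid 1000, one read
# of /etc/hosts by cat as uid 1001, and one unrelated event tagged with another key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1558543441.071:83): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c5e0a40 a1=241 a2=1b6 a3=0 items=2 ppid=2301 pid=2450 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="hosts-file"
type=CWD msg=audit(1558543441.071:83):  cwd="/root"
type=PATH msg=audit(1558543441.071:83): item=0 name="/etc/" inode=131073 dev=08:05 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1558543441.071:83): item=1 name="/etc/hosts" inode=4313009 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1558543502.318:91): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe3a1b2c10 a1=0 a2=0 a3=0 items=1 ppid=2601 pid=2633 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="hosts-file"
type=CWD msg=audit(1558543502.318:91):  cwd="/home/bob"
type=PATH msg=audit(1558543502.318:91): item=0 name="/etc/hosts" inode=4313009 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1558543577.004:97): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc5d0e1f20 a1=0 a2=0 a3=0 items=1 ppid=2601 pid=2650 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="less" exe="/usr/bin/less" key="sshd-config"
type=CWD msg=audit(1558543577.004:97):  cwd="/home/bob"
type=PATH msg=audit(1558543577.004:97): item=0 name="/etc/ssh/sshd_config" inode=4313100 dev=08:05 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Letters auditctl -p accepts, as listed in step 3 of the post.
VALID_PERMS = set("rwxa")

# type=<RECORD> msg=audit(<seconds>.<millis>:<serial>): <key=value fields>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def build_watch_rule(path, perms, key):
    """Return the auditctl arguments for a file watch (step 3), rejecting bad -p letters."""
    bad = set(perms) - VALID_PERMS
    if not perms or bad:
        raise ValueError(f"-p accepts only the letters r, w, x, a; got {perms!r}")
    if not path.startswith("/"):
        raise ValueError("-w needs the full (absolute) path of the file to watch")
    return f"-w {path} -p {perms} -k {key}"


def parse_fields(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {name: value.strip('"') for name, value in FIELD_RE.findall(text)}


def group_events(log_text):
    """Collect the records of each event under its (timestamp, serial) identifier."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        match = RECORD_RE.match(line)
        if not match:
            continue  # not an audit record; skip it
        record_type, timestamp, serial, rest = match.groups()
        record = parse_fields(rest)
        record["type"] = record_type
        events[(float(timestamp), int(serial))].append(record)
    return events


def events_for_key(log_text, key):
    """Summarise every event whose SYSCALL record carries the given -k key."""
    hits = []
    for (timestamp, serial), records in sorted(group_events(log_text).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        # PATH records with nametype=PARENT describe the directory, not the file
        paths = [r["name"] for r in records
                 if r["type"] == "PATH" and r.get("nametype") != "PARENT"]
        hits.append({
            "serial": serial,
            "time": timestamp,
            "auid": syscall.get("auid"),      # login uid: who really logged in, even after su
            "uid": syscall.get("uid"),        # uid the process ran as
            "comm": syscall.get("comm"),
            "exe": syscall.get("exe"),
            "success": syscall.get("success"),
            "paths": paths,
        })
    return hits


if __name__ == "__main__":
    print("rule:", build_watch_rule("/etc/hosts", "war", "hosts-file"))
    for event in events_for_key(SAMPLE_AUDIT_LOG, "hosts-file"):
        print(f"serial={event['serial']} auid={event['auid']} uid={event['uid']} "
              f"comm={event['comm']} success={event['success']} paths={event['paths']}")
```

The auid field is the one to report on: it is the uid of the original login session and does not change across su or sudo, so the first sample event is attributed to login uid 1000 even though the edit ran as uid 0. As the introduction notes, rules loaded with auditctl at the command line are only read back from /etc/audit/rules.d/audit.rules at startup, so the same -w/-p/-k line has to be added there for the watch to survive a reboot.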

Filed Under: Linux

© 2019 · The Geek Diary