How to Audit for Modifications to files and Executions of Files in Linux

By admin

Auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/rules.d/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the /etc/audit/rules.d/auditd.conf file.

On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

This post outlines the steps to enable the Linux auditd service to track file events such as execute, read and write. For example, to track the /etc/hosts file, follow the steps below.

1. Check the auditd service is started.

# service auditd status 
auditd (pid 2311) is running... 

2. If not running, start it:

# service auditd start

3. Run the auditctl command to start auditing the /etc/hosts file. The syntax is as shown below:

# auditctl -w /etc/hosts -p war -k hosts-file

Here,
-w – the file to watch/audit (use the full path).
-p – the permissions to audit: r for read, w for write, x for execute, a for append.
-k – a key word attached to the recorded audit information so the events can be searched for later.

4. Let's verify that the audit rule is properly set. Read the file and write a new entry to /etc/hosts, then check the audit information in /var/log/messages:

# vi /etc/hosts
# ausearch -i -f /etc/hosts
.....
type=PATH msg=audit(05/22/08 18:24:01.071:83) : name=/etc/hosts flags=follow,open inode=4313009 dev=08:05 mode=file,644 ouid=root ogid=root rdev=00:00
type=FS_INODE msg=audit(05/22/08 18:24:01.071:83) : inode=4313009 inode_uid=root inode_gid=root inode_dev=08:05 inode_rdev=00:00
type=FS_WATCH msg=audit(05/22/08 18:24:01.071:83) : watch_inode=4313009 watch=hosts filterkey=testhost perm=read,write,append perm_mask=read
....
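ausearch filters records by the watched file, but the same raw records can be selected by the -k key from step 3 when triaging who touched the file. The script below is an added example, not part of the original post: it renders the watch rule in the form auditctl loads from /etc/audit/rules.d/audit.rules and summarises SYSCALL records carrying a given key (login uid and executable per event). The log records are constructed samples in the raw audit.log format, not output from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Field layout follows the raw
# audit.log format; the sample records below are constructed.

# Render the watch from the post as a line for /etc/audit/rules.d/audit.rules,
# so it is reloaded by auditctl at startup instead of being lost on reboot.
watch_rule() {
    # $1 = path to watch, $2 = permissions (r,w,x,a), $3 = key
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# Constructed sample: two opens of /etc/hosts under key "hosts-file"
# (vi by auid 1000, cat by auid 1000) and one unrelated event under another key.
SAMPLE_LOG='type=SYSCALL msg=audit(1558542241.071:83): arch=c000003e syscall=2 success=yes exit=3 ppid=2290 pid=2312 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="hosts-file"
type=PATH msg=audit(1558542241.071:83): item=0 name="/etc/hosts" inode=4313009 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1558542300.500:90): arch=c000003e syscall=2 success=yes exit=3 ppid=2290 pid=2400 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/bin/cat" key="hosts-file"
type=PATH msg=audit(1558542300.500:90): item=0 name="/etc/hosts" inode=4313009 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1558542350.100:95): arch=c000003e syscall=2 success=yes exit=3 ppid=2290 pid=2500 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="sudo" exe="/usr/bin/sudo" key="other"'

# Print one line per SYSCALL record that carries the given key:
# "<timestamp:serial> auid=<login uid> exe=<executable>". Reads the log on stdin.
# auid is the login uid, which survives su/sudo, so it names the real user.
summarise_key() {
    awk -v key="$1" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            ev = $2; sub(/^msg=audit\(/, "", ev); sub(/\):$/, "", ev)
            auid = ""; exe = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^exe=/)  { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            print ev, "auid=" auid, "exe=" exe
        }'
}

# Number of events recorded under a key in the constructed sample.
count_key_events() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_key "$1" | wc -l | tr -d ' '
}
```

On a live system replace the constructed sample with `cat /var/log/audit/audit.log` (or `ausearch -k hosts-file --raw`) piped into summarise_key.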

© 2019 · The Geek Diary