• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How to Audit File Access on Linux

by admin

On Linux there is an audit RPM named audit, which provides auditd service to monitor the processes and the commands as well. Using audit RPM we can audit some simple file operation like read, write and execution. This post will introduce a method to monitor the file access on the Linux system. Like “When the file was read/modified?”, “Who edit the specific file?”.

1. start the auditd service first if its not running.

# service auditd start       ### CentOS/RHEL 6
# systemctl start auditd     ### CentOS/RHEL 7

2. use auditctl command to specify which files you want to monitor:

# auditctl -w /etc/hosts -p war -k hostswrap

-w: specify the file you want to audit/watch.
-p: which operation/permission you want to audit/watch, r for read, w for write, x for execute, a for append.
-k: specify a keyword for this audit rule, when searching the audit log, you can search by this keyword

3. Please note that changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. To make changes persistent, add them to the /etc/audit/audit.rules file and, if they are not currently loaded into audit, restart the auditd service to load the modified rule set.

# vi /etc/audit.rules
-w /etc/hosts -p war -k hostswrap
# service auditd restart       ### CentOS/RHEL 6
# systemctl restart auditd     ### CentOS/RHEL 7

4. To list the current audit rules in auditd service, use the “l” option.

# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=8:5, path=/etc/hosts, filterkey=hostswrap, perms=rwa, valid=0

5. check the audit log for any access to the file /etc/hosts.

# ausearch -f /etc/hosts -i | less
type=FS_WATCH msg=audit(05/28/18 11:21:27.216:10) : watch_inode=4313009 watch=hosts filterkey=hostswrap perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(05/28/18 11:21:46.251:19) : arch=i386 syscall=open success=yes exit=5 a0=c679b5 a1=0 a2=1b6 a3=0 items=1 pid=16056 aui
d=unset uid=oracle gid=dba euid=oracle suid=oracle fsuid=oracle egid=dba sgid=dba fsgid=dba comm=ons exe=/home/oracle/oracle/product/10.2.0/c
rs_1/opmn/bin/ons
----
type=PATH msg=audit(05/28/18 11:21:38.697:11) : name=/etc/hosts flags=follow,access inode=4313009 dev=08:05 mode=file,644 ouid=root ogid=root
 rdev=00:00
type=CWD msg=audit(05/28/18 11:21:38.697:11) :  cwd=/newspace/TAR/May
type=FS_INODE msg=audit(05/28/18 11:21:38.697:11) : inode=4313009 inode_uid=root inode_gid=root inode_dev=08:05 inode_rdev=00:00
type=FS_WATCH msg=audit(05/28/18 11:21:38.697:11) : watch_inode=4313009 watch=hosts filterkey=hostswrap perm=read,write,append perm_mask=writ
e
.....

The log shows the operation time, the processed/command to read/write the file, uid, etc.

Filed Under: Linux

Some more articles you might also be interested in …

  1. What are different Samba Server Types
  2. How to configure VNC Server on Oracle Linux 6
  3. namei: command not found
  4. How to create partitions inside loopback device
  5. CentOS / RHEL 7 : How to check the status of a service using systemd
  6. pacman –files Command Examples
  7. How to Enable IPv6 In CentOS / RHEL 5
  8. wc Command Examples in Linux
  9. How to uninstall ssh software package from Ubuntu
  10. 5 Useful Command Examples to Monitor User Activity under Linux

You May Also Like

Primary Sidebar

Recent Posts

  • powertop Command Examples in Linux
  • powertop: command not found
  • powerstat: command not found
  • powerstat Command Examples in Linux

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright