How to Audit File Access on Linux

by admin

Linux ships an audit package (the audit RPM on CentOS/RHEL) that provides the auditd service, which records the system calls that processes make. Among other things it can audit simple file operations such as reads, writes, executes and attribute changes. This post shows how to use it to monitor access to a file on a Linux system and answer questions like "When was the file read or modified?" and "Who edited this specific file?".

1. Start the auditd service first if it is not already running.

# service auditd start       ### CentOS/RHEL 6
# systemctl start auditd     ### CentOS/RHEL 7

2. Use the auditctl command to specify which file you want to monitor. The example below watches /etc/hosts for reads, writes and attribute changes and tags the resulting events with the key hostswrap:

# auditctl -w /etc/hosts -p war -k hostswrap

-w: the file (or directory) you want to audit/watch.
-p: which operations you want to audit/watch: r for read, w for write, x for execute, a for attribute change (chmod, chown, touch and the like). Note that on CentOS/RHEL 6/7 "a" does not mean append, even though older audit implementations reported the watch permission as "append" (as in the FS_WATCH records in the sample output further down). If -p is omitted the watch defaults to rwxa.
-k: a key (an arbitrary keyword) attached to every event this rule generates; when searching the audit log you can search by this key with ausearch -k.

3. Please note that changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. To make them persistent, add the rule to the rules file: /etc/audit/audit.rules on CentOS/RHEL 6, or a file such as /etc/audit/rules.d/hosts.rules on CentOS/RHEL 7, where augenrules merges everything under /etc/audit/rules.d/ into /etc/audit/audit.rules. Then reload the rule set so that the kernel picks up the change.

# vi /etc/audit/audit.rules    ### CentOS/RHEL 6 (on CentOS/RHEL 7 create /etc/audit/rules.d/hosts.rules instead)
-w /etc/hosts -p rwa -k hostswrap
# service auditd restart       ### CentOS/RHEL 6 and 7
# augenrules --load            ### CentOS/RHEL 7: reload the merged rules without restarting auditd

On CentOS/RHEL 7 do not use "systemctl restart auditd": the auditd unit sets RefuseManualStop=yes, so systemctl refuses to stop or restart it. "service auditd restart" still works there because the package handles it through a legacy action, and "augenrules --load" reloads the rules without touching the daemon at all.

4. To list the rules currently loaded into the kernel, use the -l option.

# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=8:5, path=/etc/hosts, filterkey=hostswrap, perms=rwa, valid=0

The output above comes from an older auditctl, which listed syscall rules ("No rules" here) and file watches separately. Current versions print each loaded rule in auditctl syntax, for example "-w /etc/hosts -p rwa -k hostswrap".

5. Check the audit log for any access to the file /etc/hosts. You can search by file name (-f) or by the key set in the rule (-k); -i turns numeric uids, syscall numbers and timestamps into readable names.

# ausearch -f /etc/hosts -i | less
# ausearch -k hostswrap -i | less

The sample output below was captured on an older audit implementation (note the FS_WATCH and FS_INODE record types and arch=i386). On current CentOS/RHEL kernels a watch produces SYSCALL, CWD and PATH records (plus PROCTITLE on newer versions) for each event, with the key in the SYSCALL record and the file name in the PATH record; the information you look for is the same.
type=FS_WATCH msg=audit(05/28/18 11:21:27.216:10) : watch_inode=4313009 watch=hosts filterkey=hostswrap perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(05/28/18 11:21:46.251:19) : arch=i386 syscall=open success=yes exit=5 a0=c679b5 a1=0 a2=1b6 a3=0 items=1 pid=16056 auid=unset uid=oracle gid=dba euid=oracle suid=oracle fsuid=oracle egid=dba sgid=dba fsgid=dba comm=ons exe=/home/oracle/oracle/product/10.2.0/crs_1/opmn/bin/ons
----
type=PATH msg=audit(05/28/18 11:21:38.697:11) : name=/etc/hosts flags=follow,access inode=4313009 dev=08:05 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(05/28/18 11:21:38.697:11) :  cwd=/newspace/TAR/May
type=FS_INODE msg=audit(05/28/18 11:21:38.697:11) : inode=4313009 inode_uid=root inode_gid=root inode_dev=08:05 inode_rdev=00:00
type=FS_WATCH msg=audit(05/28/18 11:21:38.697:11) : watch_inode=4313009 watch=hosts filterkey=hostswrap perm=read,write,append perm_mask=write
.....

Each event shows the time of the operation, the process and command that read or wrote the file (comm and exe), the uid/euid it ran as, and the kind of access (perm_mask here; the syscall plus the PATH flags in the newer record format). For "who edited the file?", look at auid, the login uid: it is set at login and survives su and sudo, so it identifies the person even when uid is root or a service account. auid=unset, as in the ons record above, means the process was not started from a login session (typically a daemon started at boot).

Filed Under: Linux


© 2022 · The Geek Diary
