So you have a situation where a certain file gets deleted frequently and you need to investigate who deletes it. The file may be removed by a user or by a system process. The auditd service is a good tool for investigating such file deletion issues. This post outlines the steps to install and configure auditd to monitor deletion of the file /var/tmp/test_file.
Red Hat Enterprise Linux ships the audit subsystem, which can log file activity performed by users or processes once suitable audit rules are configured.
1. Mostly, you will find auditd already installed on Red Hat-based distributions. If not, install it using yum:
# yum install audit
2. Next, make sure the service is started on boot and start the service.
# systemctl enable auditd
# systemctl start auditd
It is advised that you use the “service” command instead of systemctl in CentOS/RHEL 7 when restarting the auditd service. If you use the systemctl command you may encounter the following error:
# systemctl restart auditd
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
3. Check the status of the service:
# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-06-16 03:29:19 UTC; 8s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 1951 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 1946 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 1947 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─1947 /sbin/auditd
Configuring audit rules
1. To configure audit rules, add the following lines to the /etc/audit/rules.d/audit.rules file:
# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete
The rules above monitor the whole system for the unlink, unlinkat, rename, renameat and rmdir system calls, i.e. every file deletion and rename. Optionally, you can restrict the rule to a directory tree: for example, if you want to monitor deletions only on a specific file system, specify its mount point by adding the following field to the audit rule:
-F dir=[directory or mount point]
With that field the two rules defined above collapse into one single rule, as shown below:
# vi /etc/audit/rules.d/audit.rules
-a always,exit -F dir=/var/tmp -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete_var
Please note that I have also changed the key in the rule (from delete to delete_var).
2. You need to restart the auditd service in order for the rules to become effective.
# service auditd restart
3. Use the command ‘auditctl -l’ to view the currently active auditd rules.
# auditctl -l
-a always,exit -S rename,rmdir,unlink,unlinkat,renameat -F dir=/var/tmp -F key=delete_var
Check audit logs for file deletion
1. You can now try deleting the file “/var/tmp/test_file” to see if the auditd rule we just created logs this event in the log file.
2. The deletion is logged in the file /var/log/audit/audit.log. Rather than reading the raw log, use the ausearch command with the key specified in the audit rule (-k) to look up only the matching events:
# ausearch -k delete_var
...
----
time->Sat Jun 16 04:02:25 2018
type=PROCTITLE msg=audit(1529121745.550:323): proctitle=726D002D69002F7661722F746D702F746573745F66696C65
type=PATH msg=audit(1529121745.550:323): item=1 name="/var/tmp/test_file" inode=16934921 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1529121745.550:323): item=0 name="/var/tmp/" inode=16819564 dev=ca:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1529121745.550:323): cwd="/root"
type=SYSCALL msg=audit(1529121745.550:323): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=9930c0 a2=0 a3=7ffe9f8f2b20 items=2 ppid=2358 pid=2606 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete_var"
As you can see in the above log, the user root (uid=0) deleted (exe="/usr/bin/rm") the file /var/tmp/test_file. Note that auid=1001 is the login UID of the session that later became root, so when attributing the deletion to a person, look at auid rather than uid: uid only tells you which identity was in effect at the time of the syscall.
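As an added example (not part of the original post), here is a small Python parser that turns raw ausearch records such as the ones above into one summary per event: it groups records by their audit serial, decodes the hex-encoded PROCTITLE back into the command line, lists the PATH items with objtype=DELETE, and flags events where auid differs from uid. The sample records are constructed from the output shown above; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the ausearch records shown above, one record per line.
SAMPLE = '''\
type=PROCTITLE msg=audit(1529121745.550:323): proctitle=726D002D69002F7661722F746D702F746573745F66696C65
type=PATH msg=audit(1529121745.550:323): item=1 name="/var/tmp/test_file" inode=16934921 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1529121745.550:323): item=0 name="/var/tmp/" inode=16819564 dev=ca:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1529121745.550:323): cwd="/root"
type=SYSCALL msg=audit(1529121745.550:323): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=9930c0 a2=0 a3=7ffe9f8f2b20 items=2 ppid=2358 pid=2606 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete_var"
'''

MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = '4294967295'  # auid=-1 as the kernel prints it: no login session (daemons, cron)

def parse_record(line):
    """Turn one audit record into a dict; quotes are stripped except on proctitle (see below)."""
    return {k: (v if k == 'proctitle' else v.strip('"')) for k, v in FIELD_RE.findall(line)}

def decode_proctitle(value):
    """auditd quotes a printable title; otherwise it is hex because argv contained NUL separators."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode('utf-8', 'replace').rstrip('\0').replace('\0', ' ')

def summarize_deletions(text, key='delete_var'):
    """Group records by audit serial and summarize every event tagged with our rule key."""
    events = defaultdict(list)  # serial -> records belonging to the same syscall event
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events[m.group('serial')].append(dict(parse_record(line), _ts=float(m.group('ts'))))
    out = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = next((r for r in recs if r['type'] == 'SYSCALL' and r.get('key') == key), None)
        if sc is None:
            continue  # event was not produced by our delete rule
        title = next((r['proctitle'] for r in recs if r['type'] == 'PROCTITLE'), '""')
        out.append({
            'serial': serial, 'time': sc['_ts'],
            'auid': sc['auid'], 'uid': sc['uid'], 'exe': sc['exe'], 'comm': sc['comm'],
            'success': sc['success'] == 'yes',
            'cwd': next((r['cwd'] for r in recs if r['type'] == 'CWD'), ''),
            'cmdline': decode_proctitle(title),
            'deleted': [r['name'] for r in recs if r.get('objtype') == 'DELETE'],
            # auid is the login user; when it differs from uid the delete happened after su/sudo
            'escalated': sc['auid'] not in (AUID_UNSET, sc['uid']),
        })
    return out
```

Feeding it the output of `ausearch -k delete_var` (or /var/log/audit/audit.log directly) yields, for the event above, cmdline "rm -i /var/tmp/test_file" with auid 1001 and escalated set, which is the detail the uid=0 field alone hides.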