Child pages
  • Tracking Changes in the Linux Filesystem
Skip to end of metadata
Go to start of metadata

There are a few tools available which can be used to track modifications to the filesystem in Linux. One of the more popular and widely supported utilities for this is known as audit.  Audit will allow a system administrator to monitor when certain files or directories are accessed or modified.

When monitoring, Audit runs in the background as a daemon and by default logs changes to it’s monitored files at /etc/log/audit.log. There are two important commands to be familiar with when using audit: auditctl and ausearch.

auditctl is used for configuring the auditd daemon.

ausearch is used for conveniently searching the auditd logs.

 

Install and run Audit

Ubuntu/Debian: sudo apt-get install audit

CentOS/RHEL: yum install audit

After installation, start the service with:

/etc/init.d/auditd start

 

Begin logging!

Auditd is often used for monitoring access and changes to the /etc/passwd file:

auditctl -w /etc/passwd -k passwd-ra -p ra

This command will create a rule telling auditd to watch the /etc/passwd (-w /etc/passwd) file for read access or attribute changes (-p ra) and it will label these logs specifically with the identifier key “passwd-ra” (-k passwd-ra).

 

Rules created with auditctl will be lost when either the service or server is restarted. Permanent audit rules should stored in /etc/audit/audit.rules which is loaded from each time the service starts.

 

Now if you are to read the file (cat, tail, etc.) or edit the files attributes (chattr), the action will be logged to /etc/log/audit.log…

Read file:

tail /etc/passwd

Search log for ‘read’ events:

 

root@dev:~# ausearch -k passwd-ra

----

time->Wed Oct 29 18:44:44 2014

type=CONFIG_CHANGE msg=audit(1414601084.452:3846): auid=0 ses=3 op="add rule" key="passwd-ra" list=4 res=1

----

time->Wed Oct 29 18:45:19 2014

type=PATH msg=audit(1414601119.795:3847): item=0 name="/etc/passwd" inode=206639 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

type=CWD msg=audit(1414601119.795:3847):  cwd="/root"

type=SYSCALL msg=audit(1414601119.795:3847): arch=c000003e syscall=2 success=yes exit=3 a0=7fff717d48fe a1=0 a2=0 a3=7fff717d33a0 items=1 ppid=12461 pid=12498 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3 tty=pts0 comm="<b>tail</b>" exe="/usr/bin/<b>tail</b>" key="passwd-ra"

 

You can see from this output that there is one entry with identifier ‘passwd-ra’ showing that the root user (uid=0 gid=0) read the file /etc/passwdusing the command tail (comm=”tail” exe=”/usr/bin/tail”) on Oct 29, 2014 (time->Wed Oct 29 18:45:19 2014).

 

Basic Switches & Flags

# auditctl

-w [filepath] Insert watch for the file system object at filepath.

-l List active rules.

-k [key] Set identifier (aka filter key). Identifies logs produced by this rule.

-p [r|w|x|a] Define permission access type trigger.

user Used to filter messages from a specific user as defined by uid, auid, gid, pid, etc.

-A [list,action] Add rule to beginning of defined list with defined action. (Default list is /etc/audit/audit.rules)

-d [list,action] Remove rule from list with action.

-D delete all rules and watches. Accepts key (-k) option too.

-b [size] Set backlog buffer size. Default 64kb. May need to increase if there is a high rate of logging.

-r [rate] Set limit in messages/sec. Logging fails if rate exceeds this limit.

# ausearch

-f [filename] Search for an event based on the given filename.

-gi [gid] Search for an event based on group ID.

-ui [uid] Search for an event based on User ID.

-hn [hostname] Search for an event with the given hostname.

-i Interpret numeric IDs into text, i.e. convert uid to username.

-if [logfile] Specify alternate logfile source.

-k [keyname] Filter from specific key identifier.

-p [process-id] Filter from specific process-id.

-pp [parent-pid] Filter from specific parent pid.

-w [word] Search for specific word string in filename, hostname, terminal and SE Linux context.

-x [executable] Search for specific executable name (i.e. /bin/grep or rm).