Alright, here’s a post for the advanced Linux users that doesn’t have time to mess around. Have you ever wanted to track what accesses a file on your server? Using the auditd daemon, you can do just that.
Is auditctl installed?
How to install auditctl
If your output is blank, or shows an error message, you may need to install the audit package.
Running auditd on boot
[root@eclipse ] ~ # chkconfig auditd on
[root@eclipse ] ~ # ntsysv
You’ll see a screen like this:
Just make sure auditd has a star, then hit once to go to the “Ok” button, and hit Enter to save.
After you save, be sure to start the auditd daemon by executing:
Starting auditd: [ OK ]
Setting up a file watch
To setup a file watch, you’ll need 3 things:
- The filename to watch
- A shadow file to record the changes
- A permission filter with at least one of these flags: a -> append, r -> read, w -> write, x -> execute
Once you have all of that, then go ahead and create your audit rule using the auditctl command like so:
For example i’m going to use a file called /root/notouchie:
You should then list your auditctl rules to verify that rule is in place.
LIST_RULES: exit,always watch=/root/notouchie perm=rwxa key=/root/notouchie-shadow
Then, against better judgement, we’re going to touch /root/notouchie like so:
This should set off auditd, so now we search our audit database with ausearch and give it a few arguments.
type=PATH msg=audit(07/14/2010 00:53:12.844:94) :
item=0 name=/root/notouchie inode=131757 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/14/2010 00:53:12.844:94) :
type=SYSCALL msg=audit(07/14/2010 00:53:12.844:94) :
arch=x86_64 syscall=open success=yes exit=0 a0=7fffcec7fa71 a1=941 a2=1b6 a3=0 items=1 ppid=27044 pid=18781 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4294967295 comm=touch exe=/bin/touch key=/root/notouchie-shadow
Now we see that uid=root executed /bin/touch and modified the file.
This is just the beginning of the possibilities of auditd, check out more options at the manpage: