Alright, here’s a post for the advanced Linux users that doesn’t have time to mess around. Have you ever wanted to track what accesses a file on your server? Using the auditd daemon, you can do just that.
Is auditctl installed?
[[email protected] ] ~ # which auditctl
How to install auditctl
If your output is blank, or shows an error message, you may need to install the audit package.
[[email protected] ] ~ # yum -y install audit
Running auditd on boot
[[email protected] ] ~ # chkconfig auditd on
[[email protected] ] ~ # ntsysv
You’ll see a screen like this:
Just make sure auditd has a star, then hit once to go to the “Ok” button, and hit Enter to save.
After you save, be sure to start the auditd daemon by executing:
[[email protected]] ~ # /etc/init.d/auditd start
Starting auditd: [ OK ]
Setting up a file watch
To setup a file watch, you’ll need 3 things:
- The filename to watch
- A shadow file to record the changes
- A permission filter with at least one of these flags: a -> append, r -> read, w -> write, x -> execute
Once you have all of that, then go ahead and create your audit rule using the auditctl command like so:
[[email protected]] ~ # auditctl -w /path/to/my/file -k /path/to/my/shadow-file -p rwxa
For example i’m going to use a file called /root/notouchie:
[[email protected]] ~ # auditctl -w /root/notouchie -k /root/notouchie-shadow -p rwxa
You should then list your auditctl rules to verify that rule is in place.
[[email protected]] ~ # auditctl -l
LIST_RULES: exit,always watch=/root/notouchie perm=rwxa key=/root/notouchie-shadow
Then, against better judgement, we’re going to touch /root/notouchie like so:
[[email protected]] ~ # touch /root/notouchie
This should set off auditd, so now we search our audit database with ausearch and give it a few arguments.
[[email protected]] ~ # ausearch -i -f /root/notouchie
type=PATH msg=audit(07/14/2010 00:53:12.844:94) :
item=0 name=/root/notouchie inode=131757 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/14/2010 00:53:12.844:94) :
type=SYSCALL msg=audit(07/14/2010 00:53:12.844:94) :
arch=x86_64 syscall=open success=yes exit=0 a0=7fffcec7fa71 a1=941 a2=1b6 a3=0 items=1 ppid=27044 pid=18781 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4294967295 comm=touch exe=/bin/touch key=/root/notouchie-shadow
Now we see that uid=root executed /bin/touch and modified the file.
This is just the beginning of the possibilities of auditd, check out more options at the manpage: