How to use auditd to track file changes

Post author:g33kadmin
Post published:July 15, 2010
Post category:General Info

Alright, here’s a post for the advanced Linux users that doesn’t have time to mess around. Have you ever wanted to track what accesses a file on your server? Using the auditd daemon, you can do just that.

Is auditctl installed?
[root@eclipse ] ~ # which auditctl /sbin/auditctl

How to install auditctl
If your output is blank, or shows an error message, you may need to install the audit package.
[root@eclipse ] ~ # yum -y install audit Running auditd on boot [root@eclipse ] ~ # chkconfig auditd on [root@eclipse ] ~ # ntsysv
You’ll see a screen like this:

ntsysv

Just make sure auditd has a star, then hit once to go to the “Ok” button, and hit Enter to save.

After you save, be sure to start the auditd daemon by executing:
[root@eclipse] ~ # /etc/init.d/auditd start Starting auditd: [ OK ]

Setting up a file watch
To setup a file watch, you’ll need 3 things:

The filename to watch
A shadow file to record the changes
A permission filter with at least one of these flags: a -> append, r -> read, w -> write, x -> execute

Once you have all of that, then go ahead and create your audit rule using the auditctl command like so:
[root@eclipse] ~ # auditctl -w /path/to/my/file -k /path/to/my/shadow-file -p rwxa

For example i’m going to use a file called /root/notouchie:
[root@eclipse] ~ # auditctl -w /root/notouchie -k /root/notouchie-shadow -p rwxa

You should then list your auditctl rules to verify that rule is in place.
[root@eclipse] ~ # auditctl -l LIST_RULES: exit,always watch=/root/notouchie perm=rwxa key=/root/notouchie-shadow

Then, against better judgement, we’re going to touch /root/notouchie like so:
[root@eclipse] ~ # touch /root/notouchie

This should set off auditd, so now we search our audit database with ausearch and give it a few arguments.
[root@eclipse] ~ # ausearch -i -f /root/notouchie ---- type=PATH msg=audit(07/14/2010 00:53:12.844:94) : item=0 name=/root/notouchie inode=131757 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(07/14/2010 00:53:12.844:94) : cwd=/root type=SYSCALL msg=audit(07/14/2010 00:53:12.844:94) : arch=x86_64 syscall=open success=yes exit=0 a0=7fffcec7fa71 a1=941 a2=1b6 a3=0 items=1 ppid=27044 pid=18781 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4294967295 comm=touch exe=/bin/touch key=/root/notouchie-shadow

Now we see that uid=root executed /bin/touch and modified the file.

This is just the beginning of the possibilities of auditd, check out more options at the manpage:

aureport(8)

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....