How to use auditd to track file changes


Alright, here’s a post for the advanced Linux users that doesn’t have time to mess around. Have you ever wanted to track what accesses a file on your server? Using the auditd daemon, you can do just that.

Is auditctl installed?

[root@eclipse ] ~ # which auditctl

How to install auditctl
If your output is blank, or shows an error message, you may need to install the audit package.

[root@eclipse ] ~ # yum -y install audit
Running auditd on boot
[root@eclipse ] ~ # chkconfig auditd on
[root@eclipse ] ~ # ntsysv

You’ll see a screen like this:


Just make sure auditd has a star, then hit once to go to the “Ok” button, and hit Enter to save.

After you save, be sure to start the auditd daemon by executing:

[root@eclipse] ~ # /etc/init.d/auditd start
Starting auditd: [ OK ]

Setting up a file watch
To setup a file watch, you’ll need 3 things:

  • The filename to watch
  • A shadow file to record the changes
  • A permission filter with at least one of these flags: a -> append, r -> read, w -> write, x -> execute

Once you have all of that, then go ahead and create your audit rule using the auditctl command like so:
[root@eclipse] ~ # auditctl -w /path/to/my/file -k /path/to/my/shadow-file -p rwxa

For example i’m going to use a file called /root/notouchie:

[root@eclipse] ~ # auditctl -w /root/notouchie -k /root/notouchie-shadow -p rwxa

You should then list your auditctl rules to verify that rule is in place.

[root@eclipse] ~ # auditctl -l
LIST_RULES: exit,always watch=/root/notouchie perm=rwxa key=/root/notouchie-shadow

Then, against better judgement, we’re going to touch /root/notouchie like so:

[root@eclipse] ~ # touch /root/notouchie

This should set off auditd, so now we search our audit database with ausearch and give it a few arguments.

[root@eclipse] ~ # ausearch -i -f /root/notouchie
type=PATH msg=audit(07/14/2010 00:53:12.844:94) :
item=0 name=/root/notouchie inode=131757 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/14/2010 00:53:12.844:94) :
type=SYSCALL msg=audit(07/14/2010 00:53:12.844:94) :
arch=x86_64 syscall=open success=yes exit=0 a0=7fffcec7fa71 a1=941 a2=1b6 a3=0 items=1 ppid=27044 pid=18781 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4294967295 comm=touch exe=/bin/touch key=/root/notouchie-shadow

Now we see that uid=root executed /bin/touch and modified the file.

This is just the beginning of the possibilities of auditd, check out more options at the manpage:



I am a g33k, Linux blogger, developer, student and Tech Writer for My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....