Linux audit for file changes

As a system admin, I need to know which user deleted, copied or moved a file, and the answer is the Linux audit tool. It is built into the Linux kernel and can log and track files, directories, resources and even system calls. Let's use Linux audit to track file changes.

You can create audit rules and track changes on your file systems. The audit tool provides three main utilities.

  • auditctl : Create, edit audit rules.
  • ausearch : Query audit logs.
  • aureport : Produce summary reports.

Installing audit tool in CentOS/Red

# yum install audit

Enable audit at boot time (chkconfig on SysV init systems, systemctl on systemd systems).

# chkconfig auditd on 
# systemctl enable auditd

Now start the service, using the command that matches your init system:

# /etc/init.d/auditd start 
# systemctl start auditd

Let’s understand the audit configuration

The audit configuration is stored in the /etc/audit/auditd.conf file. All of the settings are self-explanatory.

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

Creating audit rules.

There are three basic kinds of rules you can create:

  • File and directory watches
  • Basic system audits
  • System call audits

Note: Be careful when creating rules. Auditing everything puts a heavy load on the server, and a large log file can fill the disk.

There are two ways to configure audit rules: modify the rules file or use the built-in auditctl command.

Open your rules file /etc/audit/audit.rules and append this:

# some file and directory watches
-w /etc/passwd -p rwxa -k password_file

-w specifies the file or directory to watch.
-p enables permission filtering: r, w, x and a stand for read, write, execute and attribute changes.
-k specifies the key, which we can use to filter the logs.

You can also set the watch from the command line:

# auditctl -w /etc/passwd -p rwxa -k password_file

Creating audit rules for system calls.

# auditctl -a entry,always -S umask
# auditctl -a exit,never -S mount

-a appends a rule to a list with an action: the list (entry or exit) selects the point of the system call at which the rule is evaluated, and the action (always or never) selects whether an event is logged.
-S is the name of the system call.

Using audit log reports.

Audit logs are stored in /var/log/audit/audit.log in raw format, which is hard to read. The aureport tool provides a way to filter the log and generate reports in more readable formats.
Brief summary of the audit log: logins, processes, events, configuration changes, etc.

# aureport --summary

Same as the summary report, but only the successful events.

# aureport --success

Same as the summary report, but only the failed events.

# aureport --failed

Login related events

# aureport -l

Process related events.

# aureport -p

File related events.

# aureport -f

Which users are running which executables on your system

# aureport -u

Using ausearch for granular searching.

While aureport helps us generate reports, ausearch is used for custom reports and searching, e.g.

# ausearch -f /etc/passwd -i | more

-f : Filename
-i : Converts numeric data to human-readable form, such as a user ID to a username.

Search logs by login user ID, e.g. ausearch -ul apache will show all the processes and activity owned by the apache user.

# ausearch -ul login_id

Search by file name, e.g. ausearch -f /root/passwd will show all reads and modifications of that file.

# ausearch -f filename

Search by audit key. Since we gave our audit rules keys, we can search on those keys to show only the related events.

# ausearch -k key

Some useful examples.

Let’s find out who deleted files in a particular directory:

# ausearch -k password_file -x rm
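
To show what such a search works from, this added example (not from the original article) parses raw audit.log records, groups them by event serial number, and reports who deleted which path for a given key. The sample records are constructed and trimmed, the function names are hypothetical, and the delete marker is assumed to be in the PATH record's nametype field (objtype on some kernels).

```python
import re
from collections import defaultdict

# Constructed sample records (not real data, fields trimmed): an rm run as root
# by login user 1050, then a cat by the same user.
SAMPLE_LOG = '''
type=SYSCALL msg=audit(1429437600.123:401): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2377 auid=1050 uid=0 comm="rm" exe="/bin/rm" key="your_key"
type=CWD msg=audit(1429437600.123:401):  cwd="/home/shared"
type=PATH msg=audit(1429437600.123:401): item=0 name="/home/shared" inode=131 nametype=PARENT
type=PATH msg=audit(1429437600.123:401): item=1 name="report.txt" inode=140 nametype=DELETE
type=SYSCALL msg=audit(1429437611.456:402): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=2380 auid=1050 uid=1050 comm="cat" exe="/bin/cat" key="your_key"
type=CWD msg=audit(1429437611.456:402):  cwd="/home/shared"
type=PATH msg=audit(1429437611.456:402): item=0 name="notes.txt" inode=141 nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial: {serial: {record_type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype].append(fields)
    return events

def deletions(text, key):
    """Return (auid, uid, exe, path) for each path deleted in events tagged with key."""
    hits = []
    for _serial, recs in sorted(parse_events(text).items()):
        for sc in recs.get('SYSCALL', []):
            if sc.get('key') != key or sc.get('success') != 'yes':
                continue
            cwd = recs['CWD'][0].get('cwd', '') if recs.get('CWD') else ''
            for p in recs.get('PATH', []):
                if (p.get('nametype') or p.get('objtype')) == 'DELETE':
                    # Names with spaces or special characters are hex-encoded
                    # in the raw log and are left undecoded here.
                    name = p.get('name', '')
                    path = name if name.startswith('/') else cwd.rstrip('/') + '/' + name
                    hits.append((sc.get('auid'), sc.get('uid'), sc.get('exe'), path))
    return hits

if __name__ == '__main__':
    for auid, uid, exe, path in deletions(SAMPLE_LOG, 'your_key'):
        print(f'auid={auid} uid={uid} exe={exe} deleted {path}')
```

The auid (login user ID) is the value to attribute the action to: it stays 1050 even though the rm itself ran with uid 0.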

Time based search

# ausearch -ts today -k your_key
# ausearch -ts 19/04/15 -k your_key

Granular search: search today's events for a key and filename where user 1050 tried to move that file.

# ausearch -ts today -k your_key -f filename -x mv -ui 1050

Granular search: search 19/04/15 for a key on a directory for events from user 1050. The read, write and attribute filter (-p war) is set on the watch rule with auditctl, not in ausearch, where -w means whole-word matching and -p means process ID, so the search selects the directory with -f.

# ausearch -ts 19/04/15 -k your_key -f /home/ -ui 1050

Many other options are available; you can check the auditd manual.