As a system admin, I need to know which user deleted a file, copied it or moved it, and the answer is the Linux audit framework. The audit subsystem is built into the Linux kernel, and its user-space tools (auditd) can log and track access to files, directories and other resources, down to individual system calls. One caveat up front: audit does not know what a "copy" is; a copy shows up as a read of the source and a write of the destination, so to catch copies you have to watch the source for reads. Let's use Linux audit to track file changes.
You can create audit rules and track changes on your file systems. The audit package provides three main utilities:
- auditctl : create, edit and list audit rules (auditctl -l lists the loaded rules, auditctl -s shows daemon status and lost-event counters).
- ausearch : query the audit logs.
- aureport : produce summary reports.
Installing the audit tool on CentOS/Red Hat:
# yum install audit
Enabling audit at boot time (SysV init or systemd, depending on the release):
# chkconfig auditd on
# systemctl enable auditd
Now start the service:
# /etc/init.d/auditd start
# systemctl start auditd
Let's understand the audit configuration.
The daemon configuration is stored in /etc/audit/auditd.conf. Most settings are self-explanatory, and auditd.conf(5) documents each one; a default file looks like this:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
The settings that matter most for security are the *_action ones. With SUSPEND, auditd simply stops writing when the disk fills or fails, so anyone who can fill /var/log can blind the audit trail without leaving a trace in it. Where the trail must not have gaps, set disk_full_action and disk_error_action to something stronger than SUSPEND (SINGLE and HALT are the documented options), keep space_left_action at SYSLOG or EMAIL so you are warned early, and put /var/log/audit on its own partition. Note also that flush = INCREMENTAL with freq = 20 flushes to disk only every 20 records, so a crash can lose up to 19 of them; flush = DATA or SYNC trades throughput for durability.
Creating audit rules.
There are three basic kinds of rules you can create:
- File and directory watches
- Basic system audits (control rules such as -D, -b and -e)
- System call audits
Note: be careful while creating rules. Auditing everything puts a heavy load on the server, and large log files can fill the disk.
There are two ways to configure audit rules: edit the rules file, or use the built-in auditctl command. Rules added with auditctl take effect immediately but are lost at reboot; rules in the file are loaded by auditd at startup.
Open your rules file /etc/audit/audit.rules (on newer releases this file is generated from /etc/audit/rules.d/*.rules by augenrules, so put your rules there instead) and append this:
# some file and directory watches
-D
-w /etc/passwd -p rwxa -k password_file
-D deletes all existing rules first so the file starts from a known state; it belongs at the top of the file.
The -w flag specifies the file or directory to watch.
The -p flag filters on the access type: r (read), w (write), x (execute) and a (attribute change). Including r on /etc/passwd is very noisy, because every process that resolves a user name reads it; -p wa is the usual choice for system files.
The -k flag attaches a key that we can later use to filter the logs.
You can also set the watch from the command line; it takes effect immediately but does not survive a reboot:
# auditctl -w /etc/passwd -p rwxa -k password_file
Creating audit rules for system calls.
# auditctl -a always,exit -S umask
# auditctl -a never,exit -S mount
-a appends a rule to a list with an action: always logs the call, never suppresses it. The only list for system calls is exit (the old entry list was removed from the kernel, and current auditctl rejects it). never rules must come before the always rules they are meant to exclude, because the first matching rule wins.
-S is the name (or number) of the system call. On x86_64 add -F arch=b64 (and a second rule with -F arch=b32 if 32-bit binaries matter), otherwise auditctl warns that the rule is ambiguous between the two ABIs, since their syscall numbers differ.
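As an added example (not code from the original page), here is a rule set in the current auditctl syntax that answers the page's opening question for one directory: who deleted, moved or renamed files under it. /srv/data, the key data_dir and the file name 90-data-dir.rules are hypothetical. The numeric form auid!=4294967295 is used because older auditctl versions do not understand the auid!=unset spelling that newer ones accept.

```shell
#!/bin/sh
# Added example, not from the original page: auditctl rules that record
# deletions and renames under a directory, attributed to the login uid.
# /srv/data, the key data_dir and the rules file name are hypothetical.

deletion_rules() {
  cat <<'EOF'
## Start from a clean rule set and enlarge the kernel backlog so bursts of
## events are not dropped (dropped events show as "lost" in auditctl -s).
-D
-b 8192
## What to do when the backlog overflows: 0 = silent, 1 = printk, 2 = panic.
-f 1

## Deletions and renames under /srv/data by logged-in users. Two rules are
## needed on x86_64 because 32-bit and 64-bit syscall numbers differ.
## auid>=1000 skips system accounts; auid!=4294967295 skips processes that
## never logged in (daemons, cron, boot), whose login uid is "unset".
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F dir=/srv/data -F auid>=1000 -F auid!=4294967295 -k data_dir
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F dir=/srv/data -F auid>=1000 -F auid!=4294967295 -k data_dir

## The watch from the page, but without "r": every process reads /etc/passwd
## for name lookups, so auditing reads of it floods the log.
-w /etc/passwd -p wa -k password_file

## Uncomment to make the rule set immutable until reboot, so that root cannot
## quietly remove the watches (-e 2 must be the last line).
##-e 2
EOF
}

# Number of active rule lines (comments and blank lines excluded).
rule_count() { deletion_rules | grep -c '^-'; }

# Write the rules where augenrules(8) picks them up and load them.
# Needs root and the audit package; augenrules merges /etc/audit/rules.d/*.rules
# into /etc/audit/audit.rules and loads the result with auditctl -R.
install_rules() {
  command -v augenrules >/dev/null 2>&1 || { echo "audit tools not installed" >&2; return 1; }
  deletion_rules > /etc/audit/rules.d/90-data-dir.rules
  augenrules --load
}
```

Load it with install_rules (as root), then confirm with auditctl -l that the rules are active and with auditctl -s that lost is 0; afterwards ausearch -k data_dir -i lists every deletion and rename with the user names resolved. The -e 2 line is left commented because once set it cannot be undone without a reboot, which is the point: it locks out the administrator as well as the attacker.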
Using audit log reports.
Audit logs are stored in /var/log/audit/audit.log in raw format, which is hard to read. The aureport tool filters the log and generates reports in a more readable form.
A brief summary of the audit: logins, processes, events, configuration changes and so on.
# aureport --summary
Same as the summary report, but only the successful events.
# aureport --success
Same as the summary report, but only the failed events.
# aureport --failed
Login related events:
# aureport -l
Process related events:
# aureport -p
File related events:
# aureport -f
Per-user summary of events (add -i to show user names instead of numeric ids):
# aureport -u
Which executables were run on your system, and by whom, comes from the executable report rather than the user report:
# aureport -x
Using ausearch for granular searching.
While aureport generates reports, ausearch is used for custom searches and reports, e.g.
# ausearch -f /etc/passwd -i | more
-f : file name.
-i : interpret numeric data as human-readable data, e.g. convert a uid to a user name and a syscall number to its name.
Search logs by user. There are two different user fields, and the difference matters: -ui matches the uid the process ran as, while -ul matches the audit login uid (auid), which is set at login and survives su and sudo, so it still names the person even when the command ran as root. For example, ausearch -ul apache only finds sessions that logged in as apache; a service account never logs in, so its processes carry an unset auid and the search returns nothing. To see what the apache service account's processes did, search on the uid instead: ausearch -ui apache.
# ausearch -ul login_id
Search based on file name, e.g. ausearch -f /root/passwd shows all reads and modifications of that file.
# ausearch -f filename
Search based on audit key. As we attached keys to our rules, we can search on them to show only the related events.
# ausearch -k key
Let's find out who deleted files covered by a rule (the key must match the one used in the rule, password_file here):
# ausearch -k password_file -x rm
-x matches the executable that made the call, so deletions through other programs (mv, an editor, a script) will not match rm. Searching by system call catches them all; current coreutils rm uses unlinkat, older versions use unlink:
# ausearch -k password_file -sc unlinkat
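As an added example (not code from the original page), here is how to answer the same question directly from the raw log, which also shows the auid-versus-uid distinction discussed under the user searches above. The awk script joins each PATH record carrying nametype=DELETE to the SYSCALL record of the same event (all records of one event share the msg=audit(EPOCH:SERIAL) id) and prints the login uid, the uid the process ran as, the program, the key and the removed path. The log lines are constructed for the example, not captured from a real system; /srv/data and the key data_dir are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: attribute DELETE records in a
# RAW-format audit.log to the login uid (auid) rather than only the uid.
# /srv/data, the key data_dir and the log lines below are constructed.

# Read one or more audit.log files (or stdin) and print one line per event
# that removed a path: "epoch auid=.. uid=.. comm=.. key=.. deleted: paths"
audit_who_deleted() {
  awk '
    # event id is the "EPOCH.MS:SERIAL" inside msg=audit(...); every record
    # of one syscall (SYSCALL, CWD, PATH, ...) carries the same id
    function event_id(line) {
      match(line, /msg=audit\([^)]*\)/)
      return substr(line, RSTART + 10, RLENGTH - 11)
    }
    # value of " K=" in a record, quotes stripped; "" when the field is absent
    function field(line, k,    v) {
      if (!match(line, " " k "=\"?[^\" ]*")) return ""
      v = substr(line, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
      gsub(/"/, "", v)
      return v
    }
    # auid 4294967295 (-1) is "unset": a daemon, cron job or boot-time process
    function login(a) { return (a == "4294967295") ? "unset" : a }

    /^type=SYSCALL / {
      id = event_id($0)
      if (!(id in seen)) { seen[id] = 1; order[n++] = id }
      auid[id] = field($0, "auid"); uid[id] = field($0, "uid")
      comm[id] = field($0, "comm"); akey[id] = field($0, "key")
    }
    # PATH items with nametype=DELETE: unlink/unlinkat targets and the old
    # name of a rename, so mv shows up here as well as rm
    /^type=PATH / && / nametype=DELETE/ {
      id = event_id($0)
      deleted[id] = deleted[id] " " field($0, "name")
    }
    END {
      for (i = 0; i < n; i++) {
        id = order[i]
        if (!(id in deleted)) continue
        split(id, t, /[.:]/)    # t[1] is the epoch second
        printf "%s auid=%s uid=%s comm=%s key=%s deleted:%s\n", t[1], login(auid[id]), uid[id], comm[id], akey[id], deleted[id]
      }
    }
  ' "$@"
}

# Constructed sample log: sudo rm by user 1050, a daemon unlink, and a mv.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1429450000.101:301): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0c0 a2=0 a3=0 items=2 ppid=2100 pid=2105 auid=1050 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" key="data_dir"
type=CWD msg=audit(1429450000.101:301): cwd="/srv/data"
type=PATH msg=audit(1429450000.101:301): item=0 name="/srv/data/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1429450000.101:301): item=1 name="/srv/data/report.csv" inode=140 dev=fd:01 mode=0100644 ouid=1050 ogid=1050 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1429450000.250:302): arch=c000003e syscall=87 success=yes exit=0 a0=7f1e5c0 a1=0 a2=0 a3=0 items=2 ppid=900 pid=912 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="data_dir"
type=CWD msg=audit(1429450000.250:302): cwd="/"
type=PATH msg=audit(1429450000.250:302): item=0 name="/srv/data/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1429450000.250:302): item=1 name="/srv/data/cache.tmp" inode=142 dev=fd:01 mode=0100644 ouid=48 ogid=48 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1429450000.400:303): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=0 a3=0 items=4 ppid=2100 pid=2130 auid=1050 uid=1050 gid=1050 euid=1050 suid=1050 fsuid=1050 egid=1050 sgid=1050 fsgid=1050 tty=pts0 ses=4 comm="mv" exe="/usr/bin/mv" key="data_dir"
type=CWD msg=audit(1429450000.400:303): cwd="/srv/data"
type=PATH msg=audit(1429450000.400:303): item=0 name="/srv/data/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1429450000.400:303): item=1 name="/tmp/" inode=12 dev=fd:01 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1429450000.400:303): item=2 name="/srv/data/secrets.txt" inode=141 dev=fd:01 mode=0100600 ouid=1050 ogid=1050 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1429450000.400:303): item=3 name="/tmp/secrets.txt" inode=141 dev=fd:01 mode=0100600 ouid=1050 ogid=1050 rdev=00:00 nametype=CREATE
EOF
}

# With no arguments, run on the constructed sample; otherwise on the given
# log files, e.g. ./who_deleted.sh /var/log/audit/audit.log (as root).
if [ "$#" -eq 0 ]; then sample_audit_log | audit_who_deleted; else audit_who_deleted "$@"; fi
```

The three output lines make the point of the login uid: the first deletion ran as uid 0 but auid=1050 names the user who ran sudo; the second carries auid=unset because httpd never logged in, so only the uid identifies it; the third shows that a rename (mv) produces a DELETE record for the old name, so moving a file out of the directory is caught as well.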
Time based search:
# ausearch -ts today -k your_key
# ausearch -ts 19/04/15 -k your_key
-ts sets the start time and -te the end time. Keywords such as now, recent, today, this-week and this-month are accepted. Numeric dates follow the locale's date format (DD/MM/YY here, MM/DD/YY on a US locale), so check the format with the date command if a search unexpectedly returns nothing.
Granular search: search today for a key and file name where user 1050 tried to move that file.
# ausearch -ts today -k your_key -f filename -x mv -ui 1050
Granular search: search 19/04/15 for a key for changes made by user 1050. Note that ausearch has no permission filter: its -p is --pid and its -w is --word, not the -p and -w of auditctl. Which accesses get recorded is decided by the rule's -p, and the access type is then visible in the syscall name of each hit, so narrow the search by key, user and time and, if needed, by system call with -sc:
# ausearch -ts 19/04/15 -k your_key -ui 1050
# ausearch -ts 19/04/15 -k your_key -ui 1050 -sc rename
Many other options are available; check the auditctl(8), ausearch(8) and aureport(8) manual pages.