Blog

Monitor changes made to a file using auditd

Tags: server monitoring

Published on: July 6, 2019 by Ruben Roy

Monitor changes made to a file using auditd

Scenario:

Modern Linux kernel comes with auditd daemon. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.

ausearch is a simple command line tool used to search the audit daemon log files based on events and different search criteria such as event identifier, key identifier, CPU architecture, command name, hostname, group name or group ID, syscall, messages and beyond. It also accepts raw data from stdin.

By default, ausearch queries the /var/log/audit/audit.log file, which you can view just like any other text file.

In order to use audit facility you need to use following utilities

auditctl    –   A command to assist controlling the kernels audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command

ausearch –   A command that can query the audit daemon logs based for events based on different search criteria.

aureport   –  A tool that produces summary reports of the audit system logs.

Step1: Install audit package

The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel.

root@sage16:/home/jackson# sudo apt-get update
root@sage16:/home/jackson# sudo apt-get install auditd
Reading package lists... Done
Building dependency tree      
Reading state information... Done

Now start service:

root@sage16:/home/jackson# /etc/init.d/auditd start 
[ ok ] Starting auditd (via systemctl): auditd.service.

How do I set a watch on a file for auditing?

Let us say you would like to audit a /etc/passwd file. You need to type command as follows:

#  auditctl -w /etc/passwd -p war -k password-file

Where,

-w /etc/passwd –   Insert a watch for the file system object at given path i.e. watch file called /etc/passwd

-p war –  Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.

-k password-file – Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need  to use password-file string or phrase while searching audit logs.

For Example let us see how do we find out who changed or accessed a file /etc/passwd?

Use ausearch command as follows:

# ausearch -f /etc/passwd 
OR 
# ausearch -f /etc/passwd | less 
OR 
# ausearch -f /etc/passwd -i | less

For example I have created the file and set a watchlog as  shown below

#  sudo auditctl -w /home/jackson/audit_test -p war

Now I am using ausearch command find out who changed or accessed a file

ausearch -f /home/jackson/audit_test

Please see the output as follows.

time->Sat May 18 18:36:57 2019 
type=PROCTITLE msg=audit(1558184817.050:210): proctitle="gedit" 
type=PATH msg=audit(1558184817.050:210): item=0 name="/home/jackson/audit_test" inode=13336667 dev=00:35 mode=0100664 ouid=10231 ogid=10231 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 
type=CWD msg=audit(1558184817.050:210): cwd="/home/jackson" 
type=SYSCALL msg=audit(1558184817.050:210): arch=c000003e syscall=2 success=yes exit=20 a0=1b57bc0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=1 ppid=1568 pid=4084 auid=4294967295 uid=10231 gid=10231 euid=10231 suid=10231 fsuid=10231 egid=10231 sgid=10231 fsgid=10231 tty=(none) ses=4294967295 comm="pool" exe="/usr/bin/gedit" key=(null)

Find User Activity in Auditd Log File, Please note that the -ua is used to pass a username.

# ausearch -ua jackson 

OR 

# ausearch -ua ruben -i

Please see the output added below. From the results, we can check which file has been edited by ‘jackson’

---- time->Sat May 18 18:59:45 2019

type=USER_END msg=audit(1558186185.996:50): pid=10976 uid=10221 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/25 res=success'

----

time->Sat May 18 18:59:45 2019

type=CRED_DISP msg=audit(1558186185.996:51): pid=10976 uid=10221 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/25 res=success'

Conclusion

So in this blog we discussed about the auditctl command  that assist controlling the kernels audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command. Also, using ausearch command we  can query the audit daemon logs based for events based on different search criteria.

server monitoring

Category : Security, Server Monitoring

Ruben Roy

Ruben Roy

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items