How To Check Who Changes or Modifies File or Directory on Linux|centos|ubuntu|RHEL

On a Linux system, changes to files or directories can be tracked easily with an auditd watch rule. This article explains how to check who changed or modified a file or directory on Linux (CentOS, Ubuntu, RHEL).


Topic

  • How to check who Changes File or Directory on Linux|centos|ubuntu|RHEL?
  • Audit or track who Changes File or Directory on a Linux|centos|ubuntu|RHEL system
  • Audit or track file or directory changes on a Linux
  • Linux audit or track file or directory changes


Solution


Execute the following commands to watch or monitor changes to files or directories on a running Linux system, without restarting the auditd service. Here we are monitoring changes to the /etc/passwd file and the /data/application directory: -p wa records write and attribute-change accesses, and -k tags every matching event with a key that can be searched for later.

auditctl -w /etc/passwd -p wa -k filechange
auditctl -w /data/application -p wa -k filechange

Make the above rules permanent by adding the following lines to the /etc/audit/rules.d/audit.rules file.

# Track file change
-w /etc/passwd -p wa -k filechange
-w /data/application -p wa -k filechange

Restart auditd service and validate configuration.

# service auditd restart
# auditctl -l
-w /etc/passwd -p wa -k filechange
-w /data/application -p wa -k filechange

Audit Logs for File/Directory Changes
# ausearch -k filechange

time->Sun Sep 15 02:05:53 2019
type=PROCTITLE msg=audit(1568493353.475:364): proctitle=7573657261646400746573746163
type=PATH msg=audit(1568493353.475:364): item=0 name="/etc/passwd" inode=4337587 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1568493353.475:364):  cwd="/root"
type=SYSCALL msg=audit(1568493353.475:364): arch=c000003e syscall=2 success=yes exit=5 a0=563b6c99fd80 a1=20902 a2=ffffff00 a3=2 items=1 ppid=1591 pid=2126 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="filechange"
----
time->Sun Sep 15 02:05:53 2019
type=CONFIG_CHANGE msg=audit(1568493353.488:367): auid=0 ses=1 op=updated_rules path="/etc/passwd" key="filechange" list=4 res=1
----
time->Sun Sep 15 02:05:53 2019
type=PROCTITLE msg=audit(1568493353.488:368): proctitle=7573657261646400746573746163
type=PATH msg=audit(1568493353.488:368): item=4 name="/etc/passwd" inode=4254286 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568493353.488:368): item=3 name="/etc/passwd" inode=4337587 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568493353.488:368): item=2 name="/etc/passwd+" inode=4254286 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568493353.488:368): item=1 name="/etc/" inode=4194369 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568493353.488:368): item=0 name="/etc/" inode=4194369 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1568493353.488:368):  cwd="/root"
type=SYSCALL msg=audit(1568493353.488:368): arch=c000003e syscall=82 success=yes exit=0 a0=7ffed730ae00 a1=563b6c99fd80 a2=7ffed730ad70 a3=563b6d9fd050 items=5 ppid=1591 pid=2126 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="filechange"
----
time->Sun Sep 15 02:06:03 2019
type=PROCTITLE msg=audit(1568493363.023:373): proctitle=746F756368002F646174612F6170706C69636174696F6E2F616263642E747874
type=PATH msg=audit(1568493363.023:373): item=1 name="/data/application/abcd.txt" inode=12786382 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568493363.023:373): item=0 name="/data/application/" inode=12786211 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1568493363.023:373):  cwd="/root"
type=SYSCALL msg=audit(1568493363.023:373): arch=c000003e syscall=2 success=yes exit=3 a0=7fff11e886e6 a1=941 a2=1b6 a3=7fff11e85de0 items=2 ppid=1591 pid=2136 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="filechange"

The above output shows that the root user (auid=0, uid=0) created a new user with useradd, which rewrote the /etc/passwd file, and that the root user also ran the touch command to create a file in the /data/application directory.
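Raw ausearch records are verbose; the following added example (not part of the original post) reduces them to one line per event so that the login user (auid, which survives su/sudo), the effective uid, the program and the paths it touched are visible at a glance. SAMPLE_AUDIT is a constructed, trimmed excerpt in the same record format; the syscall name table assumes x86_64 (arch=c000003e) numbers.

```shell
# Constructed sample in the format "ausearch -k filechange" prints
# (fields trimmed); the second event uses auid=1000 to show an admin
# who became root via sudo/su still being identified by login uid.
SAMPLE_AUDIT='time->Sun Sep 15 02:05:53 2019
type=PATH msg=audit(1568493353.475:364): item=0 name="/etc/passwd" inode=4337587 mode=0100644 objtype=NORMAL
type=SYSCALL msg=audit(1568493353.475:364): arch=c000003e syscall=2 success=yes exit=5 pid=2126 auid=0 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="filechange"
----
time->Sun Sep 15 02:06:03 2019
type=PATH msg=audit(1568493363.023:373): item=1 name="/data/application/abcd.txt" mode=0100644 objtype=CREATE
type=PATH msg=audit(1568493363.023:373): item=0 name="/data/application/" mode=040755 objtype=PARENT
type=SYSCALL msg=audit(1568493363.023:373): arch=c000003e syscall=2 success=yes exit=3 pid=2136 auid=1000 uid=0 euid=0 comm="touch" exe="/usr/bin/touch" key="filechange"'

# Reads ausearch records on stdin and prints, per event:
#   <event id> <time> auid=.. uid=.. syscall=.. comm=.. exe=.. <path(objtype)>...
# PARENT directory entries are dropped; only the objects actually changed are listed.
summarize_filechange() {
    awk '
    # value of " key=..." in line, quoted or bare; "?" if the field is absent
    function kv(line, key,   n) {
        n = length(key)
        if (match(line, " " key "=\"[^\"]*\"")) return substr(line, RSTART + n + 3, RLENGTH - n - 4)
        if (match(line, " " key "=[^ ]*"))      return substr(line, RSTART + n + 2, RLENGTH - n - 2)
        return "?"
    }
    function emit() {
        if (id != "") print id, t, "auid=" auid, "uid=" uid, "syscall=" sc, "comm=" comm, "exe=" exe paths
        id = ""; paths = ""
    }
    # x86_64 syscall numbers only; "ausearch -i" does the full interpretation
    BEGIN { scname[2] = "open"; scname[82] = "rename"; scname[87] = "unlink"; scname[90] = "chmod"; scname[92] = "chown"; scname[257] = "openat" }
    /^time->/    { t = substr($0, 7) }
    /^type=PATH/ { ot = kv($0, "objtype"); if (ot != "PARENT") paths = paths " " kv($0, "name") "(" ot ")" }
    /^type=SYSCALL/ {
        id = kv($0, "msg"); sub(/^audit\([0-9.]*:/, "", id); sub(/\):$/, "", id)
        auid = kv($0, "auid"); uid = kv($0, "uid"); comm = kv($0, "comm"); exe = kv($0, "exe")
        sn = kv($0, "syscall"); sc = (sn in scname) ? scname[sn] "(" sn ")" : sn
    }
    /^----/ { emit() }      # record separator: flush the event just read
    END     { emit() }      # last record has no trailing separator
    '
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_filechange
```

On a live system run `ausearch -k filechange | summarize_filechange`; a line whose auid differs from uid=0 tells you which login account performed the change as root.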


About the Author: TekFik