How to Audit for Modifications to files and Executions of Files in Linux

Auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk. Viewing the logs is done with the ausearch or aureport utilities, and configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/rules.d/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize; they are found in the /etc/audit/rules.d/auditd.conf file.

On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

This post outlines the steps to enable the Linux auditd service to track file events such as execute, read and write. For example, to track the /etc/hosts file, follow the steps below.

1. Check the auditd service is started.

# service auditd status 
auditd (pid 2311) is running... 

2. If not running, start it:

# service auditd start

3. Run the auditctl command to start auditing the /etc/hosts file. The syntax is as shown below:

# auditctl -w /etc/hosts -p war -k hosts-file

Here,
-w – the file to watch/audit (use the full path).
-p – the permissions to audit: r for read, w for write, x for execute, a for append (attribute change).
-k – a key word attached to every record this rule produces, so the matching records can later be searched by key with ausearch.

4. Let's verify that the audit rule is properly set. Read from and write a new entry to the /etc/hosts file, then check the audit information in /var/log/messages:

# vi /etc/hosts
# ausearch -i -f /etc/hosts
.....
type=PATH msg=audit(05/22/08 18:24:01.071:83) : name=/etc/hosts flags=follow,open inode=4313009 dev=08:05 mode=file,644 ouid=root ogid=root rdev=00:00
type=FS_INODE msg=audit(05/22/08 18:24:01.071:83) : inode=4313009 inode_uid=root inode_gid=root inode_dev=08:05 inode_rdev=00:00
type=FS_WATCH msg=audit(05/22/08 18:24:01.071:83) : watch_inode=4313009 watch=hosts filterkey=testhost perm=read,write,append perm_mask=read
....
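The steps above set a single watch interactively, which is lost on reboot; the rules file that auditctl reads at startup is the way to keep such watches. The script below is an added example, not code from the original post: it builds a rules file from the same three fields the post explains (-w path, -p permissions, -k key), refuses relative paths and unknown permission letters, and then summarises raw audit.log records (the format auditd writes, not the ausearch -i rendering shown above) per key. The extra watched paths (/etc/passwd, /usr/bin/sudo), the key names, the auditctl -D and -b lines, and every log line are assumptions constructed for illustration; drop the generated file into /etc/audit/rules.d/ on a real host only after reviewing it.

```sh
#!/bin/sh
# Added example, not part of the original post. Builds a persistent auditd
# watch-rule file (the format auditctl -R and /etc/audit/rules.d/*.rules use)
# from the fields the post explains (-w path, -p perms, -k key), and
# summarises constructed raw audit.log lines per key. All paths, keys and
# log lines below are constructed for illustration.

# make_watch_rule PATH PERMS KEY: print one "-w ... -p ... -k ..." rule line.
# Rejects relative paths (auditctl -w needs a full path) and permission
# letters other than r, w, x, a.
make_watch_rule() {
    path=$1; perms=$2; key=$3
    case "$path" in
        /*) ;;
        *)  echo "error: '$path' is not an absolute path" >&2; return 1 ;;
    esac
    case "$perms" in
        "" | *[!rwxa]*) echo "error: bad permission set '$perms' (use r,w,x,a)" >&2; return 1 ;;
    esac
    printf -- '-w %s -p %s -k %s\n' "$path" "$perms" "$key"
}

# write_rules_file FILE: write a rules file that flushes old rules, sets the
# kernel backlog, then watches a few assumed paths (edit the list for your host).
write_rules_file() {
    {
        echo '## constructed example rules (assumed paths and keys)'
        echo '-D'                                      # flush rules loaded earlier
        echo '-b 8192'                                 # kernel audit backlog
        make_watch_rule /etc/hosts    war hosts-file   # read/write/append
        make_watch_rule /etc/passwd   wa  identity     # changes only
        make_watch_rule /usr/bin/sudo x   priv-exec    # executions only
    } > "$1"
}

# write_sample_log FILE: constructed raw audit.log SYSCALL records, in the
# shape auditd writes (not ausearch -i output). Timestamps and ids are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:83): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="hosts-file"
type=SYSCALL msg=audit(1700000000.202:84): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo" key="priv-exec"
type=SYSCALL msg=audit(1700000000.303:85): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="hosts-file"
type=SYSCALL msg=audit(1700000000.404:86): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="hosts-file"
EOF
}

# count_key LOG KEY: how many records carry the given -k key.
count_key() {
    awk -v k="$2" '$0 ~ ("key=\"" k "\"") { n++ } END { print n + 0 }' "$1"
}

# exes_for_key LOG KEY: distinct executables that triggered the key, one per line.
exes_for_key() {
    sed -n 's/.*exe="\([^"]*\)".*key="'"$2"'".*/\1/p' "$1" | sort -u
}

# Stand-alone run (sh thisfile.sh demo): build the rules file and summarise
# the sample log in the current directory.
if [ "${1:-}" = "demo" ]; then
    write_rules_file ./99-watch.rules
    write_sample_log ./sample-audit.log
    cat ./99-watch.rules
    for k in hosts-file identity priv-exec; do
        printf '%s: %s record(s)\n' "$k" "$(count_key ./sample-audit.log "$k")"
        exes_for_key ./sample-audit.log "$k" | sed 's/^/    /'
    done
fi
```

On a live host the same per-key summary comes from `ausearch -k hosts-file` (or `aureport -k`), which reads /var/log/audit/audit.log directly; the awk/sed helpers here only exist so the example runs without auditd installed. The -p letters are a filter on what is recorded, so a watch with `-p x` on a binary records executions but stays silent on reads of it, which is why the sudo watch above uses x alone.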