How to Audit File Access on Linux

On Linux there is an audit RPM named audit, which provides auditd service to monitor the processes and the commands as well. Using audit RPM we can audit some simple file operation like read, write and execution. This post will introduce a method to monitor the file access on the Linux system. Like “When the file was read/modified?”, “Who edit the specific file?”.

1. start the auditd service first if its not running.

# service auditd start       ### CentOS/RHEL 6
# systemctl start auditd     ### CentOS/RHEL 7

2. use auditctl command to specify which files you want to monitor:

# auditctl -w /etc/hosts -p war -k hostswrap

-w: specify the file you want to audit/watch.
-p: which operation/permission you want to audit/watch, r for read, w for write, x for execute, a for append.
-k: specify a keyword for this audit rule, when searching the audit log, you can search by this keyword

3. Please note that changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. To make changes persistent, add them to the /etc/audit/audit.rules file and, if they are not currently loaded into audit, restart the auditd service to load the modified rule set.

# vi /etc/audit.rules
-w /etc/hosts -p war -k hostswrap
# service auditd restart       ### CentOS/RHEL 6
# systemctl restart auditd     ### CentOS/RHEL 7

4. To list the current audit rules in auditd service, use the “l” option.

# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=8:5, path=/etc/hosts, filterkey=hostswrap, perms=rwa, valid=0

5. check the audit log for any access to the file /etc/hosts.

# ausearch -f /etc/hosts -i | less
type=FS_WATCH msg=audit(05/28/18 11:21:27.216:10) : watch_inode=4313009 watch=hosts filterkey=hostswrap perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(05/28/18 11:21:46.251:19) : arch=i386 syscall=open success=yes exit=5 a0=c679b5 a1=0 a2=1b6 a3=0 items=1 pid=16056 aui
d=unset uid=oracle gid=dba euid=oracle suid=oracle fsuid=oracle egid=dba sgid=dba fsgid=dba comm=ons exe=/home/oracle/oracle/product/10.2.0/c
rs_1/opmn/bin/ons
----
type=PATH msg=audit(05/28/18 11:21:38.697:11) : name=/etc/hosts flags=follow,access inode=4313009 dev=08:05 mode=file,644 ouid=root ogid=root
 rdev=00:00
type=CWD msg=audit(05/28/18 11:21:38.697:11) :  cwd=/newspace/TAR/May
type=FS_INODE msg=audit(05/28/18 11:21:38.697:11) : inode=4313009 inode_uid=root inode_gid=root inode_dev=08:05 inode_rdev=00:00
type=FS_WATCH msg=audit(05/28/18 11:21:38.697:11) : watch_inode=4313009 watch=hosts filterkey=hostswrap perm=read,write,append perm_mask=writ
e
.....

The log shows the operation time, the processed/command to read/write the file, uid, etc.

Related Post