{"id":2736,"date":"2019-07-14T21:35:59","date_gmt":"2019-07-14T16:05:59","guid":{"rendered":"https:\/\/www.24x7serversupport.com\/blog\/?p=2736"},"modified":"2019-07-14T21:37:31","modified_gmt":"2019-07-14T16:07:31","slug":"track-file-changes-using-auditd","status":"publish","type":"post","link":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/","title":{"rendered":"Track file changes using auditd"},"content":{"rendered":"\n<p>Most of Linux distributions comes with <strong>Linux Auditing System<\/strong>  that makes it possible to track file changes, file accesses as well as  system calls. It\u2019s pretty useful functionality for sysadmins who wish to  know who and when accessed and\/or changed sensitive files like  \/etc\/passwd, \/etc\/sudoers or others.<\/p>\n\n\n\n<p>Daemon <strong>auditd<\/strong>\u00a0that  usually runs in background and starts after reboot by default logs  those events into \/var\/log\/audit.log file (or into other file if  different syslog facility is specified). The common usage is to list all  files which should be watched and search auditd\u2019s logs from time to  time. For example, I prefer to track any file changes into \/etc\/passwd,  reading\/writing of \/etc\/sudoers, executing of \/bin\/some\/binary or just  everything (read, write, attributes changes, executing) for my  \/very\/important\/file.<\/p>\n\n\n\n<p>In order to configure that you\u2019ll need two commands: <strong>auditctl<\/strong> and <strong>ausearch<\/strong>.\n First one is for configuring auditd daemon (e.g. 
setting a watch on a \nfile), second one is for searching auditd logs (it\u2019s possible to use \ngrep against \/var\/log\/audit.log too but <strong>ausearch<\/strong> command makes this task easier).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and start Linux Auditing System<\/h3>\n\n\n\n<p>If it happened that <strong>auditd<\/strong> daemon isn\u2019t installed in your system then you can fix this by one of below commands:<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td><strong>sudo<\/strong> <strong>apt-get install<\/strong> audit<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>or<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td><strong>sudo<\/strong> <strong>yum install<\/strong> audit<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>The next step is to make sure that <strong>auditd<\/strong> is running, if command ps ax | grep [a]udit&nbsp;shows nothing then start <strong>auditd<\/strong> using command:<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td><strong>\/<\/strong>etc<strong>\/<\/strong>init.d<strong>\/<\/strong>auditd start<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>As soon as <strong>auditd<\/strong> daemon is started we can start configuring it for tracking file changes using <strong>auditctl<\/strong> command.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Make auditd to log all file changes<\/h3>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>auditctl -w <strong>\/<\/strong>etc<strong>\/<\/strong><strong>passwd<\/strong> -k passwd-ra -p ra<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>This command will add a rule for <strong>auditd<\/strong> daemon to monitor file <em>\/etc\/passwd<\/em> file (see option <strong>-w \/etc\/passwd<\/strong>) for reading or changing the atributes (see option <strong>-p ra<\/strong>, where <strong>r<\/strong> is for read, <strong>a<\/strong> is for attribute). 
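To keep watches across reboots they have to be written to disk rather than typed into auditctl. The script below is an added example, not code from the original post: it writes the watches described in this post (changes to /etc/passwd, reads and writes of /etc/sudoers, execution of one binary, everything for /very/important/file) into an augenrules drop-in and loads it. The drop-in name sensitive-files.rules, the key names and the placeholder paths /bin/some/binary and /very/important/file are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the original post: persist the post's file
# watches in an augenrules drop-in so they survive a reboot.
# Assumptions: the drop-in name (sensitive-files.rules), the key names,
# and the placeholder paths /bin/some/binary and /very/important/file.

# write_audit_rules [FILE]  -> write the rule set to FILE
# (default: /etc/audit/rules.d/sensitive-files.rules, which augenrules
# merges into /etc/audit/audit.rules when auditd starts)
write_audit_rules() {
    rules_file="${1:-/etc/audit/rules.d/sensitive-files.rules}"
    cat > "$rules_file" <<'EOF'
## Sensitive-file watches (rule syntax is the same as auditctl's arguments)
# any write or attribute change to /etc/passwd; reads are omitted because
# nearly every process that maps a UID to a name opens this file
-w /etc/passwd -p wa -k passwd-change
# every read or write of /etc/sudoers and its drop-in directory
-w /etc/sudoers -p rw -k sudoers-rw
-w /etc/sudoers.d/ -p rw -k sudoers-rw
# every execution of one particular binary
-w /bin/some/binary -p x -k binary-exec
# everything (read, write, execute, attribute change) for one file
-w /very/important/file -p rwxa -k important-file
EOF
}

# count_watch_rules FILE -> number of -w rules in FILE (sanity check)
count_watch_rules() {
    grep -c '^-w ' "$1"
}

# load_audit_rules -> load the on-disk rule set into the running kernel.
# Needs root and a running auditd; otherwise say so and stop.
load_audit_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to load audit rules" >&2
        return 1
    fi
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load          # rebuild audit.rules from rules.d/ and load it
    else
        auditctl -R /etc/audit/audit.rules
    fi
    auditctl -l                    # list what the kernel actually holds now
}

# Usage (as root):  write_audit_rules && load_audit_rules
```

After loading, `auditctl -l` should list the five watches; if a line is missing, augenrules prints the offending rule and line number.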
The filter key (<strong>-k passwd-ra<\/strong>) is an arbitrary tag attached to every record this rule produces, so the records can be pulled out of the log later with ausearch -k.<\/p>\n\n\n\n<p>Now let\u2019s test the rule: output the last 10 lines of <em>\/etc\/passwd<\/em> (tail prints 10 lines by default) and then search the audit log for the corresponding records<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td><strong>tail<\/strong> <strong>\/<\/strong>etc<strong>\/<\/strong><strong>passwd<\/strong><\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>and then<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td><strong>[<\/strong>root<strong>@test<\/strong> root<strong>]<\/strong><em># ausearch -k passwd-ra<\/em>\n----\ntime-&gt;Wed Jul  4 15:17:14 2012\ntype=CONFIG_CHANGE msg=audit<strong>(<\/strong>1341407834.821:207310<strong>)<\/strong>: auid=500 ses=23783 op=\"add rule\" key=\"passwd-ra\" list=4 res=1\n----\ntime-&gt;Wed Jul  4 15:17:20 2012\ntype=PATH msg=audit<strong>(<\/strong>1341407840.181:207311<strong>)<\/strong>: item=0 name=\"\/etc\/passwd\" inode=31982841 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00\ntype=CWD msg=audit<strong>(<\/strong>1341407840.181:207311<strong>)<\/strong>:  cwd=\"\/home\/artemn\"\ntype=SYSCALL msg=audit<strong>(<\/strong>1341407840.181:207311<strong>)<\/strong>: arch=c000003e syscall=2 success=<strong>yes<\/strong> exit=3 a0=7fffecd41817 a1=0 a2=0 a3=7fffecd40b40 items=1 ppid=642502 pid=521288 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23783 comm=\"tail\" exe=\"\/usr\/bin\/tail\" key=\"passwd-ra\"<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>The output of the second command shows that auditd has two records for filter key \u2018passwd-ra\u2019. The first (type=CONFIG_CHANGE) is the rule being added. The second is the access itself: a process running as root (<strong>uid=0 gid=0<\/strong>) opened <em>\/etc\/passwd<\/em> (syscall=2 is open on x86_64, arch=c000003e) using tail (<strong>comm=\u201dtail\u201d exe=\u201d\/usr\/bin\/tail\u201d<\/strong>) on July 4, 2012 (<strong>time-&gt;Wed Jul 4 15:17:20 2012<\/strong>). Note <strong>auid=500<\/strong>: the audit (login) UID is fixed at login and survives su and sudo, so the record tells you that the root shell belonged to whoever logged in as UID 500, consistent with cwd=\/home\/artemn. When attributing actions taken through sudo, search on auid rather than uid.<\/p>\n\n\n\n<p>Utility <strong>ausearch<\/strong> is pretty powerful, so I recommend reading the output of man ausearch; in the meantime here are some useful examples:<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>ausearch -x <strong>\/<\/strong>bin<strong>\/<\/strong><strong>grep<\/strong>\nausearch -x <strong>rm<\/strong><\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>Option <strong>-x<\/strong> matches the exe field, so this scans the <strong>auditd<\/strong> records for a given executable; e.g. to see whether any watched file was deleted with rm, use the second of the two commands above.<\/p>\n\n\n\n<p>This one shows all records whose uid field is 1000. Use <strong>-ua 1000<\/strong> to match any of auid, uid or euid (which also catches that user\u2019s actions after sudo), or <strong>-ul 1000<\/strong> to match the login UID only.<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>ausearch -ui 1000<\/td><\/tr><\/tbody><\/table>\n","protected":false},"excerpt":{"rendered":"<p>Most Linux distributions come with the Linux Auditing System, which makes it possible to track file changes, file accesses and system calls. It\u2019s pretty useful functionality for sysadmins who wish to know who accessed and\/or changed sensitive files like \/etc\/passwd, \/etc\/sudoers or others, and when. 
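The raw records in the ausearch output above are what any scripted check over the audit log has to parse: one event is spread over several records (SYSCALL, CWD, PATH) that share the msg=audit(timestamp:serial) identifier. The following is an added example, not code from the original post: an awk-based triage that joins each SYSCALL record to its PATH record on that serial number and prints, per event for one filter key, the login UID, the UID the syscall ran under, whether it succeeded, the program and the path. The audit records embedded in it are constructed to mirror the post's output; the second event (key sudoers-rw, a failed open of /etc/sudoers by vi, with its pids and addresses) is invented for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: join SYSCALL and PATH audit
# records on their shared msg=audit(<timestamp>:<serial>) identifier and
# print one triage line per event for a given filter key.

# CONSTRUCTED sample records mirroring the format of the ausearch output in
# the post; the sudoers-rw event (a failed open, exit=-13 is EACCES) is invented.
sample_audit_log() {
    cat <<'EOF'
type=CONFIG_CHANGE msg=audit(1341407834.821:207310): auid=500 ses=23783 op="add rule" key="passwd-ra" list=4 res=1
type=PATH msg=audit(1341407840.181:207311): item=0 name="/etc/passwd" inode=31982841 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1341407840.181:207311):  cwd="/home/artemn"
type=SYSCALL msg=audit(1341407840.181:207311): arch=c000003e syscall=2 success=yes exit=3 a0=7fffecd41817 a1=0 a2=0 a3=7fffecd40b40 items=1 ppid=642502 pid=521288 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23783 comm="tail" exe="/usr/bin/tail" key="passwd-ra"
type=SYSCALL msg=audit(1341407900.500:207320): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1c2e3a10 a1=1 a2=0 a3=0 items=1 ppid=4100 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=40 comm="vi" exe="/usr/bin/vi" key="sudoers-rw"
type=PATH msg=audit(1341407900.500:207320): item=0 name="/etc/sudoers" inode=31982900 dev=09:02 mode=0100440 ouid=0 ogid=0 rdev=00:00
EOF
}

# audit_summarize KEY  (reads records on stdin)
# prints:  <serial> auid=.. uid=.. success=.. comm=.. exe=.. path=..
# auid is the login UID (who logged in), uid is the UID the syscall ran as;
# they differ after su/sudo, which is exactly what triage wants to see.
audit_summarize() {
    awk -v want="$1" '
    # field(rec, name): value of name=... in rec, quotes stripped, "?" if absent.
    # The leading space keeps " uid=" from matching inside "auid=" or "fsuid=".
    function field(rec, name,   m) {
        if (match(rec, " " name "=\"[^\"]*\"")) {
            m = substr(rec, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
            return m
        }
        if (match(rec, " " name "=[^ ]+")) {
            return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        }
        return "?"
    }
    {
        # separator lines such as ---- and time-> carry no msg=audit(...) and are skipped
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)        # "timestamp:serial"
        split(id, p, ":"); serial = p[2]
        if ($1 == "type=SYSCALL" && field($0, "key") == want) {
            syscall[serial] = $0; order[++n] = serial
        } else if ($1 == "type=PATH") {
            # later items (the file) overwrite earlier ones (the parent directory)
            path[serial] = field($0, "name")
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]; r = syscall[s]
            printf "%s auid=%s uid=%s success=%s comm=%s exe=%s path=%s\n", s, field(r, "auid"), field(r, "uid"), field(r, "success"), field(r, "comm"), field(r, "exe"), (s in path) ? path[s] : "?"
        }
    }'
}

# Usage:  sample_audit_log | audit_summarize passwd-ra
# Real data: ausearch -k passwd-ra --raw | audit_summarize passwd-ra
```

The join is keyed on the serial number, so it does not matter whether PATH precedes SYSCALL (as ausearch prints it) or follows it, and the ---- and time-> separator lines of the default ausearch format are ignored, so the pipe works with or without --raw. A line showing auid=500 next to uid=0 is the su/sudo case that the record in the post illustrates.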
Daemon auditd\u00a0that usually runs in background and starts [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[34],"tags":[],"class_list":["post-2736","post","type-post","status-publish","format-standard","hentry","category-linux"],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Track file changes using auditd | 24x7serversupport Blog<\/title>\n<meta name=\"description\" content=\"24x7serversupport Blog Linux Track file changes using auditd |\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Track file changes using auditd | 24x7serversupport Blog\" \/>\n<meta property=\"og:description\" content=\"24x7serversupport Blog Linux Track file changes using auditd |\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/\" \/>\n<meta property=\"og:site_name\" content=\"24x7serversupport Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-14T16:05:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-07-14T16:07:31+00:00\" \/>\n<meta name=\"author\" content=\"24x7support\" \/>\n<meta name=\"twitter:card\" 
content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@24x7serversuppo\" \/>\n<meta name=\"twitter:site\" content=\"@24x7serversuppo\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"24x7support\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/\",\"url\":\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/\",\"name\":\"Track file changes using auditd | 24x7serversupport Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/#website\"},\"datePublished\":\"2019-07-14T16:05:59+00:00\",\"dateModified\":\"2019-07-14T16:07:31+00:00\",\"author\":{\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/#\/schema\/person\/decfb5fad6bde6ac6822d4e965c6d401\"},\"description\":\"24x7serversupport Blog Linux Track file changes using auditd |\",\"breadcrumb\":{\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.24x7serversupport.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Track file changes using auditd\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/#website\",\"url\":\"https:\/\/www.24x7serversupport.com\/blog\/\",\"name\":\"24x7serversupport 
Blog\",\"description\":\"Linux | CPanel | WHM | webhosting| Plesk | DirectAdmin | CentOs | Debian | Ubuntu Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.24x7serversupport.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.24x7serversupport.com\/blog\/#\/schema\/person\/decfb5fad6bde6ac6822d4e965c6d401\",\"name\":\"24x7support\",\"url\":\"https:\/\/www.24x7serversupport.com\/blog\/author\/24x7support\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Track file changes using auditd | 24x7serversupport Blog","description":"24x7serversupport Blog Linux Track file changes using auditd |","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/","og_locale":"en_US","og_type":"article","og_title":"Track file changes using auditd | 24x7serversupport Blog","og_description":"24x7serversupport Blog Linux Track file changes using auditd |","og_url":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/","og_site_name":"24x7serversupport Blog","article_published_time":"2019-07-14T16:05:59+00:00","article_modified_time":"2019-07-14T16:07:31+00:00","author":"24x7support","twitter_card":"summary_large_image","twitter_creator":"@24x7serversuppo","twitter_site":"@24x7serversuppo","twitter_misc":{"Written by":"24x7support","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/","url":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/","name":"Track file changes using auditd | 24x7serversupport Blog","isPartOf":{"@id":"https:\/\/www.24x7serversupport.com\/blog\/#website"},"datePublished":"2019-07-14T16:05:59+00:00","dateModified":"2019-07-14T16:07:31+00:00","author":{"@id":"https:\/\/www.24x7serversupport.com\/blog\/#\/schema\/person\/decfb5fad6bde6ac6822d4e965c6d401"},"description":"24x7serversupport Blog Linux Track file changes using auditd |","breadcrumb":{"@id":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.24x7serversupport.com\/blog\/track-file-changes-using-auditd\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.24x7serversupport.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Track file changes using auditd"}]},{"@type":"WebSite","@id":"https:\/\/www.24x7serversupport.com\/blog\/#website","url":"https:\/\/www.24x7serversupport.com\/blog\/","name":"24x7serversupport Blog","description":"Linux | CPanel | WHM | webhosting| Plesk | DirectAdmin | CentOs | Debian | Ubuntu Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.24x7serversupport.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.24x7serversupport.com\/blog\/#\/schema\/person\/decfb5fad6bde6ac6822d4e965c6d401","name":"24x7support","url":"https:\/\/www.24x7serversupport.com\/blog\/author\/24x7support\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/posts\/2736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/comments?post=2736"}],"version-history":[{"count":2,"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/posts\/2736\/revisions"}],"predecessor-version":[{"id":2738,"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/posts\/2736\/revisions\/2738"}],"wp:attachment":[{"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/media?parent=2736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/categories?post=2736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.24x7serversupport.com\/blog\/wp-json\/wp\/v2\/tags?post=2736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}