How to audit file events such as read / write etc? How can you use audit to see who changed a file in Linux?

Installation

[root@power tmp]# yum install audit  
  
Loaded plugins: refresh-packagekit  
Setting up Install Process  
Resolving Dependencies  
--> Running transaction check  
  
Run service

[root@power tmp]# service auditd start  

Starting auditd:                                           [  OK  ]  


[root@power tmp]# tail /var/log/audit/audit.log  
  
type=SYSCALL msg=audit(1266218420.349:82): arch=40000003 syscall=5 success=yes exit=3 a0=8223f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4782 pid=4787 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="auditd" exe="/bin/bash" key="password-file"  
type=CWD msg=audit(1266218420.349:82):  cwd="/"  
type=PATH msg=audit(1266218420.349:82): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00  
type=CONFIG_CHANGE msg=audit(1266218420.478:83): auid=0 ses=1 op=remove rule key="password-file" list=4 res=1  
type=CONFIG_CHANGE msg=audit(1266218420.478:84): auid=0 ses=1 op=remove rule key="Test-File" list=4 res=1  
type=CONFIG_CHANGE msg=audit(1266218420.479:85): audit_backlog_limit=320 old=320 auid=0 ses=1 res=1  
type=DAEMON_END msg=audit(1266218426.492:8804): auditd normal halt, sending auid=? pid=? subj=? res=success  
type=DAEMON_START msg=audit(1266218428.846:6213): auditd start, ver=1.7.12 format=raw kernel=2.6.29.4-167.fc11.i686.PAE auid=0 pid=4826 res=success  
type=CONFIG_CHANGE msg=audit(1266218428.956:88): audit_enabled=1 old=1 auid=0 ses=1 res=1  
type=CONFIG_CHANGE msg=audit(1266218428.957:89): audit_backlog_limit=320 old=320 auid=0 ses=1 res=1  

Enable audit for a specific file.

[root@power tmp]# auditctl -w /etc/passwd -p war -k password-file

  • -w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file /etc/passwd.
  • -p war : Set the permissions filter for the file system watch. It can be r for read, w for write, x for execute, a for append.
  • -k password-file : Set a filter key on the /etc/passwd watch. password-file is a filter key (a string of text up to 31 bytes long) that uniquely identifies the audit records produced by this watch. Use the password-file string when searching the audit logs.

Now check that audit is working.

run

[root@power tmp]# cat /etc/passwd  
root:x:0:0:root:/root:/bin/bash


[root@power ~]# tail -f /var/log/audit/audit.log  
  
type=SYSCALL msg=audit(1266218686.568:91): arch=40000003 syscall=5 success=yes exit=3 a0=bf9ce50d a1=8000 a2=0 a3=bf9cd46c items=1 ppid=4639 pid=4867 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="cat" exe="/bin/cat" key="password-file"  
type=CWD msg=audit(1266218686.568:91):  cwd="/tmp"  
type=PATH msg=audit(1266218686.568:91): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00  

or run

vi /etc/passwd

[root@power ~]# tail -f /var/log/audit/audit.log  
  
type=SYSCALL msg=audit(1266218832.550:95): arch=40000003 syscall=5 success=yes exit=3 a0=9673f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"  
type=CWD msg=audit(1266218832.550:95):  cwd="/tmp"  
type=PATH msg=audit(1266218832.550:95): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00  
type=SYSCALL msg=audit(1266218832.550:96): arch=40000003 syscall=5 success=yes exit=3 a0=9365828 a1=8000 a2=0 a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"  
type=CWD msg=audit(1266218832.550:96):  cwd="/tmp"  
type=PATH msg=audit(1266218832.550:96): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00  
type=SYSCALL msg=audit(1266218832.550:97): arch=40000003 syscall=85 success=no exit=-22 a0=bfcece6c a1=bfcede6c a2=fff a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"  
type=CWD msg=audit(1266218832.550:97):  cwd="/tmp"  
type=PATH msg=audit(1266218832.550:97): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00  
[root@power ~]# ausearch -f /etc/passwd

time->Mon Feb 15 12:09:17 2010
type=PATH msg=audit(1266217757.230:40): item=0 name="/etc/passwd" inode=663089 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00  
type=CWD msg=audit(1266217757.230:40):  cwd="/home/abbas"
type=SYSCALL msg=audit(1266217757.230:40): arch=40000003 syscall=5 success=yes exit=3 a0=9c3d7e8 a1=8000 a2=0 a3=1 items=1 ppid=4639 pid=4669 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"

time->Mon Feb 15 12:09:17 2010
type=PATH msg=audit(1266217757.230:39): item=0 name="/etc/passwd" inode=663089 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1266217757.230:39):  cwd="/home/abbas"
type=SYSCALL msg=audit(1266217757.230:39): arch=40000003 syscall=5 success=yes exit=3 a0=1273f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4669 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
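The raw records above only answer "who changed the file" once the SYSCALL, CWD and PATH lines that share one serial number are read together, which is what ausearch does for you. The following is an added example (not code from the original article) that does the same join offline: it parses the raw audit.log format shown above, groups records by serial, and reports the login user (auid), the effective uid, the program, the working directory and the kind of access for every event that names the requested path. The sample log is constructed from the /etc/passwd records shown earlier; the syscall-number table covers only the i386 (arch=40000003) numbers that appear there (5 = open, 85 = readlink), and the open() flags are decoded from the a1 argument using the Linux O_ACCMODE bits.

```python
"""Join raw auditd records into events and answer "who touched this file?".

Added example for this article, not part of the audit package. Works on the
raw log format: type=<T> msg=audit(<epoch>.<ms>:<serial>): k=v k="v" ...
"""
import re
from datetime import datetime, timezone

# Constructed sample: the records the /etc/passwd watch produced above
# (one read by cat, one open by vi, one failed readlink by vi).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1266218686.568:91): arch=40000003 syscall=5 success=yes exit=3 a0=bf9ce50d a1=8000 a2=0 a3=bf9cd46c items=1 ppid=4639 pid=4867 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="cat" exe="/bin/cat" key="password-file"
type=CWD msg=audit(1266218686.568:91):  cwd="/tmp"
type=PATH msg=audit(1266218686.568:91): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266218832.550:95): arch=40000003 syscall=5 success=yes exit=3 a0=9673f9 a1=80000 a2=1b6 a3=80000 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:95):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:95): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266218832.550:97): arch=40000003 syscall=85 success=no exit=-22 a0=bfcece6c a1=bfcede6c a2=fff a3=1 items=1 ppid=4639 pid=4876 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266218832.550:97):  cwd="/tmp"
type=PATH msg=audit(1266218832.550:97): item=0 name="/etc/passwd" inode=663090 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only the i386 (arch=40000003) syscall numbers that occur in the sample.
I386_SYSCALLS = {5: "open", 85: "readlink"}
ACCESS_MODE = {0: "read", 1: "write", 2: "read/write"}  # open() flags & O_ACCMODE


def parse_records(text):
    """Yield (type, epoch, serial, fields) for each well-formed raw record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a raw audit record: skip it
        rtype, epoch, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        yield rtype, float(epoch), int(serial), fields


def group_events(text):
    """Join the records that share a serial number into one event, in log order."""
    events = {}
    for rtype, epoch, serial, fields in parse_records(text):
        ev = events.setdefault(serial, {"serial": serial, "time": epoch, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "")
    return list(events.values())


def describe_access(sc):
    """Turn the SYSCALL fields into a readable action (i386 numbers only)."""
    nr = int(sc.get("syscall", -1))
    name = f"syscall {nr}"
    if sc.get("arch") == "40000003":
        name = I386_SYSCALLS.get(nr, name)
    if name == "open":
        flags = int(sc.get("a1", "0"), 16)  # a1 holds the flags argument of open()
        name = f"open for {ACCESS_MODE.get(flags & 3, 'unknown')}"
    status = "ok" if sc.get("success") == "yes" else f"failed (exit={sc.get('exit')})"
    return f"{name}, {status}"


def who_touched(text, path):
    """Return one summary dict per event whose PATH record names `path`."""
    hits = []
    for ev in group_events(text):
        sc = ev.get("syscall")
        if sc is None or path not in ev["paths"]:
            continue
        when = datetime.fromtimestamp(ev["time"], tz=timezone.utc)
        hits.append({
            "serial": ev["serial"],
            "time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "auid": int(sc.get("auid", -1)),  # login user: the real "who", kept across su/sudo
            "uid": int(sc.get("uid", -1)),    # effective user at the time of the call
            "exe": sc.get("exe", "?"),
            "comm": sc.get("comm", "?"),
            "tty": sc.get("tty", "?"),
            "key": sc.get("key", ""),
            "cwd": ev.get("cwd", ""),
            "action": describe_access(sc),
        })
    return hits


if __name__ == "__main__":
    for h in who_touched(SAMPLE_LOG, "/etc/passwd"):
        print(f"{h['time']} serial={h['serial']} auid={h['auid']} uid={h['uid']} "
              f"exe={h['exe']} tty={h['tty']} cwd={h['cwd']} action={h['action']}")
```

Two points worth reading off the output. First, auid (the audit login uid) is the field that answers "who": it is set at login and survives su and sudo, whereas uid only shows the effective user at the time of the call. Second, on the rule itself, auditctl(8) documents the a permission of -p as attribute change (chmod, chown and the like), so a -p war watch records reads, writes and metadata changes of /etc/passwd; the sample shows that every open here was read-only, and the readlink failure (exit=-22, EINVAL) is just vi probing a path that is not a symlink.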

aureport

aureport is a tool that produces summary reports of the audit system logs.

[root@power ~]# aureport

Summary Report
===============
Range of time in logs: 12/18/2009 10:54:25.260 - 02/17/2010 10:01:01.315
Selected time for report: 12/18/2009 10:54:25 - 02/17/2010 10:01:01.315
Number of changes in configuration: 68
Number of changes to accounts, groups, or roles: 10
Number of logins: 65
Number of failed logins: 95
Number of authentications: 87
Number of failed authentications: 90
Number of users: 2
Number of terminals: 18
Number of host names: 4
Number of executables: 35
Number of files: 6
Number of AVC's: 1
Number of MAC events: 4
Number of failed syscalls: 5
Number of anomaly events: 236
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 832
Number of events: 3259