Daemon auditd that usually runs in the background and starts after the reboot by default logs those events into /var/log/audit.log file (or into other file if different syslog facility is specified). The common usage is to list all files which should be watched and search auditd’s logs from time to time. For example, I prefer to track any file changes into /etc/passwd, reading/writing of /etc/sudoers, executing of /bin/some/binary or just everything (read, write, attributes changes, executing) for my /very/important/file.
In order to configure that you’ll need two commands: auditctl and ausearch. First one is for configuring auditd daemon (e.g. setting a watch on a file), second one is for searching auditd logs (it’s possible to use grep against /var/log/audit.log too but ausearch command makes this task easier).
Install and start Linux Auditing System
==============================
sudo apt-get install auditor
sudo yum install audit
The next step is to make sure that auditd is running, if command ps ax | grep [a]udit shows nothing then start auditd using command:
/etc/init.d/auditd start
As soon as auditd daemon is started we can start configuring it for tracking file changes using auditctl command.
Make auditd to log all file changes
auditctl -w /etc/passwd -k passwd-ra -p ra
tail /etc/passwd
and then
[root@test ]# ausearch -k passwd-ra
----
time->Wed Jul 4 15:17:14 2012
type=CONFIG_CHANGE msg=audit(1341407834.821:207310): auid=500 ses=23783 op="add rule" key="passwd-ra" list=4 res=1
----
time->Wed Jul 4 15:17:20 2012
type=PATH msg=audit(1341407840.181:207311): item=0 name="/etc/passwd" inode=31982841 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1341407840.181:207311): cwd="/home/artemn"
type=SYSCALL msg=audit(1341407840.181:207311): arch=c000003e syscall=2 success=yes exit=3 a0=7fffecd41817 a1=0 a2=0 a3=7fffecd40b40 items=1 ppid=642502 pid=521288 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23783 comm="tail" exe="/usr/bin/tail" key="passwd-ra"
As you can see the output of second command shows that auditd has one record for filter key ‘passwd-ra’, it shows that root user (uid=0 gid=0) has read file /etc/passwd using command tail (comm=”tail” exe=”/usr/bin/tail”) at July 4, 2012 (time->Wed Jul 4 15:17:20 2012).
Utility ausearch is pretty powerful so I recommend to read output of man ausearch, in the meantime here are some useful examples:
ausearch -x /bin/grep
ausearch -x rm
This approach allows to scan auditd records for certain executable, e.g. if you’d like to see if any of watched files was deleted (or not) using command rm then you should use second command of above two.
This one will show you all records for certain UID (username).
ausearch -ui 1000
===============================================================================================
