
How can I use audit to see who changed a file in Red Hat Enterprise Linux 5?

Contributed by Andrew Ryan

Release Found: Red Hat Enterprise Linux 5

When creating a security policy for a server, it is sometimes necessary to see if a file has been changed unexpectedly. Using tools such as md5sum will show that a file has changed, but will not show who changed the file. Using the audit subsystem, it is possible to track the process that was responsible for changing the file.

Setting a watch on a file is accomplished using the auditctl command:

[root@host]# auditctl -w /etc/hosts -p war -k hosts-file

In this example, a watch is placed on the /etc/hosts file for any syscalls that would perform a write, read or attribute change (-p war). This is logged with the key hosts-file. This key can be used to search through the audit logs to find these actions, using the ausearch command:

[root@host]# ausearch -ts today -k hosts-file
----
time->Sat Feb  3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="hosts-file"
[root@host]#

From this trace, it can be seen that the file /etc/hosts was edited using the vim command, running from /usr/bin/vim. The three records (PATH, CWD and SYSCALL) belong to one event because they share the same msg=audit(1170451940.872:34) identifier. The user that ran the command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 context; the auid=0 field is the audit UID assigned at login, which is kept across su and so identifies who originally logged in, while pid=3558 and ppid=3544 identify the editing process and its parent.
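As an added example (not part of the article or of the audit package), the following Python script does by hand what ausearch does for the records above: it groups raw audit records by their msg=audit(timestamp:serial) identifier and reports, for a given key, the login user (auid), the effective uid, the program and the files involved. The sample log is constructed from the article's event plus a hypothetical second event (serial 35, a failed open by auid 500); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the raw ausearch format: the article's event (serial 34, vim
# writing /etc/hosts as root) plus a hypothetical failed attempt by auid 500 (serial 35).
SAMPLE_LOG = """\
----
time->Sat Feb  3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="hosts-file"
type=PATH msg=audit(1170452001.101:35): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1170452001.101:35): arch=40000003 syscall=5 success=no exit=-13 a0=bfc0 a1=8001 a2=0 a3=0 items=1 ppid=4000 pid=4001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="vim" exe="/usr/bin/vim" subj=user_u:system_r:unconfined_t:s0 key="hosts-file"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One raw record -> (type, (timestamp, serial), fields); None for "----"/"time->" lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, (float(ts), int(serial)), {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(lines):
    """Correlate the SYSCALL, CWD and PATH records that share one msg=audit(ts:serial) id."""
    events = defaultdict(lambda: {"paths": []})
    for rec in filter(None, map(parse_record, lines)):
        rtype, eid, fields = rec
        if rtype == "PATH":   # one PATH record per item, so collect all of them
            events[eid]["paths"].append(fields.get("name"))
        else:
            events[eid][rtype] = fields
    return events

def who_touched(lines, key):
    """For each event tagged with `key`: the login user (auid), effective uid, program,
    whether the syscall succeeded and the files involved, oldest first."""
    report = []
    for eid, ev in sorted(group_events(lines).items()):
        sc = ev.get("SYSCALL")
        if sc is None or sc.get("key") != key:
            continue
        report.append({"serial": eid[1], "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                       "comm": sc["comm"], "exe": sc["exe"],
                       "succeeded": sc["success"] == "yes", "files": ev["paths"]})
    return report
```

Because parse_record ignores the separator lines, who_touched(open("/var/log/audit/audit.log"), "hosts-file") works on a real raw log as well as on saved ausearch output.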

4 responses to “How can I use audit to see who changed a file in Red Hat Enterprise Linux 5?”

  1. Anindra says:

    Does it also fill up the /var as in RHEL AS 3? Can we add it to logrotate to rotate the logs every 20 days? How?

  2. Tonni Earnshaw says:

    Just do ‘apropos audit’ on an applicable system (e.g. RHAS/RHEL5, Fedora FC6, etc) and wallow in the possibilities :)

    –Tonni

  3. ketan gaur says:

    Well, I was not able to track the login details.

  4. Konfiguracja usług w F10 | FLLOG says:

    [...] auditd Writes the audit logs generated by the kernel. SELinux uses this daemon to record events. It is recommended to leave this service enabled if you use SELinux. A few words on using auditd can be found in RH magazine. [...]