This is one of the key questions many new sysadmins ask: how do I audit file events such as reads and writes, and how can I use the audit system to see who changed a file on Linux?

The answer is the 2.6 kernel's audit system. A modern Linux kernel (2.6.x) comes with the auditd daemon, which is responsible for writing audit records to disk. During startup the daemon loads the rules in /etc/audit.rules; you can edit that file to add watches and other rules. The daemon's own settings, such as the location of the audit log file, live in /etc/auditd.conf. The default files are good enough to get started with auditd.
In order to use the audit facility you need the following utilities:
=> auditctl - a command to control the kernel's audit system. You can get its status and add or delete rules in the kernel audit system; a watch on a file is set with this command.
=> ausearch - a command that queries the audit daemon logs for events based on different search criteria.
=> aureport - a tool that produces summary reports of the audit system logs.
Note that all of the following instructions were tested on CentOS 4.x, Fedora Core, and RHEL 4/5 Linux.
Install the audit package if it is not already present, for example with up2date:
# up2date install audit
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html[5/11/2013 1:58:18 ]
Make sure auditd starts at boot:
# chkconfig auditd on
Set a watch on /etc/passwd and tag matching events with the key password-file, which the ausearch examples below filter on (the command is simply the options explained here, combined):
# auditctl -w /etc/passwd -p war -k password-file
Where,
-w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file called /etc/passwd.
-p war : Set the permissions filter for the file system watch. It can be r for read, w for write, x for execute, and a for attribute change (chmod, chown, setxattr and the like), not append; an append such as echo text >> /etc/passwd is an open for write and is caught by w.
-k password-file : Attach a key to the events generated by this rule so they can be found with ausearch -k.
Rules added with auditctl live only in the running kernel and are gone after auditd restarts or the machine reboots; put the same line (without the auditctl prefix) in /etc/audit.rules to make it persistent. If that file ends with -e 2 the configuration is locked until reboot, so use -e 1 while testing.
Search the audit log for events on /etc/passwd:
# ausearch -f /etc/passwd | less
Add -i to have the numeric fields interpreted:
# ausearch -f /etc/passwd -i | less
Where,
-f /etc/passwd : Only search for events that touched this file.
-i : Interpret numeric entities into text; for example, a uid is converted to the account name.
Search for events matching a given executable name with the -x option. For example, to find out who touched /etc/passwd with the rm command (today, or on a given date):
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm
Search for events with a given user id with -ui. For example, to find out whether user vivek (uid 506) tried to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
Note that -ui matches the uid at the time of the system call, so a change made after su to root shows up with uid 0. The login uid (auid) is preserved across su and sudo; search on it with -ul 506 to find what vivek did as root.
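To show what the ausearch searches above actually do with the records in /var/log/audit/audit.log, and why the login uid matters after su, here is a small Python parser added for this page; it is not code from the original post or from the audit package. It joins the SYSCALL and PATH records that share an audit serial number, filters them the way -f, -k, -ui, -ul and -x do, and decodes the open(2) flags into the -p letter a watch would match. The log lines are constructed for the example (real auditd field names, made-up values: user vivek is uid 506, the root login is uid 500), and only the x86_64 syscall numbers 2 (open) and 257 (openat) are decoded.

```python
"""Parse raw auditd records and answer "who changed this file?".

Added example for this post, not code from nixCraft or the audit project.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (not a real capture). Field
# names are the real auditd ones; every value is made up. Assumed story:
#   4567  vivek (auid 506) ran `su -`, then edited /etc/passwd with vim
#         (uid is now 0, but auid is still 506)
#   4568  vivek read /etc/passwd with cat as himself
#   4569  an unrelated write to /etc/hosts under another watch key
#   4570  root (login uid 500) did `echo ... >> /etc/passwd` from bash
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1368268800.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff6a8d a1=241 a2=1b6 a3=0 items=1 ppid=2210 pid=2254 auid=506 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="password-file"
type=CWD msg=audit(1368268800.123:4567):  cwd="/root"
type=PATH msg=audit(1368268800.123:4567): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1368268805.500:4568): arch=c000003e syscall=2 success=yes exit=3 a0=7fff6a90 a1=0 a2=0 a3=0 items=1 ppid=2100 pid=2300 auid=506 uid=506 gid=506 euid=506 suid=506 fsuid=506 egid=506 sgid=506 fsgid=506 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="password-file"
type=CWD msg=audit(1368268805.500:4568):  cwd="/home/vivek"
type=PATH msg=audit(1368268805.500:4568): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1368268810.010:4569): arch=c000003e syscall=2 success=yes exit=4 a0=7fff6a99 a1=241 a2=1b6 a3=0 items=1 ppid=2100 pid=2310 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5 comm="sed" exe="/bin/sed" key="hosts-file"
type=PATH msg=audit(1368268810.010:4569): item=0 name="/etc/hosts" inode=140 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1368268815.200:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7fff6aa0 a2=441 a3=1b6 items=1 ppid=2400 pid=2401 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="bash" exe="/bin/bash" key="password-file"
type=PATH msg=audit(1368268815.200:4570): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# One record per line: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; quoted values may contain spaces. Real logs hex-encode
# names with odd characters instead of quoting them; that case is not handled.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# open(2) flag bits (asm-generic values, as used on x86_64).
O_WRONLY, O_RDWR, O_APPEND = 0x1, 0x2, 0x400


def describe_open(arch, syscall, a1, a2):
    """Map the open/openat flags onto the -p letter a watch would match.

    Only x86_64 is decoded (arch c000003e: 2 = open, flags in a1;
    257 = openat, flags in a2); anything else is reported by number.
    An append is an open for write, so it is `w`; `a` (attribute change)
    covers chmod/chown/setxattr and never comes from open().
    """
    flags_hex = a1 if syscall == "2" else a2
    if arch != "c000003e" or syscall not in ("2", "257") or flags_hex is None:
        return "syscall %s" % syscall
    flags = int(flags_hex, 16)
    if flags & (O_WRONLY | O_RDWR):
        return "append (w)" if flags & O_APPEND else "write (w)"
    return "read (r)"


def parse_records(log_text):
    """Group the SYSCALL/CWD/PATH records sharing one serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[serial]
        ev["serial"], ev["time"] = serial, float(ts)
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    # Groups without a SYSCALL record carry nothing we can report.
    return sorted((e for e in events.values() if "syscall" in e),
                  key=lambda e: e["time"])


def search(log_text, file=None, key=None, uid=None, login_uid=None, exe=None):
    """Filter events like `ausearch -f FILE -k KEY -ui UID -ul LOGINUID -x EXE`."""
    hits = []
    for ev in parse_records(log_text):
        if file is not None and file not in ev["paths"]:
            continue
        if key is not None and ev.get("key") != key:
            continue
        if uid is not None and ev.get("uid") != str(uid):
            continue
        if login_uid is not None and ev.get("auid") != str(login_uid):
            continue
        if exe is not None and ev.get("exe", "").rsplit("/", 1)[-1] != exe.rsplit("/", 1)[-1]:
            continue
        hits.append({
            "serial": ev["serial"],
            "login_uid": ev.get("auid"),  # who logged in; survives su and sudo
            "uid": ev.get("uid"),         # identity at the moment of the call
            "exe": ev.get("exe"),
            "files": ev["paths"],
            "key": ev.get("key"),
            "access": describe_open(ev.get("arch"), ev.get("syscall"),
                                    ev.get("a1"), ev.get("a2")),
        })
    return hits


if __name__ == "__main__":
    # Equivalent of `ausearch -f /etc/passwd` over the sample log.
    for h in search(SAMPLE_LOG, file="/etc/passwd"):
        print("%s login_uid=%s uid=%s %s %s key=%s" % (
            h["serial"], h["login_uid"], h["uid"], h["access"], h["exe"], h["key"]))
```

Running it lists the three events on /etc/passwd, and the vim edit shows uid 0 with login uid 506: a search on uid 506 (ausearch -ui) would miss it, a search on the login uid (ausearch -ul) finds it. The real ausearch does more than this, for instance hex-decoding names, showing both PATH items of a rename, and resolving 506 to vivek with -i, so use it and aureport for anything beyond a quick look at the raw records.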
Further readings
Read the man pages: auditd(8), auditd.conf(5), auditctl(8), ausearch(8), aureport(8).
Updated for accuracy.
In the line auditctl -w /etc/passwd -k shadow-file -p rwxa you mean /etc/shadow not
/etc/passwd.
nixCraft
James,
Thanks for the heads-up; the post has been updated.
GH Snijders

nixCraft
GH,
Heh, I was supposed to use vim as an example but somehow I picked up grep. Anyway, the post has been updated.
Appreciate your post.
Rodrigo
Question: I need a file monitor to tell me which files are being used in a few folders; can I use auditd? Is it compatible with Red Hat 7.3? Is there a GUI to use with this?
If this is not what I need, can you point me to what I need or something close?
nixCraft
Rodrigo,
RH 7.3 does not support auditd; also, such an old distro is a big security risk.
Get CentOS 4.x or FC 6/7.
Rodrigo
Sadly the box running RH 7.3 is a live production box for a multinational company. I can't just get a new OS installed on that server; we will be at least another 6 months before migrating to a new system.
Do you perhaps have an idea of what tool I could use to monitor files in a folder that have been accessed during a period of time?
BTW, great site.
Ken
When I try to set up a file watch, it fails. When I do an auditctl -l, I get this at the bottom:
File system watches not supported
Any ideas on what's wrong?
(BTW, I'm guessing that I can get around this by tracing syscalls based on the files' inode numbers, but that's messy and hard to maintain.)
tiger74
@nixcraft,
Thank you for such a great article.
But I'm confused; it seems that there is no man page for audit.rules?

@rodrigo,
You can use tripwire, which has a similar function. It detects file changes.
Relay
In the description for the -p option, a is for attribute, not append; the man page has a full explanation.
-p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
John Doe
Newer versions seem to use a for attribute changes; my man page reads like this:
-p [r|w|x|a]
Set permissions filter for a file system watch. r=read, w=write, x=execute, a=attribute change.
Nice article though, exactly what I needed. :)
john
Great article. I've checked the man pages and am still left with two questions:
1. It doesn't appear that the options to the -p switch allow for logging file deletions. How do we log when a file is deleted?
2. The kernel does not allow us to set a watch on the / directory. If I wanted to log all file deletions, would I be best served by setting watches on all my top level directories (bin, boot, dev, etc)?
Thanks again for the great resource!
- John
J.C. Denton
After a system restart or a manual one (sudo /etc/init.d/auditd restart) all my file monitoring is gone; sudo auditctl -l says no rules then. Do I have to save the rules to a text file or something? Please help (using (X)ubuntu 8.04 LTS)! ;-)
Frans
Is this also working on VMware ESX server 3.5? Because this is a modified Red Hat distribution.
Stef
Hi,
thanks for this article. It helps me a lot!
regards
sushil
hello,
good article..
asdasdsd
# /etc/init.d/audit start

asdasdsd
/edit:
# ausearch -f etc_passwd
Had to escape the greater-than and less-than signs because this comments section thought they were HTML!
Jagadeesh
Hi,
This is a very nice article. In my company we have NFS mounted home directories. Anyone can access files from anybody's home. This will help me monitor who comes to my home :-)
Thanks for this article
Hello1971
Hi, does this work on an exported directory? I mean, if anyone reads/writes a file through NFS, will the audit system log them?
Dave Marcus
Is there any way to place an audit on a directory? And yes, it's a very good article; I have it bookmarked.
Yzhar
I'm a Varins inc eng that has researched this stuff for a while.
Unix (any) lacks such abilities, and the best it can do is audit predefined objects; scale is poor and some file operations are missing.
We have successfully built such a framework (for about any Unix platform). It is running on hundreds of production sites for 3 years now, and I can tell you it wasn't easy.
I don't want to sound like a salesman (I'm not), but I hope I can save you some time if you are looking for such a solution.
btw, very nice article.
Aldian
You forgot to explain how to stop monitoring once it is not needed anymore.
Sandy
Does auditd work over NFS? I mean, if anyone reads/writes a file through NFS, will the audit system log them? I have not been able to configure this. auditd captures read/write access from FTP and even CIFS, but not from NFS? Anyone have any clue?
Prashant
Hi Sandy,
Were you able to get the answer for your query?
I too want to get statistics on NFS / CIFS / FTP etc.
Please let me know if you got any tips!
thnx
Prashant
Roumen Semov
Hmmm, appending text to a watched file does not show up in the audit logs:
echo hello world >> /etc/passwd
Any idea why?
RG
Set to no for full audit functionality including file and directory watches and system call auditing.
DarenTay
If a user does su to root, how do we manage that? Can we identify who the original user is?

joe
Daren Tay,
For su, install sudo, which uses the su log.
Cristian Rusu
Hello,
Is there any way to figure out what PHP script modified a file on the system?
I got a bug where all the images in some folders are converted to a black, empty PNG and I can't figure out what does this; it's been months.
Thank you for any hint.
Cris

David
I'd change the permissions on the PNG files to read-only, possibly by changing the extended attributes if necessary, and see what breaks. You might have to change the directory permissions if the mysterious program is actually creating a new file and moving/deleting the old one, as those steps don't require file permissions, just directory permissions.
dreamingkat
According to the man page, a isn't for append, it's for attribute changes.
Funutation
Anyone know whether SELinux includes these features? I assume that it does, and does even more, but I cannot find details (easily :-)
thanx
ceooph
Hi,
Thanks for this article and your whole site. I have a problem with auditd.
Can you audit a directory (yes) and all subdirectories?
I want to audit a complete mount point with folders, sub-folders, sub-sub-folders, ...
Thanks a lot for your help
John Gonzalez
Thank You!!!
ritesh
Hi,
I configured Samba as a file server. The server is running successfully. I wanted to see logs of which user is currently accessing a file and which file got deleted by which user.
Is this possible in Samba?
Thanks in advance.
Ritesh
ibeam7
thomas,
Check to see if you have
-e 2
at the end of your audit.rules file. If so, once you reload or restart your auditd service you will not be able to modify your rules file without bouncing the server. If doing testing, it's best to use
-e 1
which just enables the rules but doesn't lock them.
Kirk
Is it possible to write rules to detect modifications to any file in /var/www with the name settings.php? This doesn't work, but it captures what I'd like to be able to do:
auditctl -w /var/www/vhosts/*/settings.php -k config-watch -prwa
Thanks.
Sarfraz
Do we enable file auditing for files accessed from SFTP, like the WinSCP tool?