How to monitor file access on Linux using auditd


# install
$ sudo apt-get install install auditd | yum install auditd
$ chkconfig auditd on | systemctl enable auditd.service ; systemctl start auditd.service

# watch/audit a /etc/passwd file for war=write+append+read and w/ filterkey=password-file
$ auditctl -w /etc/passwd -p war -k password-file
# audit /etc/shadow for read+write+execute+append w/ filterkey=shadow-file
$ auditctl -w /etc/shadow -k shadow-file -p rwxa
# suppress auditing for mount syscall exits
$ auditctl -a exit,never -S mount
# audit executes to /tmp
$ auditctl -w /tmp -p e -k webserver-watch-tmp
# audit all syscalls by pid 1005
$ auditctl -a entry,always -S all -F pid=1005

# log is in /var/log/audit/audit.log but can use ausearch instead, see

# find out who changed or accessed a file /etc/passwd
$ ausearch -f /etc/passwd
type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00
type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep

# same but by date and filterkey and using command rm
$ ausearch -ts today -k password-file -x rm

# list active rules
$ auditctl -l
(using audit rules in file)
$ cat /etc/audit/audit.rules
# first rule - delete all, and increase buffer
-b 1024
# monitor unlink/rmdir/open syscalls
-a exit,always -S unlink -S rmdir -S open
# monitor write+  and change in file properties (read/write/execute) of the following files.
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
# lock the audit configuration to prevent any modification of this file.
-e 2
$ service auditd restart

# non-recursive directory audit
# watch is really a syscall rule in disguise
$ auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
-a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch
# use this instead
-a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

# daily rotate log
$ service auditd rotate

from Howto monitor file access on Linux using auditd and Linux audit files to see who made changes to a file


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s