
Sunday, December 17, 2017

How to monitor the permission change and ownership change of a particular directory or file in Linux Server


1. Use the audit package to accomplish this task.
2. Ensure the auditd service is running, and set it to start on boot: chkconfig auditd on
3. Set a watch on the required file to be monitored by using the auditctl command:

# auditctl -w /etc/passwd -p war -k monitor-passwd

    auditctl : the command used to add entries to the audit database.
    -w       : Insert a watch for the file system object at path, e.g. /etc/shadow.
    -p       : Set the permissions filter for a file system watch. r=read, w=write, x=execute, a=attribute change.
    -k       : Set a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule.

Note that on RHEL5 or RHEL6 you must add the rule to /etc/audit/audit.rules in order for it to persist after a reboot. You can place the watch rule in the /etc/audit/audit.rules file to set it permanently:

-w /etc/passwd -p a -k monitor-passwd

Check the auditd service and, if it is stopped, start it:

# service auditd status
# chkconfig --list auditd
# chkconfig auditd on

In this example, a watch is placed on the /etc/passwd file for any syscalls which perform a write, read, or attribute change (-p war). This is logged with the key monitor-passwd. This key can be used to search through the audit logs to find these actions, using the ausearch command:

# ausearch -ts today -k monitor-passwd
time->Sat May  3 07:32:20 2009
type=PATH msg=audit(117045140.872:34): item=0 name="/etc/passwd" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(117045140.872:34): cwd="/root"
type=SYSCALL msg=audit(117045140.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c
items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim"
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-passwd"

From this trace, it can be seen that the file /etc/resolve.conf was edited using the /usr/bin/vim command. The user that ran the command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 SELinux context. And, the timestamp can be converted into readable form.

# date -d @117045140
Sat May  3 05:32:20 CST 2009
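Reading a trace like the one above by eye is fine for one event, but an audit log for a watched file quickly grows to many PATH/CWD/SYSCALL triples. The following Python parser is an added example, not part of the original post or of the audit package: it groups raw ausearch records by their event id (the timestamp:serial inside msg=audit(...)), keeps only events carrying the rule key, converts the epoch timestamp, and reports path, executable, login uid (auid) and effective uid together. The sample records are constructed from the post's trace, with auid changed to 500 to show how the login uid exposes the real person behind a root shell.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample modelled on the post's trace (not captured from a live system): one event, three records.
SAMPLE = """\
type=PATH msg=audit(1241335940.872:34): item=0 name="/etc/passwd" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1241335940.872:34): cwd="/root"
type=SYSCALL msg=audit(1241335940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-passwd"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group raw audit records by event id (seconds:serial); returns {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, secs, _ms, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields['_time'] = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        events[f'{secs}:{serial}'][rtype] = fields
    return events

def summarize(events, key):
    """Return one dict per event carrying the given rule key: who touched which path with what."""
    out = []
    for eid, recs in events.items():
        sc = recs.get('SYSCALL')
        if not sc or sc.get('key') != key:
            continue
        out.append({
            'event': eid,
            'time': sc['_time'].strftime('%Y-%m-%d %H:%M:%S UTC'),
            'path': recs.get('PATH', {}).get('name'),
            'cwd': recs.get('CWD', {}).get('cwd'),
            'exe': sc.get('exe'),
            'comm': sc.get('comm'),
            'auid': sc.get('auid'),   # login uid survives su/sudo: the person who logged in
            'uid': sc.get('uid'),     # uid the syscall ran as (0 here: a root shell)
            'success': sc.get('success') == 'yes',
        })
    return out

if __name__ == '__main__':
    for row in summarize(parse_records(SAMPLE), 'monitor-passwd'):
        print(row)
```

On a real host, feed it the output of `ausearch -k monitor-passwd --raw` instead of SAMPLE; an event whose auid differs from uid is the one to look at first.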

You can search for an event based on the given key string:

# ausearch -k monitor-passwd

For a clearer view, you can generate a report based on audit rule keys:

# aureport -k
