Tuesday, March 16, 2021

RHEL - Audit File Access

How to monitor permission, ownership or any other change to a particular directory or file


Issue

- How to monitor the permission change and ownership change of a particular directory or file?
- How to configure auditd to find how a file was modified in Red Hat Enterprise Linux?
- What tool can audit files at a directory level?
- How do I monitor files or directories using auditd in Red Hat Enterprise Linux?
- How do I monitor a file or directory to see which user or program has accessed or modified data?

Resolution
- The Linux Audit system (audit package) can be used to accomplish this task.
- Ensure the auditd service is running, and set to start on boot with chkconfig auditd on
- Set a watch on the required file to be monitored by using the auditctl command:

# auditctl -w /etc/hosts -p war -k monitor-hosts

where:
- auditctl is the command used to add entries to the audit database.
- -w inserts a watch for the file system object at the given path, for example /etc/shadow.
- -p sets the permissions filter for a file system watch. The permissions are any combination of the following:
    r - read of the file
    w - write to the file
    x - execute the file
    a - change in the file's attributes (permissions, ownership, timestamps)
- -k sets a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule.


Note: A change made using auditctl is not persistent across a system reboot. To make it persistent, add the entry to /etc/audit/audit.rules (or to /etc/audit/rules.d/audit.rules, from which augenrules builds the rule set):

# vi /etc/audit/audit.rules or /etc/audit/rules.d/audit.rules
-w /etc/hosts -p a -k monitor-hosts

Restart the service so the rules are loaded (auditd refuses a restart through systemctl, so use the service command):
# service auditd restart

Check the auditctl(8), audit.rules(7) and auditd.conf(5) man pages for details:
# man 5 auditd.conf

Check the log size and rotation settings of the audit daemon, so that watched events are not lost when the log fills:
# grep -E 'max_log_file|max_log_file_action|num_logs' /etc/audit/auditd.conf

List the current audit rules in place:
# auditctl -l

Check the audit log for any access to the file /etc/hosts (-i interprets numeric fields into text):
# ausearch -f /etc/hosts -i | less

Search today's events for the key set on the rule:
# ausearch -ts today -k monitor-hosts

Generate a report about the audit rule keys by running:

# aureport -k


--------------------

# ausearch -ts today -k monitor-hosts
----
time->Sat Feb  3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"

From this trace, it can be seen that the file /etc/hosts was edited using the /usr/bin/vim command. The user that ran the command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 SELinux context. Also, the timestamp can be converted into readable form:


# date -d @1170451940
Sat Feb  3 05:32:20 CST 2007

Specifying -i to ausearch also interprets numeric entities into text, making the logs more readable.
You can search for an event based on the given key string:

# ausearch -k monitor-hosts
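Reading raw records like the trace above by hand does not scale, so here is an added shell example (not part of the Red Hat solution or this post) that reduces ausearch output to one line per SYSCALL record and filters out the denied operations. The sample input is constructed: the first event is the trace above, the second is an invented failed attempt by uid 1000 to open /etc/hosts for writing; the function names summarize_audit and failed_audit_events are hypothetical.

```shell
# Constructed sample input in the form ausearch prints: the trace from the page,
# plus an invented SYSCALL record for a denied open-for-write (exit=-13 is EACCES).
SAMPLE_AUDIT='type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
type=SYSCALL msg=audit(1170452000.100:35): arch=40000003 syscall=5 success=no exit=-13 a0=bf8a1c2c a1=8001 a2=0 a3=0 items=1 ppid=4100 pid=4112 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="monitor-hosts"'

# summarize_audit: read ausearch output on stdin and print one line per SYSCALL
# record: <epoch> <event-id> <key> <auid> <uid> <success> <exe>.
# Separator lines ("----", "time->...") and PATH/CWD records are skipped.
# auid is the login uid, which survives su/sudo, so it names the real user
# even when uid=0 says the process ran as root.
summarize_audit() {
    awk '
        $1 != "type=SYSCALL" { next }
        {
            # $2 looks like msg=audit(1170451940.872:34): -> epoch, millis, event id
            split($2, m, "[(.:]")
            sub(/\)/, "", m[4])
            key = auid = uid = ok = exe = "?"
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if      (kv[1] == "key")     key  = v
                else if (kv[1] == "auid")    auid = v
                else if (kv[1] == "uid")     uid  = v
                else if (kv[1] == "success") ok   = v
                else if (kv[1] == "exe")     exe  = v
            }
            print m[2], m[4], key, auid, uid, ok, exe
        }'
}

# failed_audit_events: keep only records where the kernel denied the operation;
# these are the ones worth alerting on for a watched file.
failed_audit_events() {
    summarize_audit | awk '$6 == "no"'
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
```

On a live system the same functions take `ausearch -k monitor-hosts | summarize_audit`, and the epoch in the first column can be converted with date -d @EPOCH as shown above.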

https://access.redhat.com/solutions/10107
