How to monitor permission, ownership or any other change to a particular directory or file

Resolution

NOTE: For monitoring file deletion, please refer to How to configure audit to monitor file deletion in Red Hat Enterprise Linux?

• The Linux Audit system (audit package) can be used to accomplish this task.
• Ensure the auditd service is running, and set to start on boot with chkconfig auditd on
• Set a watch on the required file to be monitored by using the auditctl command:

# auditctl -w /etc/hosts -p war -k monitor-hosts

• where:
  • auditctl is the command used to add entries to the audit database.
  • -w inserts a watch for the file system object at path, i.e. /etc/hosts.
  • -p sets permissions filter for a file system watch.
  • The permission are any one of the following:
           r - read of the file
           w - write to the file
           x - execute the file
           a - change in the file's attribute
  • -k sets a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule.

Note: In order for these rules to persist after a reboot, the below must be added to the relevant rule files,

-w /etc/hosts -p a -k monitor-hosts

which are:

RHEL 4: /etc/audit.rules
RHEL 5: /etc/audit/audit.rules
RHEL 6: /etc/audit/audit.rules
RHEL 7: /etc/audit/rules.d/audit.rules
RHEL 8: /etc/audit/rules.d/audit.rules
RHEL 9: /etc/audit/rules.d/audit.rules

• Please see the man pages for "auditctl" and "audit.rules" for further information on syntax and swtiches.
  • The auditd service must be restarted after any changes are made, also ensure that it is set to run on boot.

# service auditd restart
# chkconfig auditd on

To check if auditd service is enabled, run the following command:
RHEL 6: chkconfig --list auditd
RHEL 7/8/9: systemctl status auditd

• In this example, a watch is placed on the /etc/hosts file for any syscalls which perform a write, read, or attribute change (-p war). This is logged with the key monitor-hosts. This key can be used to search through the audit logs to find these actions, using the ausearch command:

# ausearch -ts today -k monitor-hosts
----
time->Sat Feb  3 07:32:20 2007
type=PATH msg=audit(1170451940.872:34): item=0 name="/etc/hosts" inode=1308742 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1170451940.872:34): cwd="/root"
type=SYSCALL msg=audit(1170451940.872:34): arch=40000003 syscall=226 success=yes exit=0 a0=867c4b8 a1=458bcc4f a2=8686800 a3=1c items=1 ppid=3544 pid=3558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"

• From this trace, it can be seen that the file /etc/hosts was edited using the /usr/bin/vim command. The user that ran the command was running with the root:system_r:unconfined_t:s0-s0:c0.c1023 SELinux context. Also, the timestamp can be converted into readable form.

# date -d @1170451940
Sat Feb  3 05:32:20 CST 2007

• Specifying a -i to ausearch also interprets numeric entities into text, making the logs more readable.
• You can search for an event based on the given key string:

# ausearch -k monitor-hosts

• You can also generate a report about the audit rule keys by running:

# aureport -k