How to monitor permission, ownership or any other change to a particular directory or file?

Solution Verified

Environment

  • Red Hat Enterprise Linux 10
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Auditd

Issue

  • How to monitor the permission or ownership change of a particular directory or file?
  • How to configure auditd to find the process responsible for modifying a file?
  • What tool can be used to audit file operations at a directory level?
  • How do I monitor files or directories using auditd?
  • How do I monitor a file or directory to find which user or program has accessed or modified it?

Resolution

Red Hat Audit Lab Helper

We have an application that helps you generate Linux audit rules to monitor system activity and security events. Create file monitoring, process kill monitoring, NTP time change, and custom audit rules with step-by-step guidance and useful ausearch/aureport commands. If you would prefer to use this tool, please visit https://access.redhat.com/labs/audithelper/ .

For monitoring file deletion, please refer to How to configure audit to monitor file deletion in Red Hat Enterprise Linux?

  • The Linux Audit system (audit package) can be used to accomplish this task.
  • Ensure the auditd service is running and enabled to start at boot time.
  • Set a watch on the required file to be monitored by using the auditctl command:

    # auditctl -w /etc/hosts -p war -k monitor-hosts
    
    Where:
      • auditctl is the command used to add entries to the audit database.
      • -w inserts a watch for the file system object at the given path, i.e. /etc/hosts.
      • -p sets the permissions filter for a file system watch. The permissions are any combination of the following:
        • r - read of the file
        • w - write to the file
        • x - execute the file
        • a - change in the file's attributes (for example permissions or ownership)
      • -k sets a filter key on an audit rule (up to 31 bytes long).
  • In order for these rules to persist across reboots, add the rule to /etc/audit/rules.d/audit.rules on RHEL 7 and later, or to /etc/audit/audit.rules on RHEL 5 and 6. The example below watches attribute changes only (-p a); use -p war to persist the same watch as the auditctl command above:

    -w /etc/hosts -p a -k monitor-hosts
    

    Note: Please see the man pages for auditctl and audit.rules for further information.

  • The auditd service must be restarted after any change to the rules file. Also ensure that it is enabled to start at boot:

    # service auditd restart
    
  • To check whether the auditd service is enabled, run the following command:

    • RHEL 7 and later: systemctl status auditd
    • RHEL 6: chkconfig --list auditd
  • In the example below, a watch is placed on the /etc/hosts file for any syscalls which perform a write, read, or attribute change (-p war). This is logged with the key monitor-hosts. This key can be used to search through the audit logs to find these actions, using the ausearch command:

    # ausearch -ts today -k monitor-hosts
    time->Thu Jun 26 15:18:17 2025
    type=PROCTITLE msg=audit(1750951097.110:224): proctitle=76696D002F6574632F686F737473
    type=PATH msg=audit(1750951097.110:224): item=0 name="/etc/hosts" inode=520414 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(1750951097.110:224): cwd="/root"
    type=SYSCALL msg=audit(1750951097.110:224): arch=c000003e syscall=188 success=yes exit=0 a0=564664c05d20 a1=7fdb29ac8000 a2=564664f76140 a3=1c items=1 ppid=1754 pid=2884 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="monitor_hosts"
    
  • From this trace, it can be seen that the file /etc/hosts was edited using the /usr/bin/vim command (comm="vim", exe="/usr/bin/vim") by a process with audit UID 0 (auid=0), running with the unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 SELinux context. The epoch timestamp in msg=audit(1750951097.110:224) can be converted into a human readable form:

    # date -d @1750951097.110
    Thu Jun 26 15:18:17 UTC 2025
    
  • Passing -i to ausearch interprets numeric fields (UIDs, syscall numbers, architecture, proctitle) as names and text, making the records more readable.

  • You can search for an event based on the given key string:

    # ausearch -k monitor-hosts
    
  • You can also generate a summary report of events grouped by audit rule key by running:

    # aureport -k
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
