
How to find out which process is modifying a file

Linux has an auditing subsystem (the kernel audit framework, driven from user space by auditd and auditctl) that records when files and/or folders are accessed, modified, or executed, and which process did it. You can also monitor changes in entire directories.

How to install auditd (auditctl)

On Debian, Linux Mint, Kali Linux, Ubuntu and their derivatives, to install, run the command:

sudo apt install auditd

In Arch Linux, Manjaro, BlackArch and their derivatives, this package is called audit and lives in the core repository; it is normally already present because systemd depends on it, which you can confirm with pacman -Q audit.

On CentOS, RHEL and Fedora, run the command (on recent releases dnf replaces yum):

sudo yum install audit

How to start the file access and change monitor

You need to start by adding rules. The following command adds a watch on the /etc/resolv.conf file that records writes (w) and attribute changes such as owner or permission changes (a); add r to the permission list if you also want reads recorded, and x for executions:

sudo auditctl -w /etc/resolv.conf -p wa

This is the same rule written in the syscall-rule notation; it records the same writes and attribute changes on /etc/resolv.conf:

sudo auditctl -a always,exit -F path=/etc/resolv.conf -F perm=wa

You can check which rules have been added with the following command:

sudo auditctl -l

The rule is loaded into the kernel immediately, but the log file is written by the auditd daemon, which has not been started yet, so nothing will end up in /var/log/audit/audit.log until it runs. To start it, run the command:

sudo systemctl start auditd.service

If you want to add this service to startup, then run:

sudo systemctl enable auditd.service

How to leave the audit daemon in the foreground

The previous command starts auditd as a daemon, that is, as a background service. If you don't need that and want to run auditd in the foreground, run the following instead of using systemctl:

sudo auditd -f

Option -f leaves the audit daemon in the foreground for debugging. In this mode the records go to stderr rather than to the audit log: every event on the watched files or folders is printed to the terminal, no log file is written, and ausearch will therefore have nothing to read.

This is useful when debugging rules, or when you only need to watch events for a short time.

How to view the auditd log

The auditd log is stored in the /var/log/audit/audit.log file. But instead of viewing it directly, you can use the ausearch utility, for example:

sudo ausearch -f /etc/resolv.conf

If the output is

<no matches>

then no event matching the rule has been recorded yet (with -p wa, reads do not count; the file has not been written to or had its attributes changed since the rule was loaded).

If the events happened, there will be approximately the following entries:

----
time->Sun May 16 07:02:16 2021
type=PROCTITLE msg=audit(1621137736.023:543): proctitle=6765646974002F6574632F7265736F6C762E636F6E66
type=PATH msg=audit(1621137736.023:543): item=1 name="/etc/resolv.conf" inode=160660 dev=103:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1621137736.023:543): item=0 name="/etc/" inode=131073 dev=103:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1621137736.023:543): cwd="/home/mial"
type=SYSCALL msg=audit(1621137736.023:543): arch=c000003e syscall=257 success=no exit=-17 a0=ffffff9c a1=55da2dd00770 a2=800c1 a3=1b6 items=2 ppid=78750 pid=78751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="pool-gedit" exe="/usr/bin/gedit" key=(null)
----
time->Sun May 16 07:02:16 2021
type=PROCTITLE msg=audit(1621137736.023:544): proctitle=6765646974002F6574632F7265736F6C762E636F6E66
type=PATH msg=audit(1621137736.023:544): item=1 name="/etc/resolv.conf" inode=160660 dev=103:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1621137736.023:544): item=0 name="/etc/" inode=131073 dev=103:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1621137736.023:544): cwd="/home/mial"
type=SYSCALL msg=audit(1621137736.023:544): arch=c000003e syscall=257 success=yes exit=11 a0=ffffff9c a1=55da2dd00770 a2=20041 a3=1b6 items=2 ppid=78750 pid=78751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="pool-gedit" exe="/usr/bin/gedit" key=(null)
----
time->Sun May 16 07:02:16 2021
type=PROCTITLE msg=audit(1621137736.029:545): proctitle=6765646974002F6574632F7265736F6C762E636F6E66
type=PATH msg=audit(1621137736.029:545): item=4 name="/etc/resolv.conf" inode=163335 dev=103:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1621137736.029:545): item=3 name="/etc/resolv.conf" inode=160660 dev=103:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1621137736.029:545): item=2 name="/etc/.goutputstream-VQ4G30" inode=163335 dev=103:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1621137736.029:545): item=1 name="/etc/" inode=131073 dev=103:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1621137736.029:545): item=0 name="/etc/" inode=131073 dev=103:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1621137736.029:545): cwd="/home/mial"
type=SYSCALL msg=audit(1621137736.029:545): arch=c000003e syscall=82 success=yes exit=0 a0=7ff2a409a5a0 a1=7ff2a40a2da0 a2=0 a3=11 items=5 ppid=78750 pid=78751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="pool-gedit" exe="/usr/bin/gedit" key=(null)

Read the SYSCALL record of each event first. exe= is the program that performed the action, comm= its thread name, pid= its process ID, and auid= is the login user, which survives sudo and su: here auid=1000 while uid=0, so the file was edited by user 1000 running gedit through sudo. syscall= is a number that depends on the architecture in arch= (on x86_64, arch=c000003e, 257 is openat and 82 is rename); ausearch -i or ausyscall 257 translates it. exit= is the return value: -17 is -EEXIST, while 11 on the successful openat is the file descriptor it returned. key=(null) appears because the rule was added without -k; giving rules a key lets you search with ausearch -k instead of by path.

Taken together, the three events show how gedit saves a file: an openat of /etc/resolv.conf with O_CREAT|O_EXCL (a2=800c1) that fails because the file exists, a second openat that succeeds, and then a rename of the temporary file /etc/.goutputstream-VQ4G30 over /etc/resolv.conf, which the PATH records show as DELETE of the old inode 160660 and CREATE of the new inode 163335. Many editors and package managers replace files this way rather than writing in place, so the watched path keeps its name but gets a new inode; a -w watch follows the path, so it still catches the change. Note that the creation of the temporary file itself is not logged, because only the /etc/resolv.conf path is watched; to see it you would watch the directory, as shown in the configuration examples later.
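Records like these are easier to read once they are grouped per event and the numeric fields are decoded. The script below is an added example, not code from this article or from the audit project: it groups raw records by their audit serial, decodes the hex-encoded proctitle, names the syscall from a small hand-written x86_64 table, separates the login user (auid) from the uid the call ran under, and flags the rename-replace pattern from DELETE/CREATE pairs in the PATH records. SAMPLE_LOG is constructed from the article's own ausearch output above (events 543 and 545, with the PATH records trimmed to the fields the script uses); the same parser works on the raw file /var/log/audit/audit.log or on the output of ausearch --raw.

```python
"""Turn raw auditd records (the format ausearch prints) into per-event summaries.

Added example, not code from the original article or the audit project.
SAMPLE_LOG is the article's own ausearch output for /etc/resolv.conf (events
543 and 545, PATH records trimmed to the fields used here); the syscall table is
a hand-picked x86_64 subset.
"""
import re
from collections import defaultdict

# Partial x86_64 syscall table (arch=c000003e). Other architectures number
# syscalls differently; `ausyscall --dump` prints the full table for yours.
X86_64_SYSCALLS = {2: "open", 82: "rename", 87: "unlink", 90: "chmod",
                   257: "openat", 263: "unlinkat", 268: "fchmodat", 316: "renameat2"}

SAMPLE_LOG = """\
----
time->Sun May 16 07:02:16 2021
type=PROCTITLE msg=audit(1621137736.023:543): proctitle=6765646974002F6574632F7265736F6C762E636F6E66
type=PATH msg=audit(1621137736.023:543): item=1 name="/etc/resolv.conf" inode=160660 nametype=NORMAL
type=PATH msg=audit(1621137736.023:543): item=0 name="/etc/" inode=131073 nametype=PARENT
type=CWD msg=audit(1621137736.023:543): cwd="/home/mial"
type=SYSCALL msg=audit(1621137736.023:543): arch=c000003e syscall=257 success=no exit=-17 a0=ffffff9c a1=55da2dd00770 a2=800c1 a3=1b6 items=2 ppid=78750 pid=78751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="pool-gedit" exe="/usr/bin/gedit" key=(null)
----
time->Sun May 16 07:02:16 2021
type=PROCTITLE msg=audit(1621137736.029:545): proctitle=6765646974002F6574632F7265736F6C762E636F6E66
type=PATH msg=audit(1621137736.029:545): item=4 name="/etc/resolv.conf" inode=163335 nametype=CREATE
type=PATH msg=audit(1621137736.029:545): item=3 name="/etc/resolv.conf" inode=160660 nametype=DELETE
type=PATH msg=audit(1621137736.029:545): item=2 name="/etc/.goutputstream-VQ4G30" inode=163335 nametype=DELETE
type=PATH msg=audit(1621137736.029:545): item=1 name="/etc/" inode=131073 nametype=PARENT
type=PATH msg=audit(1621137736.029:545): item=0 name="/etc/" inode=131073 nametype=PARENT
type=CWD msg=audit(1621137736.029:545): cwd="/home/mial"
type=SYSCALL msg=audit(1621137736.029:545): arch=c000003e syscall=82 success=yes exit=0 a0=7ff2a409a5a0 a1=7ff2a40a2da0 a2=0 a3=11 items=5 ppid=78750 pid=78751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="pool-gedit" exe="/usr/bin/gedit" key=(null)
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # a value is either quoted or bare

def unquote(v):
    return v.strip('"')

def parse_events(text):
    """Group records by audit serial: {serial: {record type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:  # '----' separators and 'time->' lines carry no fields
            continue
        rtype, _ts, serial, body = m.groups()
        events[int(serial)][rtype].append(dict(FIELD_RE.findall(body)))
    return events

def decode_proctitle(value):
    """proctitle is hex when argv contains NULs or spaces; NUL separates the args."""
    if value.startswith('"'):
        return unquote(value)
    return " ".join(bytes.fromhex(value).decode("utf-8", "replace").split("\0")).strip()

def summarize(serial, records):
    sc = records["SYSCALL"][0]
    nr = int(sc["syscall"])
    name = X86_64_SYSCALLS.get(nr, f"syscall#{nr}") if sc["arch"] == "c000003e" else f"syscall#{nr}"
    paths = sorted(records["PATH"], key=lambda p: int(p["item"]))
    # A DELETE and a CREATE of the same name inside one event means the file was
    # replaced by rename (write a temp file, rename it over the original): the
    # watched path keeps its name but now has a different inode.
    deleted = {unquote(p["name"]): p["inode"] for p in paths if p["nametype"] == "DELETE"}
    created = {unquote(p["name"]): p["inode"] for p in paths if p["nametype"] == "CREATE"}
    pt = records["PROCTITLE"][0]["proctitle"] if records["PROCTITLE"] else '""'
    return {
        "serial": serial,
        "syscall": name,
        "success": sc["success"] == "yes",
        "errno": -int(sc["exit"]) if sc["success"] == "no" else 0,
        "exe": unquote(sc.get("exe", "?")),
        "pid": int(sc["pid"]),
        "auid": int(sc["auid"]),  # login uid: survives sudo/su, so it names the person
        "uid": int(sc["uid"]),    # identity the syscall actually ran under
        "cmdline": decode_proctitle(pt),
        "paths": [(p["nametype"], unquote(p["name"])) for p in paths],
        "replaced": {n: (deleted[n], created[n]) for n in deleted.keys() & created.keys()},
    }

def report(text):
    """Summaries in serial order; events without a SYSCALL record (daemon, config
    and login records in the real log) are skipped."""
    evs = parse_events(text)
    return [summarize(s, evs[s]) for s in sorted(evs) if evs[s]["SYSCALL"]]

def describe(s):
    outcome = "ok" if s["success"] else f"failed errno={s['errno']}"
    actor = f"auid={s['auid']}" + ("" if s["auid"] == s["uid"] else f" (running as uid={s['uid']})")
    line = f"{s['serial']}: {s['syscall']} {outcome}; {s['exe']} pid={s['pid']}; {actor}; cmd: {s['cmdline']}"
    for path, (old, new) in s["replaced"].items():
        line += f"; {path} replaced by rename, inode {old} -> {new}"
    return line

if __name__ == "__main__":
    for event in report(SAMPLE_LOG):
        print(describe(event))
```

Run as-is it prints one line per event, naming the syscall, the binary, the login user behind the uid-0 process, and the inode swap that the rename caused. The syscall table is the one thing to extend before using it elsewhere: records from a 32-bit process (arch=40000003) or another CPU use different numbers, which is why the script refuses to guess outside x86_64.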

How to stop auditd service

To remove a service from startup, run the command:

sudo systemctl disable auditd.service

If you try to stop the service with the following command:

sudo systemctl stop auditd.service

then on distributions whose unit file sets RefuseManualStop=yes (so that auditing cannot be switched off casually) you will receive a message that the operation was refused:

Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.

To stop it anyway, ask auditd itself to terminate through auditctl (check the --signal entry in auditctl(8) for the signal names your version accepts):

sudo auditctl --signal TERM

How to remove all change tracking rules for folders and files

To remove all rules at once, run the command:

sudo auditctl -D

Individual rules can also be deleted: a watch is removed with auditctl -W and a syscall rule with auditctl -d, in each case repeating exactly the arguments that were used to add it (compare the output of auditctl -l).

Error opening /var/log/audit/audit.log (No such file or directory)

If you get an error

Error opening /var/log/audit/audit.log (No such file or directory)

it means that auditd has never written a log on this system: you forgot to start it, it did not start due to an error, or you started it in the foreground with -f. While auditd is not running, the kernel still evaluates the loaded rules but prints the records to the kernel log instead, so you can see them with dmesg or journalctl -k.

Auditd Configuration Examples

To record all system calls made by a specific process (PID 1005 here; the rule is tied to this PID and must be re-added for a new process):

sudo auditctl -a always,exit -S all -F pid=1005

To see files opened by a specific user (auid is the login UID, so this catches the user even after sudo or su):

sudo auditctl -a always,exit -S openat -F auid=510

To see failed openat calls (auditctl warns about a 32/64-bit syscall mismatch for syscall rules without an architecture; add -F arch=b64 to silence it and to make the syscall number unambiguous):

sudo auditctl -a always,exit -S openat -F success=0

To track file changes (two ways of expression):

sudo auditctl -w /etc/shadow -p wa
sudo auditctl -a always,exit -F path=/etc/shadow -F perm=wa

To recursively monitor a directory for changes (two ways of expression):

sudo auditctl -w /etc/ -p wa
sudo auditctl -a always,exit -F dir=/etc/ -F perm=wa

To see whether an administrator is reading or modifying other users' files: the rule records accesses under /home/ made as root (uid=0) to files whose owner (obj_uid) is not the logged-in user (auid), so root working on its own files is not logged:

sudo auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid

Auditd files

  • /etc/audit/auditd.conf – configuration file for audit daemon
  • /etc/audit/audit.rules – audit rules to be loaded at startup
  • /etc/audit/rules.d/ – directory holding individual sets of rules to be compiled into one file by augenrules.
  • /etc/audit/plugins.d/ – directory holding individual plugin configuration files.
  • /var/run/auditd.state – report about internal state.
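Rules added with auditctl live only in the kernel and are gone after a reboot. To make them permanent, put them in a file under /etc/audit/rules.d/ and let augenrules compile them into /etc/audit/audit.rules. The file below is an added example, not part of the original article or of the audit project: it makes the /etc/resolv.conf watch from the walkthrough persistent and adds keys so that events can be searched by name. The file name, the key names and the backlog size are arbitrary choices.

```text
## /etc/audit/rules.d/50-files.rules (example; the file name is arbitrary)
## Delete the rules already loaded and give the kernel a larger event queue
-D
-b 8192

## Watch the file from the walkthrough; the -k key is what ausearch -k looks for
-w /etc/resolv.conf -p wa -k resolv

## Credential database: log writes and attribute changes
-w /etc/shadow -p wa -k shadow

## Failed openat calls system-wide; -F arch=b64 avoids the 32/64-bit mismatch warning
-a always,exit -F arch=b64 -S openat -F success=0 -k failed_open

## Uncomment to lock the rule set until reboot (even root cannot change it then)
#-e 2
```

Load it with sudo augenrules --load, confirm with sudo auditctl -l, and search by key with sudo ausearch -k resolv -i (the -i switch prints uids and syscall numbers as names). With -e 2 in place any rule change needs a reboot, which is what you want on a production host and a nuisance on a lab machine.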

Auditd documentation

This article shows you how to get started using auditd to track file changes and track file access.

The capabilities of auditd are not limited to the examples shown, and there are several utilities with many settings and options that allow you to very flexibly configure the rules for monitoring what is happening in the file system, as well as perform other related actions.

Using man, you can check out the following documentation:

  • auditd
  • auditd.conf
  • auditd-plugins
  • ausearch
  • aureport
  • ausyscall
  • auditctl
  • augenrules
  • audit.rules
