Audit File System Changes


File system changes can be monitored with auditd, the Linux audit daemon, which logs matching system calls and file accesses to /var/log/audit/audit.log. On RHEL/CentOS 6 install it and enable it at boot with:

yum install audit
chkconfig auditd on
service auditd start

On systemd-based releases (RHEL/CentOS 7 and later) the last two lines become systemctl enable auditd followed by systemctl start auditd.

To update the auditd rules, either load them with the auditctl command (rules loaded this way are lost at reboot) or place them in /etc/audit/audit.rules, which auditd reads at start-up. On newer releases the persistent rules live in /etc/audit/rules.d/*.rules and augenrules compiles them into audit.rules.

For example, to log who creates or removes entries in a directory, add a rule like this one. It records every mkdir, unlink, unlinkat, rename and renameat call whose object is that directory or an entry directly inside it, and tags the records with the key whodeletedit.

-a always,exit -F arch=x86_64 -S mkdir -S unlink -S unlinkat -S rename -S renameat -F path=/home/username/public_html/dir1 -F key=whodeletedit

Three things this rule does not cover: file creation through open with O_CREAT, creat or openat (and rmdir, mkdirat) is not in the syscall list; -F arch=x86_64 selects only the 64-bit syscall table, so a 32-bit process is missed unless a second rule with -F arch=b32 is added; and -F path= on a directory is not recursive, so use -F dir= to watch a whole tree. A plain watch (-w on the directory with -p wa and the same -k key) catches creation, deletion, writes and attribute changes without naming syscalls and is usually the simpler choice.

To find the records later, search by key with ausearch; add -i to translate uids, syscall numbers and timestamps into readable names.

ausearch -k whodeletedit
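The records ausearch returns come in groups: one SYSCALL record (who ran what) plus one PATH record per object touched, all sharing the same msg=audit(secs.ms:serial) id, and the removed entry is the PATH record with nametype=DELETE. As an added example (not part of the original page), the following POSIX shell script joins those records into a "who deleted what" summary. It runs offline on constructed sample records; the function names who_deleted, sample_log and demo are this example's own, not auditd's.

```shell
#!/bin/sh
# Added example, not from the original wiki page: turn raw audit records into a
# "who deleted what" summary. An audit event is several records sharing one
# msg=audit(<secs>.<ms>:<serial>) id: the SYSCALL record carries auid/uid/exe and
# the rule key, the PATH records carry the object names, and the deleted entry is
# the one with nametype=DELETE. Needs only POSIX sh and awk. The function names
# and the sample records below are this example's own, not auditd's.

# who_deleted <audit.log> [key]
# Prints: <event id> <auid> <uid> <exe> <deleted path>, one line per deletion.
who_deleted() {
    log=$1
    key=${2:-whodeletedit}
    awk -v key="$key" '
        # "<secs>.<ms>:<serial>" from msg=audit(...)
        function event_id(s,   m) {
            m = s; sub(/.*msg=audit\(/, "", m); sub(/\).*/, "", m); return m
        }
        # value of a field such as auid=1000 or exe="/bin/rm"; "" if absent.
        # [ (] before the name keeps uid= from matching inside auid= or euid=.
        function field(s, name,   m) {
            m = s
            if (!sub(".*[ (]" name "=", "", m)) return ""
            sub(/[ )].*/, "", m); gsub(/"/, "", m); return m
        }
        # pass 1 (NR == FNR): remember SYSCALL records that carry our key
        NR == FNR {
            if ($1 == "type=SYSCALL" && field($0, "key") == key)
                who[event_id($0)] = field($0, "auid") " " field($0, "uid") " " field($0, "exe")
            next
        }
        # pass 2: join each DELETE path record to its SYSCALL record
        $1 == "type=PATH" && field($0, "nametype") == "DELETE" {
            id = event_id($0)
            if (id in who) print id, who[id], field($0, "name")
        }
    ' "$log" "$log"
}

# Constructed sample: one rm hit by the whodeletedit rule (event 4567), one mkdir
# hit by the same rule (4568, nametype=CREATE, so not a deletion) and one unlink
# matched by a different key (4569). Field layout follows audit.log, trimmed.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1302600000.123:4567): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1a2b3c4d a1=0 a2=0 a3=0 items=2 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="whodeletedit"
type=CWD msg=audit(1302600000.123:4567):  cwd="/home/username/public_html/dir1"
type=PATH msg=audit(1302600000.123:4567): item=0 name="/home/username/public_html/dir1" inode=1234 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1302600000.123:4567): item=1 name="/home/username/public_html/dir1/index.html" inode=1235 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1302600000.456:4568): arch=c000003e syscall=83 success=yes exit=0 a0=7fff1a2b3c4d a1=1ed a2=0 a3=0 items=2 ppid=2001 pid=2050 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="mkdir" exe="/bin/mkdir" key="whodeletedit"
type=PATH msg=audit(1302600000.456:4568): item=0 name="/home/username/public_html/dir1" inode=1234 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1302600000.456:4568): item=1 name="/home/username/public_html/dir1/new" inode=1236 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1302600000.789:4569): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1a2b3c4d a1=0 a2=0 a3=0 items=2 ppid=1 pid=2100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="python" exe="/usr/bin/python" key="otherrule"
type=PATH msg=audit(1302600000.789:4569): item=0 name="/tmp" inode=2 dev=fd:01 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1302600000.789:4569): item=1 name="/tmp/scratch.dat" inode=99 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
EOF
}

# Run against the constructed sample; on a real host pass /var/log/audit/audit.log
# or a file written with: ausearch -k whodeletedit --raw > deletions.log
demo() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    who_deleted "$tmp" "$@"
    rm -f "$tmp"
}
demo
```

The script reads the file twice so that a PATH record is matched even when it is logged before its SYSCALL record. Names that contain spaces, quotes or non-printable bytes are hex-encoded by the kernel (and then appear without quotes); the script passes those through undecoded, which is the same thing ausearch shows without -i.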

See the auditctl man page for more details.
