Audit File System Changes

Revision as of 18:00, 19 January 2016 by Admin (Talk | contribs)


File system changes can be monitored using auditd in Linux.

yum install audit
chkconfig auditd on
service auditd start

To update the auditd rules you can use the auditctl command (takes effect immediately, but is lost on reboot) or place them in the /etc/audit/audit.rules file, which is loaded when the auditd service starts.

For example, to monitor a directory for file creation/deletion, add a line like this. The -F path= filter limits the rule to that directory and -F key= tags the matching records so they can be searched for later. Because of -F arch=x86_64 the rule matches only 64-bit syscalls; on a 64-bit system a second copy of the rule with -F arch=b32 is needed to also catch 32-bit programs.

-a always,exit -F arch=x86_64 -S mkdir -S unlink -S unlinkat -S rename -S renameat -F path=/home/username/public_html/dir1 -F key=whodeletedit

To search the audit records by that key, use the ausearch command.

ausearch -k whodeletedit

See the auditctl man page for more details.
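ausearch shows the matching records, but answering "who deleted it" means joining the SYSCALL, CWD and PATH records that share one event serial and reading auid (the login user, which survives su/sudo) rather than uid. The following is an added example, not part of the original page or the audit package: a small Python parser that does that grouping over raw audit.log records (the same format `ausearch --raw` prints) for events tagged with the key from the rule above. The log lines are constructed samples, and the syscall-number table is the x86_64 one, matching the arch in the rule.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers for the calls named in the rule (arch=c000003e in the log)
SYSCALL_NAMES = {82: "rename", 83: "mkdir", 87: "unlink", 263: "unlinkat", 264: "renameat"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

# Constructed sample of raw audit.log records (not a real capture): an unlink run via sudo (uid=0, auid=1000) and a mkdir by the user.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1453226400.123:1234): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2001 pid=2042 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="rm" exe="/usr/bin/rm" key="whodeletedit"
type=CWD msg=audit(1453226400.123:1234):  cwd="/home/username/public_html/dir1"
type=PATH msg=audit(1453226400.123:1234): item=0 name="/home/username/public_html/dir1" inode=131074 dev=fd:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1453226400.123:1234): item=1 name="old.html" inode=131099 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1453226401.456:1235): arch=c000003e syscall=83 success=yes exit=0 items=2 ppid=2001 pid=2043 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="mkdir" exe="/usr/bin/mkdir" key="whodeletedit"
type=PATH msg=audit(1453226401.456:1235): item=1 name="/home/username/public_html/dir1/new" nametype=CREATE
"""

def parse_record(line):
    """Split one audit record into a dict of field=value pairs, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def group_events(lines):
    """Records that share the serial in msg=audit(ts:serial) belong to one event."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            events[SERIAL_RE.search(line).group(1)].append(parse_record(line))
    return events

def who_deleted_it(lines, key="whodeletedit"):
    """Summarise every event tagged with the rule's key: who, which call, which paths."""
    results = []
    for serial, recs in group_events(lines).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        results.append({
            "serial": serial,
            "syscall": SYSCALL_NAMES.get(int(syscall["syscall"]), syscall["syscall"]),
            "auid": syscall["auid"],   # login uid: survives su/sudo, so this is the real person
            "uid": syscall["uid"],     # account the call actually ran as
            "exe": syscall.get("exe", ""),
            "cwd": next((r["cwd"] for r in recs if r["type"] == "CWD"), ""),
            # nametype says what happened to each PATH item: DELETE, CREATE, PARENT, ...
            "paths": [(r["name"], r.get("nametype", "")) for r in recs if r["type"] == "PATH"],
        })
    return results

EVENTS = who_deleted_it(SAMPLE_LOG.splitlines())  # two events: unlink (auid 1000 via sudo), mkdir
```

On a real system, feed it the lines of /var/log/audit/audit.log or of `ausearch -k whodeletedit --raw` instead of SAMPLE_LOG.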
