“On Linux there is an audit RPM named audit, which provides auditd service to monitor the processes and the commands as well. Using audit RPM we can audit some simple file operation like read, write and execution. This post will introduce a method to monitor the file access on the Linux system. Like “When the file was read/modified?”, “Who edit the specific file?””
# service auditd start ### CentOS/RHEL 6
# systemctl start auditd ### CentOS/RHEL 7
use auditctlcommand to specify which files you want to monitor:
# auditctl -w /etc/hosts -p war -k hostswrap
-w: specify the file you want to audit/watch.
-p: which operation/permission you want to audit/watch, r for read, w for write, x for execute, a for append.
-k: specify a keyword for this audit rule, when searching the audit log, you can search by this keyword
# vi /etc/audit.rules -w /etc/hosts -p war -k hostswrap # systemctl restart auditd ### CentOS/RHEL 7
# auditctl -l
# ausearch -f /etc/hosts -i | less