Overview

“On Linux there is an audit RPM named audit, which provides auditd service to monitor the processes and the commands as well. Using audit RPM we can audit some simple file operation like read, write and execution. This post will introduce a method to monitor the file access on the Linux system. Like “When the file was read/modified?”, “Who edit the specific file?””

Step

start the auditd service first if its not running.

# service auditd start ### CentOS/RHEL 6

# systemctl start auditd ### CentOS/RHEL 7

use auditctlcommand to specify which files you want to monitor:

# auditctl -w /etc/hosts -p war -k hostswrap

-w: specify the file you want to audit/watch.
-p: which operation/permission you want to audit/watch, r for read, w for write, x for execute, a for append.
-k: specify a keyword for this audit rule, when searching the audit log, you can search by this keyword

Please note that changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. To make changes persistent, add them to the /etc/audit/audit.rulesfile and, if they are not currently loaded into audit, restart the auditd service to load the modified rule set.

# vi /etc/audit.rules -w /etc/hosts -p war -k hostswrap # systemctl restart auditd ### CentOS/RHEL 7

To list the current audit rules in auditd service, use the “l” option.

# auditctl -l

check the audit log for any access to the file /etc/hosts.

# ausearch -f /etc/hosts -i | less

Browser not supported