Have you ever needed to monitor a file for changes? Has a file been changing but you don’t know why? If you answered yes to either of those questions, auditctl is the command you have been looking for. In this blog post, we will explore the basics of how to use auditctl to track down changes to files when the cause is unknown.
Introduction
The auditctl command is a command line utility used to configure the Linux kernel's audit options. Auditctl is part of the auditd package, which contains several related tools. In this post, we will focus on getting set up, adding rules for monitoring files and directories, checking the loaded rules, looking at the results, and deleting rules. Be aware that everything below requires sudo access or the root user.
Installation
To install the audit system, look for a package named audit or auditd in your package manager.
For Debian/Ubuntu
sudo apt install auditd
For most RPM-based systems
sudo dnf install audit   # use yum in place of dnf on older releases
Start and Enable
Once installed, make sure to start and enable the service using service or systemctl (depending on what the system uses).
Init.d
sudo service auditd start
sudo chkconfig auditd on   # on Debian-based SysV systems: sudo update-rc.d auditd enable
Systemd
sudo systemctl start auditd
sudo systemctl enable auditd
Note On Configuration
The audit configuration file is typically located at /etc/audit/auditd.conf.
For what we will be covering, there is no need to change the configuration file.
Setting Up Rules
To set up a rule the syntax is as follows:
sudo auditctl -w [file_name] -p [permissions] -k [name]
- [file_name] – the full path of the file (or directory) you want to watch for changes.
- [permissions] – the kinds of access you want to watch for, built from one or more of the following flags:
  - r – log anything reading the file.
  - w – log anything writing to the file.
  - x – log the file being executed.
  - a – log attribute changes (ownership, permissions, timestamps).
- [name] – a key attached to every record the rule produces, used later to filter the results with ausearch -k.
Be aware that rules added this way are not persistent and do not survive a reboot.
Examples
Here are a few examples once we put everything together:
sudo auditctl -w /etc/exim.conf -p wa -k exim-config
The command above watches /etc/exim.conf for writes and attribute changes.
sudo auditctl -w /etc/shadow -p rw -k user-accounts
The command above watches /etc/shadow for reads and writes.
sudo auditctl -w /usr/bin -p x -k dir-watch
This will watch for files being executed within the directory /usr/bin.
Persistent Rules
To keep rules across reboots, enter them in /etc/audit/rules.d/audit.rules or another .rules file in /etc/audit/rules.d/.
To add the rule, remove everything before and including auditctl, so the line starts with -w.
Using one of the above examples, this is what you would append to the file:
-w /usr/bin -p x -k dir-watch
Make sure to save and exit the file.
Then reload the rules.
sudo systemctl reload auditd
Checking For Rules
To see which rules are loaded (the rule list), run the following command:
sudo auditctl -l
The output shows one of two things: either “No rules”, meaning none are set, or the rules currently in place.
Checking The Results
The two simplest ways to check the audit records are to filter on the watch name (the -k key) or on the file; both are shown below.
sudo ausearch -k [name]
sudo ausearch -f [file]
Deleting Existing Rules
To delete a loaded rule, repeat the command used to add it but change the -w to a capital -W.
Like so:
sudo auditctl -W /usr/bin -p x -k dir-watch
Removing A Persistent Rule
To remove a persistent rule, delete its line from the associated file in /etc/audit/rules.d/.
Make sure to save and exit the file.
Then reload the rules.
sudo systemctl reload auditd
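Putting the rule syntax, the persistent rules file and the -w/-W pairing together, here is an added example (my own helper script, not code from the original post or from the audit project) that builds a watch rule, checks its pieces, writes it to and removes it from a rules.d-style file, and derives the delete form. The file path and sample values are constructed for the demo; nothing touches /etc/audit or calls auditctl.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that build, persist,
# remove and invert the watch rules shown above. All values are constructed
# for the demo and nothing here touches /etc/audit.
# Build "-w <path> -p <perms> -k <key>"; fail with a message if a piece is bad.
audit_watch_rule() {
    path=$1; perms=$2; key=$3
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    case $perms in
        ""|*[!rwxa]*) echo "perms must use only r,w,x,a: $perms" >&2; return 1 ;;
    esac
    # auditctl accepts keys of at most 31 characters.
    if [ -z "$key" ] || [ "${#key}" -gt 31 ]; then
        echo "key must be 1-31 characters: $key" >&2; return 1
    fi
    printf '%s %s -p %s -k %s\n' -w "$path" "$perms" "$key"
}

# Loaded rule (as printed by auditctl -l) -> its delete form: leading -w becomes -W.
audit_delete_form() {
    printf '%s\n' "$1" | sed 's/^-w /-W /'
}

# Append a rule to a rules.d file unless that exact line is already present.
audit_persist_rule() {
    rule=$1; file=$2
    if [ -f "$file" ] && grep -qxF -- "$rule" "$file"; then return 0; fi
    printf '%s\n' "$rule" >> "$file"
}

# Remove that exact line again (persistent counterpart of auditctl -W).
audit_unpersist_rule() {
    rule=$1; file=$2
    [ -f "$file" ] || return 0
    grep -vxF -- "$rule" "$file" > "$file.tmp" || true   # grep exits 1 when nothing is left
    mv "$file.tmp" "$file"
}

# Demo against a temporary file standing in for /etc/audit/rules.d/audit.rules.
RULES_FILE=$(mktemp)
RULE=$(audit_watch_rule /etc/shadow rw user-accounts)
audit_persist_rule "$RULE" "$RULES_FILE"
audit_persist_rule "$RULE" "$RULES_FILE"   # second call is a no-op
echo "persisted: $(cat "$RULES_FILE")"
echo "delete with: sudo auditctl $(audit_delete_form "$RULE")"
audit_unpersist_rule "$RULE" "$RULES_FILE"; rm -f "$RULES_FILE"
```

After editing a real rules.d file you would still reload auditd as shown above for the change to take effect.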
Conclusion
Auditd is the answer to “This file has been changing but I don’t know why”. In this blog post, we explored the basics of using auditctl to track down changes to files when the cause is unknown: getting set up, adding rules for monitoring files and directories, checking the loaded rules, checking the results, and deleting rules.
Embracing a lifelong passion for technology since childhood, CJ delved into the intricate workings of systems, captivated by the desire to understand the unknown. This innate curiosity led to his discovery of Linux, a revelation that resonated deeply. With more than 7 years of on the job experience, he’s honed his technical skills as a Geek and Senior Linux Systems Administrator.