LinuxQuestions.org > Linux - General
How to know if some users modify/delete/create files/directories in linux? (http://www.linuxquestions.org/questions/linux-general-1/how-to-know-if-some-users-modify-delete-create-files-directories-in-linux-840422/)

b-RAM 10-25-2010 09:00 PM

How to know if some users modify/delete/create files/directories in linux?
 
Guys, I've been wondering how I can know if some users create/modify/delete a file/directory in Linux. I've been using pyinotify in a Python script; this script is like the example from the manual:
Code:

#!/usr/bin/python
import os
import time
from stat import ST_UID
import pyinotify

wm = pyinotify.WatchManager()
# Only creation and deletion events are requested from the kernel.
mask = pyinotify.IN_CREATE | pyinotify.IN_DELETE

class HandleEvent(pyinotify.ProcessEvent):
    def process_IN_CREATE(self, event):
        # The owner uid of the new entry is the closest thing inotify gives to
        # "who created it"; stat can fail if the entry is already gone again.
        try:
            uid = os.stat(event.pathname)[ST_UID]
        except OSError:
            uid = None
        print("create: ", event.pathname, uid, time.asctime())

    def process_IN_DELETE(self, event):
        # inotify events do not identify the process or user that removed the
        # entry, and the entry can no longer be stat'ed once it is deleted.
        print("delete: ", event.pathname, time.asctime())

p = HandleEvent()
notifier = pyinotify.Notifier(wm, p)
wmm = wm.add_watch("/home", mask, rec=True)
notifier.loop()

Like the code above, I just added os.stat to know who (uid) creates files/directories, but I don't know how to add who deletes the files. Is there any advice about this issue?
And I've been trying to use auditctl but got confused about using it. When I use:
Code:

auditctl -w /etc/home -p war -k home-file
the output doesn't show any kind of error, so I try to type ausearch but it gives me an error: "config file/etc/audit/auditd.conf doesn't exists, skipping"
From the first time I used this machine the audit daemon had been installed, so I just want to use it. Is it true that by using audit I will be monitoring files and the users who accessed the file/dir?

Need advice please, thanks a lot.

quanta 10-25-2010 09:38 PM

Quote:

Originally Posted by b-RAM (Post 4139212)
And I've been trying to use auditctl but got confused about using it. When I use:
Code:

auditctl -w /etc/home -p war -k home-file
the output doesn't show any kind of error, so I try to type ausearch but it gives me an error: "config file/etc/audit/auditd.conf doesn't exists, skipping"
From the first time I used this machine the audit daemon had been installed, so I just want to use it. Is it true that by using audit I will be monitoring files and the users who accessed the file/dir?

You can create it with the content below (the default on my server):
Code:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd


b-RAM 10-25-2010 09:50 PM

Thanks for your reply quanta. Does it mean I must add the auditctl command in the file /etc/auditd.conf? What bothers me is that the file auditd.conf is in /etc/, not in /etc/audit/, because the audit directory itself does not exist on the system.

Sorry for taking your time,

Thanks a lot

quanta 10-25-2010 10:00 PM

Which distro are you using? Please post your init script (/etc/init.d/auditd).

b-RAM 10-25-2010 10:17 PM

The distro is openSUSE 10.2, and here's the auditd script in /etc/init.d:
Code:

#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/auditd
#  and its symbolic link
# /(usr/)sbin/rcauditd
#
# Template system startup script for some example service/daemon auditd
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides:          auditd
# Required-Start:    $syslog
# Should-Start:
# Required-Stop:    $syslog
# Should-Stop:
# Default-Start:    3 5
# Default-Stop:      0 1 2 6
# Short-Description: auditd daemon providing core auditing services
# Description:      Starts the auditing subsystem.
### END INIT INFO
#
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
AUDITD_BIN=/sbin/auditd
test -x $AUDITD_BIN || { echo "$AUDITD_BIN not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

# Check for existence of needed config file and read it
AUDITD_CONFIG=/etc/sysconfig/auditd
test -r $AUDITD_CONFIG || { echo "$AUDITD_CONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 6; fi; }

# Read config       
. $AUDITD_CONFIG

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check        check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v    be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s    display "skipped" and exit with status 3
#      rc_status -u    display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset        clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
#      rc_splash arg    sets the boot splash screen to arg (if active)
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0          - success
# 1      - generic or unspecified error
# 2      - invalid or excess argument(s)
# 3      - unimplemented feature (e.g. "reload")
# 4      - user had insufficient privileges
# 5      - program is not installed
# 6      - program is not configured
# 7      - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
        echo -n "Starting auditd "
        if [ "$AUDITD_DISABLE_CONTEXTS" == "yes" ] ; then
                EXTRAOPTIONS="$EXTRAOPTIONS -n"
        fi
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc $AUDITD_BIN $EXTRAOPTIONS
        test -f /etc/audit.rules && /sbin/auditctl -R /etc/audit.rules >/dev/null

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down auditd "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.

        killproc -TERM $AUDITD_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart
${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.

        echo -n "Reload service AUDITD "
        ## if it supports it:
        killproc -HUP $AUDITD_BIN
        #touch /var/run/auditd.pid
        rc_status -v

        ## Otherwise:
        #$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)

        # If it supports signaling:
        echo -n "Reload service auditd "
        killproc -HUP $AUDITD_BIN
        #touch /var/run/auditd.pid
        rc_status -v
       
        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service auditd "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
       
        # NOTE: checkproc returns LSB compliant status values.
        checkproc $AUDITD_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test /etc/auditd.conf -nt /var/run/auditd.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

quanta, from what I read in the auditd init script, it shows that it only reads from /etc/audit.conf (correct me if I'm wrong), so is there something else I need to do? Please advise.
Thanks a lot

quanta 10-26-2010 09:50 AM

I'm not familiar with openSUSE but your problem is quite strange to me. I suggest you open up 2 consoles: in the first, start auditd in the foreground with `auditd -f -l`, and in the second run the ausearch command to see what happens. Paste the full command you use and the output you get here.

b-RAM 10-26-2010 08:40 PM

quanta, thanks for your reply. I must first add rules as instructed in your previous post (/etc/auditd.conf), isn't it? After that I run ausearch based on the rules I added in /etc/auditd.conf.
Because based on the tutorial I got from http://www.cyberciti.biz/tips/linux-...to-a-file.html, it just says to run auditctl first, and after that I can try ausearch based on what I watch with auditctl.
Please correct me if I'm wrong,

Thanks a lot.

quanta 10-26-2010 09:39 PM

Quote:

Originally Posted by b-RAM (Post 4140383)
quanta, thanks for your reply. I must first add rules as instructed in your previous post (/etc/auditd.conf), isn't it? After that I run ausearch based on the rules I added in /etc/auditd.conf.

No no. auditd.conf is a configuration file.
Quote:

Originally Posted by b-RAM (Post 4140383)
Because based on the tutorial I got from http://www.cyberciti.biz/tips/linux-...to-a-file.html, it just says to run auditctl first, and after that I can try ausearch based on what I watch with auditctl.
Please correct me if I'm wrong,

There are 2 ways to add the audit rules:

- The first is running auditctl from the command line. But these rules will disappear when auditd is restarted unless you set AUDITD_CLEAN_STOP="no" in /etc/sysconfig/auditd (on my CentOS; I don't know the corresponding file on openSUSE).

- The second is adding them to audit.rules (in this case, it is in /etc), something like this:
Code:

-a exit,always -F path=/etc/my.cnf -F perm=wa -k /etc/my.cnf.auditd
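Once a watch is in place by either route above, the question from the opening post, who deleted a file, is answered from the audit records rather than from inotify: each SYSCALL record carries uid and auid (the login uid, which is kept across su/sudo), and the PATH records of the same event name the entries touched. The script below is an added example, not code from this thread; the log lines it parses are constructed to resemble raw audit.log records tagged with the key home-file, and the syscall-number table is assumed to be x86_64 (arch=c000003e), since numbers differ per architecture.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records (not output from any real host).
# Every record of one event carries the same msg=audit(<timestamp>:<serial>) id.
# Event 200 is the CONFIG_CHANGE record auditctl logs when the rule is added.
# Event 201: root (uid=0) removes test.txt, but auid=1000 shows who logged in.
# Event 202: uid 1001 opens notes.txt with vim.
SAMPLE_AUDIT_LOG = """\
type=CONFIG_CHANGE msg=audit(1288123400.000:200): auid=0 ses=1 op="add rule" key="home-file" list=4 res=1
type=SYSCALL msg=audit(1288123456.789:201): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1 a1=0 a2=0 a3=0 items=2 ppid=3001 pid=3002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="rm" exe="/bin/rm" key="home-file"
type=CWD msg=audit(1288123456.789:201):  cwd="/home/test"
type=PATH msg=audit(1288123456.789:201): item=0 name="/home/test/" inode=1234 dev=08:01 mode=040755 ouid=1000 ogid=100 rdev=00:00
type=PATH msg=audit(1288123456.789:201): item=1 name="/home/test/test.txt" inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=100 rdev=00:00
type=SYSCALL msg=audit(1288123460.012:202): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2 a1=241 a2=1b6 a3=0 items=2 ppid=3001 pid=3005 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts2 ses=4 comm="vim" exe="/usr/bin/vim" key="home-file"
type=CWD msg=audit(1288123460.012:202):  cwd="/home/test"
type=PATH msg=audit(1288123460.012:202): item=0 name="/home/test/" inode=1234 dev=08:01 mode=040755 ouid=1000 ogid=100 rdev=00:00
type=PATH msg=audit(1288123460.012:202): item=1 name="/home/test/notes.txt" inode=1240 dev=08:01 mode=0100644 ouid=1001 ogid=100 rdev=00:00
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Assumption: x86_64 numbering (arch=c000003e). Other architectures differ.
X86_64_SYSCALLS = {
    2: "open", 82: "rename", 83: "mkdir", 84: "rmdir", 85: "creat", 86: "link",
    87: "unlink", 90: "chmod", 92: "chown", 257: "openat", 263: "unlinkat", 264: "renameat",
}
DELETE_CALLS = {"unlink", "unlinkat", "rmdir"}


def parse_records(text):
    """Group raw audit records by their (timestamp, serial) event id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("body"))}
        fields["type"] = m.group("type")
        events[(m.group("ts"), int(m.group("serial")))].append(fields)
    return events


def summarize(events, key):
    """One dict per SYSCALL event tagged with `key`: who, which call, which paths."""
    out = []
    for (ts, serial), records in sorted(events.items()):
        sc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue  # CONFIG_CHANGE and other non-syscall events are skipped
        num = int(sc["syscall"])
        name = X86_64_SYSCALLS.get(num, f"syscall#{num}") if sc.get("arch") == "c000003e" else f"syscall#{num}"
        out.append({
            "serial": serial,
            "time": float(ts),
            "auid": int(sc["auid"]),  # login uid: kept across su/sudo, unlike uid
            "uid": int(sc["uid"]),
            "syscall": name,
            "exe": sc.get("exe"),
            "success": sc.get("success") == "yes",
            "paths": [r["name"] for r in records if r["type"] == "PATH" and "name" in r],
        })
    return out


def deletions(summary):
    """(auid, path) for each successful removal; the removed entry is the last PATH item."""
    return [(e["auid"], e["paths"][-1]) for e in summary
            if e["syscall"] in DELETE_CALLS and e["success"] and e["paths"]]


if __name__ == "__main__":
    found = summarize(parse_records(SAMPLE_AUDIT_LOG), "home-file")
    for e in found:
        print(f"{e['serial']}: auid={e['auid']} uid={e['uid']} {e['syscall']} via {e['exe']} -> {e['paths'][-1]}")
    for auid, path in deletions(found):
        print(f"{path} was deleted by login uid {auid}")
```

On the box itself, `ausearch -k home-file -i` performs the same grouping with uids and syscall numbers already resolved to names; parsing the raw records by hand is mainly useful when the log has been shipped to another host. The detail worth noticing in the constructed sample is event 201: uid is 0 because the removal ran as root, but auid still points at the user who logged in, which is the field to look at when deciding who did it.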

b-RAM 10-26-2010 09:52 PM

Thanks quanta, I've tried this command:
Code:

auditctl -w /home/test/test.txt -k /home/test/test-shadow -p rwxa
After I enter the command above, I don't get any error,
and then I type:
Code:

ausearch -i -f /home/test/test.txt
It gives the error/warning "config file /etc/audit/auditd.conf doesn't exists, skipping"
<no matches>

Sorry for bothering you, but it's kind of weird: when I read the file /etc/init.d/auditd it should read /etc/auditd.conf, or there's something missing in auditd.conf.

Thanks a lot

quanta 10-27-2010 02:26 AM

ps -ef | grep auditd?

Try to make a symlink and run the ausearch command again to see what happens:
Code:

mkdir /etc/audit
ln -s /etc/auditd.conf /etc/audit/


b-RAM 10-29-2010 04:58 AM

Thanks quanta, that works.
I've been trying to do some tests.

Thanks a lot.
