Old 10-25-2010, 10:00 PM   #1
b-RAM
How to know if some users modify/delete/create files/directories in linux?


Guys, I've been wondering how I can know if some users create/modify/delete a file/directory in Linux. I've been using pyinotify in a Python script.
This script is like the example from the manual:
Code:
#!/usr/bin/python
import pyinotify, os, time
from stat import ST_UID
wm = pyinotify.WatchManager()
mask = pyinotify.IN_CREATE | pyinotify.IN_DELETE
class HandleEvent(pyinotify.ProcessEvent):
    def process_IN_CREATE(self, event):
        # the new path still exists, so os.stat gives the owner uid of the created file
        print "create: ", event.pathname, os.stat(event.pathname)[ST_UID], time.asctime()
    def process_IN_DELETE(self, event):
        # the path is already gone, so there is nothing left to stat here
        print "delete: ", event.pathname, time.asctime()
p = HandleEvent()
notifier = pyinotify.Notifier(wm, p)
wmm = wm.add_watch("/home", mask, rec=True)
notifier.loop()
Like the code above, I just added os.stat to know who (uid) created the file/directory, but I don't know how to add who deleted the files. Is there any advice about this issue?
And I've been trying to use auditctl but got confused about using it.
When I use:
Code:
auditctl -w /etc/home -p war -k home-file
the output does not show any kind of error, so I try to type ausearch but it gives me the error "config file/etc/audit/auditd.conf doesn't exists, skipping".
From the first time I used this machine the audit daemon had been installed, so I just want to use it. Is it true that using audit, I will be monitoring the file and the users who accessed the file/dir?

Need advice please, thanks a lot.
 
Old 10-25-2010, 10:38 PM   #2
quanta
Quote:
Originally Posted by b-RAM View Post
And I've been trying to use auditctl but got confused about using it.
When I use:
Code:
auditctl -w /etc/home -p war -k home-file
the output does not show any kind of error, so I try to type ausearch but it gives me the error "config file/etc/audit/auditd.conf doesn't exists, skipping".
From the first time I used this machine the audit daemon had been installed, so I just want to use it. Is it true that using audit, I will be monitoring the file and the users who accessed the file/dir?
You can create it with the content below (default on my server):
Code:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
 
Old 10-25-2010, 10:50 PM   #3
b-RAM
Original Poster
Thanks for your reply quanta. Does it mean I must add the auditctl command to the file /etc/auditd.conf? What bothers me is that the file auditd.conf is in /etc/, not in /etc/audit/, because the audit directory itself does not exist in the system.

Sorry for disturbing your time,

Thanks a lot
 
Old 10-25-2010, 11:00 PM   #4
quanta
Which distro are you using? Please post your init script (/etc/init.d/auditd).
 
Old 10-25-2010, 11:17 PM   #5
b-RAM
Original Poster
The distro is openSUSE 10.2, and here's the auditd script in /etc/init.d:
Code:
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/auditd
#   and its symbolic link
# /(usr/)sbin/rcauditd
#
# Template system startup script for some example service/daemon auditd
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
# 
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your 
# script on this template and ensure that it works on non UL based LSB 
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides:          auditd
# Required-Start:    $syslog 
# Should-Start:
# Required-Stop:     $syslog 
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: auditd daemon providing core auditing services
# Description:       Starts the auditing subsystem.
### END INIT INFO
# 
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
AUDITD_BIN=/sbin/auditd
test -x $AUDITD_BIN || { echo "$AUDITD_BIN not installed"; 
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

# Check for existence of needed config file and read it
AUDITD_CONFIG=/etc/sysconfig/auditd
test -r $AUDITD_CONFIG || { echo "$AUDITD_CONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 6; fi; }

# Read config        
. $AUDITD_CONFIG

# Source LSB init functions
# providing start_daemon, killproc, pidofproc, 
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
#      rc_splash arg    sets the boot splash screen to arg (if active)
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0          - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
# 
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
        echo -n "Starting auditd "
        if [ "$AUDITD_DISABLE_CONTEXTS" == "yes" ] ; then 
                EXTRAOPTIONS="$EXTRAOPTIONS -n"
        fi
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc $AUDITD_BIN $EXTRAOPTIONS
        test -f /etc/audit.rules && /sbin/auditctl -R /etc/audit.rules >/dev/null

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down auditd "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.

        killproc -TERM $AUDITD_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.

        echo -n "Reload service AUDITD "
        ## if it supports it:
        killproc -HUP $AUDITD_BIN
        #touch /var/run/auditd.pid
        rc_status -v

        ## Otherwise:
        #$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)

        # If it supports signaling:
        echo -n "Reload service auditd "
        killproc -HUP $AUDITD_BIN
        #touch /var/run/auditd.pid
        rc_status -v
        
        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service auditd "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
        
        # NOTE: checkproc returns LSB compliant status values.
        checkproc $AUDITD_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test /etc/auditd.conf -nt /var/run/auditd.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
quanta, from what I read in the auditd init script, it shows that it only reads from /etc/audit.conf (correct me if I'm wrong), so is there something else I need to do? Please advise.
Thanks a lot
 
Old 10-26-2010, 10:50 AM   #6
quanta
I'm not familiar with openSUSE, but your problem is quite strange to me. I suggest you open up 2 consoles: in the first, start auditd in the foreground with `auditd -f -l`, and in the second run the ausearch command to see what happens. Paste the full command you use and the output you get here.
 
Old 10-26-2010, 09:40 PM   #7
b-RAM
Original Poster
quanta, thanks for your reply. I must first add rules like the instructions in your previous post (/etc/auditd.conf), isn't it? After that I run ausearch based on the rules I added in /etc/auditd.conf.
Because based on the tutorial I got from http://www.cyberciti.biz/tips/linux-...to-a-file.html, it just tells me to run auditctl first and after that I can try ausearch based on what auditctl watches.
Please correct me if I'm wrong,

Thanks a lot.
 
Old 10-26-2010, 10:39 PM   #8
quanta
Quote:
Originally Posted by b-RAM View Post
quanta, thanks for your reply. I must first add rules like the instructions in your previous post (/etc/auditd.conf), isn't it? After that I run ausearch based on the rules I added in /etc/auditd.conf.
No no. auditd.conf is a configuration file.
Quote:
Originally Posted by b-RAM View Post
Because based on the tutorial I got from http://www.cyberciti.biz/tips/linux-...to-a-file.html, it just tells me to run auditctl first and after that I can try ausearch based on what auditctl watches.
Please correct me if I'm wrong,
There are 2 ways to add the audit rules:

- The first is running auditctl from the command line. But these rules will disappear when auditd is restarted unless you set AUDITD_CLEAN_STOP="no" in /etc/sysconfig/auditd (on my CentOS; I don't know the correlative file on openSUSE).

- The second is adding them to audit.rules (in this case, it is in /etc), something like this:
Code:
-a exit,always -F path=/etc/my.cnf -F perm=wa -k /etc/my.cnf.auditd

Last edited by quanta; 10-26-2010 at 10:45 PM.
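Added example (not code from this thread or from the audit project): once a watch with a key such as the OP's `-k home-file` is in place, the answer to "who deleted the file", which inotify cannot give, comes from joining the SYSCALL and PATH records auditd writes for the same event serial. The log lines below are constructed in the RAW format of audit.log, and the syscall number table assumes an x86_64 host.

```python
import re
from collections import defaultdict

# Constructed sample records in the RAW format auditd writes to /var/log/audit/audit.log
# for a watch such as: auditctl -w /home/test/test.txt -p war -k home-file
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1288072800.101:42): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="home-file"
type=PATH msg=audit(1288072800.101:42): item=0 name="/home/test/" inode=1234 dev=08:01 mode=040755 ouid=1000 ogid=100 rdev=00:00
type=PATH msg=audit(1288072800.101:42): item=1 name="/home/test/test.txt" inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=100 rdev=00:00
type=SYSCALL msg=audit(1288072800.202:43): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3001 pid=3002 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts1 ses=2 comm="vim" exe="/usr/bin/vim" key="home-file"
type=PATH msg=audit(1288072800.202:43): item=0 name="/home/test/test.txt" inode=1236 dev=08:01 mode=0100644 ouid=1001 ogid=100 rdev=00:00
type=SYSCALL msg=audit(1288072800.303:44): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=4001 pid=4002 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=pts2 ses=3 comm="cat" exe="/bin/cat" key="other-key"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value or key="quoted value"
SERIAL_RE = re.compile(r'audit\([\d.]+:(\d+)\)')  # serial that ties one event's records together
# x86_64 syscall numbers for what a -p war watch reports (assumption: log from an x86_64 host)
SYSCALL_NAMES = {2: "open", 257: "openat", 82: "rename", 87: "unlink", 263: "unlinkat"}

def parse_record(line):
    """One RAW audit line -> dict of its fields, quotes stripped, plus the event serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(fields.get("msg", ""))
    fields["serial"] = int(m.group(1)) if m else None
    return fields

def events_for_key(log_text, key):
    """Join SYSCALL and PATH records by serial; return the events tagged with `key`."""
    events = defaultdict(lambda: {"paths": []})
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        if rec["serial"] is None:
            continue  # not an audit record we can tie to an event
        if rec.get("type") == "SYSCALL":
            events[rec["serial"]].update(rec)
        elif rec.get("type") == "PATH":
            events[rec["serial"]]["paths"].append(rec.get("name"))
    result = []
    for serial, ev in sorted(events.items()):
        if ev.get("key") != key:
            continue
        result.append({
            "serial": serial,
            "syscall": SYSCALL_NAMES.get(int(ev["syscall"]), ev["syscall"]),
            "auid": int(ev["auid"]),  # login uid: who logged in, unchanged by su/sudo
            "uid": int(ev["uid"]),    # uid the syscall ran as (0 here for the sudo'd rm)
            "comm": ev.get("comm"),
            "path": ev["paths"][-1] if ev["paths"] else None,  # last PATH item is the target
        })
    return result
```

The auid field is the one to report: in the first sample event the delete ran as root, but auid still names the account that logged in.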
 
Old 10-26-2010, 10:52 PM   #9
b-RAM
Original Poster
Thanks quanta, I've tried this command:
Code:
auditctl -w /home/test/test.txt -k /home/test/test-shadow -p rwxa
After I enter the command above, I don't get any error,
and then I type:
Code:
ausearch -i -f /home/test/test.txt
It gives the error/warning: config file /etc/audit/auditd.conf doesn't exists, skipping
<no matches>
Sorry for bothering you, but it is kinda weird: when I read the file /etc/init.d/auditd it should read /etc/auditd.conf, or there's something missing in auditd.conf.

Thanks a lot
 
Old 10-27-2010, 03:26 AM   #10
quanta
ps -ef | grep auditd?

Try to make a symlink and run the ausearch command again to see what happens:
Code:
mkdir /etc/audit
ln -s /etc/auditd.conf /etc/audit/
 
Old 10-29-2010, 05:58 AM   #11
b-RAM
Original Poster
Thanks quanta, that works.
I've been trying to do some tests.

Thanks a lot.
 
  

