I need a way with RedHat 7.3, 7.3, and 8.0 to track file access attempts to unauthorized files. For example, someone other than root tries to modify the shadow file. I would like to know who, and when the attempt was made.
IMSNHO the first question should always be "what are you trying to do?".
- If the shadow files have the proper rights then no other user account should be able to modify /etc/shadow.
- Auditing access to system files is no substitute for proper system hardening which should be a first priority.
If you want to log access attempts, then a wrapper like Jlightner suggested won't work in all situations (like he mentioned). What you need is a few things:
- A host that is hardened in general. Without that basis all other efforts are a waste of time. Please check out the LQ FAQ: Security references.
- A way to deny processes access to files and to log access. In kernel 2.6.x you would have SELinux (or GRSecurity, but you can't have both at the same time); 2.4.x can only use the GRSecurity kernel patch.
- A way to allow "trusted" users to perform root account tasks. I'd opt for Sudo + Rootsh + noexec. Sudo allows you to authorise people to perform root account tasks, Rootsh logs the whole shell session, and noexec will allow for instance a vi session to be opened, but without allowing access to subshells. (This clearly is not enough if you also want to protect the system against fsck ups: then you would need a wrapper that for instance copies out a conf file from CVS, lets the user change it, and then diffs and inspects the changes before committing. Though if you're at that point you probably shouldn't hand out sudo access anyway.)
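To make the Sudo + Rootsh + noexec combination above concrete, here is a constructed sudoers fragment. It is an added example, not something posted in the thread: the group name "sysadm" and the binary paths are assumptions, and the NOEXEC tag needs a sudo build with noexec support.

```text
# Constructed sudoers fragment (added example, not from the thread).
# Group "sysadm" and the paths /usr/local/bin/rootsh and /usr/bin/vi are assumptions.

# Full root shell, but wrapped by rootsh so the whole session is logged.
# Do NOT tag this line NOEXEC: rootsh itself has to exec the shell it logs.
%sysadm ALL=(root) /usr/local/bin/rootsh

# Editing one file with vi; NOEXEC uses sudo's noexec wrapper so vi cannot
# spawn a subshell (:!sh) or exec other programs from inside the editor.
%sysadm ALL=(root) NOEXEC: /usr/bin/vi /etc/hosts
```

Check the fragment with `visudo -c` before installing it; a syntax error in sudoers locks everyone out of sudo at once.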
You can use "samhain" for example. It will tell you when a file has been accessed.
AFAIK Samhain will detect changes made to a file, just like Aide or even sha1sum would, but that is a passive check. If you want to deny access you will have to resort to blocking *before* the file is opened. This means you've gotta intercept the syscall.
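To show what the "passive check" above actually does, here is an added example (not code from the thread or from Samhain/Aide): a minimal baseline-and-compare integrity check built on sha1sum. File names and the baseline path are constructed for the demonstration. It reports that a file changed or vanished after the fact; it does not record who touched it, and it cannot stop the write, which is exactly the gap the reply points out.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal passive integrity check in the
# style of Aide or a plain sha1sum list. Detects changes after the fact only.

# baseline_create BASELINE FILE...  -> writes "hash  path" lines to BASELINE
baseline_create() {
    baseline=$1
    shift
    sha1sum "$@" > "$baseline"
}

# baseline_check BASELINE  -> returns 0 if every listed file still matches,
# 1 otherwise; prints the paths that changed or went missing
baseline_check() {
    baseline=$1
    status=0
    while read -r hash path; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            status=1
            continue
        fi
        current=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$current" != "$hash" ]; then
            echo "CHANGED: $path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Demonstration on constructed files in a temporary directory (assumption:
# mktemp and sha1sum are available, as on any GNU coreutils system).
demo_dir=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/sh\n' > "$demo_dir/passwd"
printf 'root:*:0:0:99999:7:::\n' > "$demo_dir/shadow"
baseline_create "$demo_dir/baseline.sha1" "$demo_dir/passwd" "$demo_dir/shadow"
baseline_check "$demo_dir/baseline.sha1" && echo "clean"
# Simulate an unauthorised change: append an account to the fake shadow file
printf 'evil::0:0:99999:7:::\n' >> "$demo_dir/shadow"
baseline_check "$demo_dir/baseline.sha1" || echo "integrity violation detected"
rm -rf "$demo_dir"
```

Run it from cron against the real /etc/passwd and /etc/shadow and keep the baseline somewhere the checked users cannot write (read-only media, or a remote host), otherwise an attacker who can change the file can also update the baseline.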