How to audit and find who did what with files (external applications included)
So I have a server that recently had some files missing (not a problem, we have backups and restores are accurate up to a couple hours after modification). But I've been tasked with figuring out who did it.
First thought in my mind would be the owner of said files, or a user in the same group that file belongs to. So, correct me if I'm wrong, but if a file belongs to user1.group1, only user1 or a user that belongs to group1 can make changes to the file or the directory with those permissions; correct? (excluding root and sudo users (me)) Secondly, I have turned on verbose SSH logging as well as file auditing on the directories where things seem to keep going missing. I thought file auditing would catch the person, but it apparently only logs actions that take place directly on the server in a terminal. So anything that gets modified by an external program doesn't get logged. I thought OpenSSH verbose logging would catch other programs that make modifications to files and directories (a user accessing a directory via WinSCP) but no luck. Tell me where I'm going wrong, and what I can do to fix it. Please.
Removing or renaming files depends on write permission to the directory not the file.
If you enabled auditing after the files disappeared you won't see what happened (unless it happens again). But it should report everything it's configured to from boot up to shutdown. Alterations made while booted from a live CD wouldn't show.
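To illustrate the point about directory write permission, here is an added Python example that is not part of the thread. It builds a throwaway directory tree and attempts two removals: a file with mode 000 inside a directory we can write to, and a mode 666 file inside a directory without the write bit. As a regular user the first succeeds and the second is denied, because unlink checks the directory, not the file; root (CAP_DAC_OVERRIDE) removes both, which the helper reports so the result can be interpreted either way.

```python
import os
import tempfile


def running_as_root():
    """Root (CAP_DAC_OVERRIDE) bypasses mode bits, so the second case differs."""
    return os.geteuid() == 0


def _try_unlink(path):
    try:
        os.unlink(path)
        return "removed"
    except PermissionError:
        return "denied"


def unlink_experiment():
    """Attempt two removals inside a throwaway tree and report the outcome of each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # Case A: a file with no permission bits at all, in a directory we can write.
        writable_dir = os.path.join(base, "writable")
        os.mkdir(writable_dir)
        locked_file = os.path.join(writable_dir, "locked.csv")
        open(locked_file, "w").close()
        os.chmod(locked_file, 0o000)
        results["mode_000_file_in_writable_dir"] = _try_unlink(locked_file)

        # Case B: a world-writable file in a directory without the write bit.
        readonly_dir = os.path.join(base, "readonly")
        os.mkdir(readonly_dir)
        open_file = os.path.join(readonly_dir, "open.csv")
        open(open_file, "w").close()
        os.chmod(open_file, 0o666)
        os.chmod(readonly_dir, 0o555)
        try:
            results["mode_666_file_in_readonly_dir"] = _try_unlink(open_file)
        finally:
            os.chmod(readonly_dir, 0o755)  # let TemporaryDirectory clean up
    return results


if __name__ == "__main__":
    for case, outcome in unlink_experiment().items():
        print(f"{case}: {outcome}")
```

The practical consequence for the original question: the list of suspects is everyone with write permission on the directory (plus root), regardless of who owns the individual files.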
OK, so my first assumption is right and it had to be someone who has access to that directory. As for the auditing, I do realize that I won't see what happened the first time since I missed it, but the two times after that I still haven't seen what happened, or I'm not looking over the ausearch properly.
For example, the files exist in /data/log/reports but I've set up auditing at the level /data/. When I view the audit logs I can see stuff happening in /data and in /data/log/ and in /data/log/exitfiles, but for some reason I'm not seeing anything that happened in /data/log/reports. If the directory reports was deleted or moved, wouldn't I see an audit log of that action taking place?
I guess you should show exactly how you're auditing.
OK, first, here is the guide I followed: Cybercity guide on file auditing.
Next, here is the key I set specific to my situation (there are others but nothing has been missing from there):
Code:
LIST_RULES: exit,always dir=/data/dl/reports (0xe) perm=rwxa key=reports-file
You can do an ausearch for my key and see everything that has happened in the reports folder and below. But for some reason, I never seem to have information on files that go missing.
Could you please attach or post the complete contents of your /etc/audit/audit.rules?
What you wrote amounts to using
Code:
auditctl -a exit,always -S close -S write -S truncate -S ftruncate -S unlink -S unlinkat -F dir=/tmp -k WATCH_this_too
If we take for example the "/data/dl/reports" directory, what can you tell us about the files it contains and how they get there? Are they dynamically generated files? Or maybe FTPed there? Are they constantly kept open by a writing process? Are they not plain text but for example database tables? Please share anything else we might want to know.
*Unless you are forced to solve this using the audit service, another approach you may want to try is using inotify(wait) watching for the modify, close_write, moved_from, delete, delete_self events.
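As an added example (not from the thread and not part of either poster's setup), here is a small Python parser that answers the "who did what" question from the records a key such as reports-file matches. auditd writes one raw record per line, and all records of one event share the serial number inside msg=audit(seconds:serial). The SYSCALL record carries auid (the login uid, which survives su and sudo), uid (what the process ran as) and comm/exe; a PATH record with nametype=DELETE names the entry that an unlink or rename took out of the directory. Because the kernel records the syscall regardless of which program made it, a removal done through WinSCP shows up as a syscall by sftp-server with the user's auid, which is what the constructed second event below shows. The log lines are made up for the example, and the syscall numbers assume x86_64 (arch=c000003e).

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records (not real log data). Format follows auditd's
# raw audit.log: one record per line; records of the same event share the
# serial number in msg=audit(<seconds>:<serial>).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1362000000.123:4501): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2001 pid=2002 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="rm" exe="/bin/rm" key="reports-file"
type=CWD msg=audit(1362000000.123:4501): cwd="/data/dl/reports"
type=PATH msg=audit(1362000000.123:4501): item=0 name="/data/dl/reports" inode=131 dev=08:02 mode=040775 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1362000000.123:4501): item=1 name="report_march.csv" inode=1337 dev=08:02 mode=0100664 ouid=1002 ogid=1001 nametype=DELETE
type=SYSCALL msg=audit(1362003600.456:4622): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=3100 pid=3105 auid=1002 uid=1002 gid=1001 euid=1002 tty=(none) ses=9 comm="sftp-server" exe="/usr/libexec/openssh/sftp-server" key="reports-file"
type=CWD msg=audit(1362003600.456:4622): cwd="/"
type=PATH msg=audit(1362003600.456:4622): item=0 name="/data/dl/reports/" inode=131 dev=08:02 mode=040775 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1362003600.456:4622): item=1 name="/data/dl/reports/report_april.csv" inode=1338 dev=08:02 mode=0100664 ouid=1002 ogid=1001 nametype=DELETE
type=SYSCALL msg=audit(1362007200.789:4700): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2001 pid=2010 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key="reports-file"
type=CWD msg=audit(1362007200.789:4700): cwd="/data/dl/reports"
type=PATH msg=audit(1362007200.789:4700): item=0 name="report_may.csv" inode=1339 dev=08:02 mode=0100664 ouid=1002 ogid=1001 nametype=NORMAL
"""

# Syscalls that make a name disappear from a directory (x86_64 numbers).
REMOVAL_SYSCALLS = {87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat", 316: "renameat2"}

_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group raw audit records by event serial; each record becomes a dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = _HEADER.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        rtype, seconds, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
        fields["_type"] = rtype
        fields["_time"] = float(seconds)
        events[int(serial)].append(fields)
    return events


def find_removals(text):
    """Return one dict per file name removed by a successful unlink/rename."""
    removals = []
    for serial, recs in sorted(parse_events(text).items()):
        sysc = next((r for r in recs if r["_type"] == "SYSCALL"), None)
        if sysc is None or sysc.get("success") != "yes":
            continue
        name = REMOVAL_SYSCALLS.get(int(sysc.get("syscall", -1)))
        if name is None:
            continue  # reads, writes, opens: not a removal
        cwd = next((r["cwd"] for r in recs if r["_type"] == "CWD"), "/")
        # Relative names in PATH records resolve against the PARENT item
        # (rename events carry one per directory; this simple example uses the first).
        parent = next((r["name"] for r in recs
                       if r["_type"] == "PATH" and r.get("nametype") == "PARENT"), cwd)
        for r in recs:
            if r["_type"] != "PATH" or r.get("nametype") != "DELETE":
                continue
            path = r["name"] if r["name"].startswith("/") else posixpath.join(parent, r["name"])
            removals.append({
                "serial": serial,
                "time": sysc["_time"],
                "login_uid": sysc.get("auid"),   # who logged in, even after su/sudo
                "uid": sysc.get("uid"),          # uid the process ran as
                "comm": sysc.get("comm"),
                "exe": sysc.get("exe"),
                "syscall": name,
                "path": posixpath.normpath(path),
                "owner_uid": r.get("ouid"),      # owner of the removed file
            })
    return removals


if __name__ == "__main__":
    for ev in find_removals(SAMPLE_AUDIT_LOG):
        print(f"{ev['time']:.0f} serial={ev['serial']} login_uid={ev['login_uid']} "
              f"uid={ev['uid']} {ev['comm']} ({ev['exe']}) {ev['syscall']} {ev['path']}")
```

To feed it real data, pipe the raw records for the key into it, for example from `ausearch -k reports-file --raw`, and resolve the numeric auid with `getent passwd`. The third sample event (a plain read with syscall 2, open) is deliberately included and skipped, because a watch with perm=rwxa logs far more than removals and the deletions are easy to miss among the reads.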
The files in the reports directory are all .csv files generated by an Oracle application and then modified by a human. They aren't always kept open.
How would I use inotify?
Code:
inotifywait -m -e modify -e close_write -e moved_from -e delete -e delete_self -r /data/dl
Thanks,
I went over the man page and made some tweaks, and I'm adding inotify to the logging options. Maybe I'll see something this time.
NP. Let us know if it doesn't, OK?