Need to audit created files and deleted files

jholp · 09-01-2010, 04:29 PM

I have a request for auditing on passive "listening" machines. The customer wants to audit file creation and deletion.

-a exit, always -S mkdir -S rmdir

Should work for directories

But how would one gracefully audit the creation and deletion of files ?
I asume it would be system call when one does a touch, vi, etc. for creating.

I assume they would want the UID of the person that did the creating and deleting, along with year, month, date, hour, minute, second.

Any ideas?

Thanks,

John

unSpawn · 09-01-2010, 05:41 PM

Quote:

Originally Posted by jholp

I have a request for auditing on passive "listening" machines.

Sounds intriguing but I wonder if it has anything to do with /etc/audit/audit.rules?..

Quote:

Originally Posted by jholp

But how would one gracefully audit the creation and deletion of files ?

From readlink -f /lib/modules/$(uname -r)/build)/include/asm-i386/unistd.h see creat, open, unlink?

Quote:

Originally Posted by jholp

I assume they would want the UID of the person that did the creating and deleting, along with year, month, date, hour, minute, second.

Are you sure you want to assume things? Y'know.. ;-p Anyway, 'auditctl' your rules adding an appropriate key (making it easier to do 'ausearch --interpret --key') then watch your /var/log/audit/audit.log. UNIX Epoch, UID fields, they're all there. Also see 'aureport'.