Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I already installed/set up Tripwire, and it was working fine, but I need to know who (user ID) made the changes (modified, deleted...) to files. From the report I can't see any user ID that changed/deleted my monitored file, even though I set the report level to 4.
*I follow the default Tripwire settings.
*Is it possible to log who made the changes?
As far as I'm aware, Open Source Tripwire cannot be run in a way that would facilitate this, and neither does it include any functionality that could detect who deletes a file. To detect this you would need to log system calls and privilege elevation. Inotify-based tools log the effect of system calls (events) but require watches to do that (plus you can't insert watches at the top-level inode 2), and PAM-based systems log transitions to syslog. The audit service can provide both in a single log file, in more detail and with less manual configuration.
You need a distribution that implements SELinux and audit logging.
Tripwire cannot do that. It can examine paths and analyze contents (essentially generate checksums) to verify existence, ownership, access modes, and detect changes.
What you are asking for involves being able to audit and log filesystem events. Not all file removals work through the system calls (unlink); for instance, mkfs can remove everything... but that is a separate activity from file deletion, yet files are deleted. And unlink itself may be deceiving: a file doesn't get deleted until the last link is removed, and that may not be the one you want to catch (directory modification might be, and that is a different though related thing).
One problem with logging all system calls is that it can/will be a HUGE number of log entries. Even for file removal, all temporary files would be recorded, and what about truncation events? These delete the contents of files without using unlink. What about overwrites? These can replace the contents as well. So the scope of the logging has expanded...
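The two replies above point to the audit service as the place where "who deleted it" is actually recorded, and to unlink, truncate and rename as the events a checksum-based tool like Tripwire cannot attribute to a user. The script below is an added example (not posted by anyone in this thread and not Tripwire or auditd project code): it prints a narrow set of audit rules scoped to one directory, which keeps the volume down compared with logging every syscall, and then parses a constructed pair of audit.log records to pull out the login uid (auid, which survives su/sudo), the effective uid, the executable and the deleted path. The watched directory /srv/monitored, the key name monitored_rm and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit rules for deletions, truncations and
# renames under one directory, plus a parser for the resulting audit records.

WATCH_DIR="/srv/monitored"   # assumed path; the tree Tripwire was monitoring
KEY="monitored_rm"           # assumed audit key used to tag matching records

# Print the rules to load (for example from /etc/audit/rules.d/monitored.rules).
# The syscall rules with -F dir= catch unlink/rename/truncate on files under
# the tree; the -w watch additionally records writes and attribute changes.
audit_rules() {
  cat <<EOF
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,truncate,ftruncate -F dir=$WATCH_DIR -k $KEY
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,truncate,ftruncate -F dir=$WATCH_DIR -k $KEY
-w $WATCH_DIR -p wa -k $KEY
EOF
}

# Constructed sample: the SYSCALL and PATH records auditd writes for a single
# unlinkat() done by login user 1000 after escalating to root (uid=0).
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5637c0a2b3c0 a2=0 a3=0 items=2 ppid=2100 pid=2150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="rm" exe="/usr/bin/rm" key="monitored_rm"
type=PATH msg=audit(1700000000.123:4242): item=1 name="/srv/monitored/secret.txt" inode=131094 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE'

# Read audit records on stdin and print one line per deletion event:
# "<event id> auid=<login uid> uid=<effective uid> exe=<program> deleted=<path>".
# auid is the answer to "who", even when the deletion was done as root.
who_deleted() {
  awk '
    # Extract the value of " key=value" from the current record, quotes removed.
    function field(k,  m) {
      if (match($0, " " k "=[^ ]+")) {
        m = substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
        gsub(/"/, "", m)
        return m
      }
      return ""
    }
    # Every record carries audit(<time>:<serial>); records of one event share it.
    {
      match($0, /audit\([0-9.]+:[0-9]+\)/)
      id = substr($0, RSTART, RLENGTH)
    }
    /^type=SYSCALL/ { auid[id] = field("auid"); uid[id] = field("uid"); exe[id] = field("exe") }
    /^type=PATH/ && /nametype=DELETE/ { path[id] = field("name") }
    END {
      for (id in path)
        printf "%s auid=%s uid=%s exe=%s deleted=%s\n", id, auid[id], uid[id], exe[id], path[id]
    }
  '
}

# Stand-alone run: show the rules, then attribute the sample deletion.
audit_rules
printf '%s\n' "$SAMPLE_LOG" | who_deleted
```

On a live system the same attribution comes from `ausearch -k monitored_rm -i`, which resolves auid to a user name; the parser here only exists so the record layout (SYSCALL record for the actor, PATH record with nametype=DELETE for the victim file) is visible offline. Scoping the syscall rules with -F dir= is what keeps this from becoming the "full logging" volume problem described above.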
It goes hand in hand. SELinux sets up a lot of trap points... which are also audit points.
Full logging is unreasonable - it generates so much data that it is impractical to actually go through it. But narrowing it down is possible.
In addition, you can define security labels that can be used for both auditing (as in they permit anything, but allow audit entries) as well as being able to block what you really don't want happening.