[SOLVED] How to audit and find who did what with files (external applications included
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
How to audit and find who did what with files (external applications included
So I have a server, that recently, had some files missing (not a problem we have back ups and restores are accurate up to a couple hours after modification). But I've been tasked with figuring out who did it.
First thought in my mind would be the owner of said files, or a user in the same group that file belongs to. So, correct me if I'm wrong, but if a file belongs to user1.group1 only user1 or a user that belongs to group1 can make changes to the file or the directory with those permissions; correct? (excluding root and sudo users(me))
Secondly, I have turned on verbose ssh logging as well as file auditing on the directories were things seem to keep going missing. I thought file auditing would catch the person but it apparently only logs actions that take place directly on the server in a terminal. So anything that gets modified by an external program doesn't get logged. I thought openssh verbose logging would catch other programs that make modifications to files and directories (a user accessing a directory via WinScp) but no luck.
Tell me where I'm going wrong, and what I can do to fix it. Please.
Removing or renaming files depends on write permission to the directory not the file.
If you enabled auditing after the files disappeared you won't see what happened (unless it happens again). But it should report everything it's configured to from boot up to shutdown. Alterations made while booted from a live CD wouldn't show.
OK so my first assumption is right and that it had to be someone who has access to that directory. As for the auditing I do realize that I won't see what happened the first time since I missed it, but the two times after that I still haven't seen what happened or I'm not looking over the ausearch properly.
For example the files exist in /data/log/reports but I've set up auditing at the level /data/ When I view the audit logs I can see stuff happening in /data and in /data/log/ and in /data/log/exitfiles but for some reason i'm not seeing anything that happened in /data/log/reports. If the directory reports was deleted or moved wouldn't I see an audit log of that action taking place?
Similar to 'iptables-save' vs 'cat /etc/sysconfig/iptables' this only means you have rules actively loaded that aren't committed (yet): 'auditctl -l' vs 'cat /etc/audit/audit.rules' really. So if you could please post full 'auditctl -l' output?
auditctl -a exit,always -S close -S write -S truncate -S ftruncate -S unlink -S unlinkat -F dir=/tmp -k WATCH_this_too
(to some extent because the above won't catch WRITE or CLOSE_WRITE) and your rules looks OK to me. No idea why it won't log.
If we take for example the "/data/dl/reports" directory, what can you tell us about the files it contains and how they get there? Are they dynamically generated files? Or maybe FTPed there? Are they constantly kept open by a writing process? Are they not plain text but for example database tables? Please share anything else we might want to know.
*Unless you are forced to solve this using the audit service another approach you may want to try is using inotify(wait) watching for the modify, close_write, moved_from, delete, delete_self events.