LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  02-21-2013, 10:14 AM  mosiac (Member; Distribution: RHEL)
How to audit and find who did what with files (external applications included)


So I have a server that recently had some files missing (not a problem: we have backups, and restores are accurate up to a couple of hours after modification). But I've been tasked with figuring out who did it.

First thought in my mind would be the owner of said files, or a user in the same group that file belongs to. So, correct me if I'm wrong, but if a file belongs to user1.group1, only user1 or a user that belongs to group1 can make changes to the file or the directory with those permissions; correct? (Excluding root and sudo users (me).)

Secondly, I have turned on verbose SSH logging as well as file auditing on the directories where things seem to keep going missing. I thought file auditing would catch the person, but it apparently only logs actions that take place directly on the server in a terminal. So anything that gets modified by an external program doesn't get logged. I thought OpenSSH verbose logging would catch other programs that make modifications to files and directories (a user accessing a directory via WinSCP), but no luck.

Tell me where I'm going wrong, and what I can do to fix it. Please.
 
#2  02-21-2013, 11:05 AM  linosaurusroot (Member; Distribution: OpenSuSE, RHEL, OpenBSD)
Removing or renaming files depends on write permission to the directory not the file.

If you enabled auditing after the files disappeared you won't see what happened (unless it happens again). But it should report everything it's configured to from boot up to shutdown. Alterations made while booted from a live CD wouldn't show.
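The point in the reply above (removal and renaming are checked against the directory, not the file) is easy to verify. The following is an added example, not code from the thread: it creates a read-only file in a writable directory and a writable file in a read-only directory and reports which one the kernel lets you remove or rename. It assumes a POSIX filesystem and a non-root user; root (CAP_DAC_OVERRIDE) bypasses directory permission checks, and a directory with the sticky bit set (like /tmp) additionally restricts unlink to the file's owner, the directory's owner and root.

```python
"""Added example, not from the thread: unlink() and rename() are governed by
write (and search) permission on the parent directory, not by the mode of the
file itself. Assumes POSIX semantics; run as a non-root user."""
import os
import tempfile


def running_as_root():
    """Root bypasses directory permission checks, which changes the outcome."""
    return os.geteuid() == 0


def _make_file(directory, name="report.csv", mode=0o644):
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("constructed sample line\n")  # constructed content
    os.chmod(path, mode)
    return path


def _attempt(fn, *args):
    """Return True if the operation succeeds, False if the kernel refuses it."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def readonly_file_in_writable_dir():
    """0444 file in a 0700 directory: the file mode does not stop rm or mv."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    try:
        path = _make_file(d, mode=0o444)
        moved = os.path.join(d, "report.old")
        renamed = _attempt(os.rename, path, moved)
        deleted = _attempt(os.unlink, moved if renamed else path)
        return renamed and deleted
    finally:
        for leftover in os.listdir(d):
            os.unlink(os.path.join(d, leftover))
        os.rmdir(d)


def writable_file_in_readonly_dir():
    """0644 file in a 0555 directory: rm and mv are refused (unless root)."""
    d = tempfile.mkdtemp()
    try:
        path = _make_file(d, mode=0o644)
        os.chmod(d, 0o555)  # drop write permission on the directory only
        moved = os.path.join(d, "report.old")
        renamed = _attempt(os.rename, path, moved)
        deleted = _attempt(os.unlink, moved if renamed else path)
        return renamed or deleted
    finally:
        os.chmod(d, 0o700)
        for leftover in os.listdir(d):
            os.unlink(os.path.join(d, leftover))
        os.rmdir(d)


if __name__ == "__main__":
    print("0444 file in writable dir could be removed:", readonly_file_in_writable_dir())
    print("0644 file in read-only dir could be removed:", writable_file_in_readonly_dir())
```

The practical consequence for the thread: the list of suspects is everyone with write permission on /data/dl/reports (plus root and sudo users), whatever the modes on the individual .csv files say.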
 
#3  02-21-2013, 11:10 AM  mosiac (Original Poster)
OK, so my first assumption is right, and it had to be someone who has access to that directory. As for the auditing, I do realize that I won't see what happened the first time since I missed it, but the two times after that I still haven't seen what happened, or I'm not looking over the ausearch output properly.

For example, the files exist in /data/log/reports but I've set up auditing at the level /data/. When I view the audit logs I can see stuff happening in /data and in /data/log/ and in /data/log/exitfiles, but for some reason I'm not seeing anything that happened in /data/log/reports. If the directory reports was deleted or moved, wouldn't I see an audit log of that action taking place?
 
#4  02-22-2013, 01:08 AM  chrism01 (Guru; Sydney; Distribution: Centos 6.5, Centos 5.10)
I guess you should show exactly how you're auditing.
 
#5  02-22-2013, 07:46 AM  mosiac (Original Poster)
OK, first, here is the guide I followed: Cybercity guide on file auditing.

Next here is the key I set specific to my situation (there are others but nothing has been missing from there)

LIST_RULES: exit,always dir=/data/dl/reports (0xe) perm=rwxa key=reports-file

You can do an ausearch for my key and see everything that has happened in the reports folder and below. But for some reason I never seem to have information on files that go missing.
 
#6  02-22-2013, 08:38 AM  unSpawn (Moderator)
Could you please attach or post the complete contents of your /etc/audit/audit.rules?
 
#7  02-22-2013, 08:54 AM  mosiac (Original Poster)
Quote:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
Looks like I need some more rules, don't I?
 
#8  02-22-2013, 09:39 AM  unSpawn (Moderator)
Quote:
Originally Posted by mosiac View Post
Looks like I need some more rules don't I?
Similar to 'iptables-save' vs 'cat /etc/sysconfig/iptables', this only means you have rules actively loaded that aren't committed (yet): 'auditctl -l' vs 'cat /etc/audit/audit.rules', really. So could you please post the full 'auditctl -l' output?
 
#9  02-22-2013, 09:42 AM  mosiac (Original Poster)
Quote:
LIST_RULES: exit,always dir=/data/dl/reports (0xe) perm=rwxa key=reports-file
LIST_RULES: exit,always dir=/data/dl/finance (0xf) perm=rwxa key=Finance-file
LIST_RULES: exit,always dir=/data/dl/business (0xe) perm=rwxa key=business-file
LIST_RULES: exit,always dir=/data/dl/business2 (0xf) perm=rwxa key=business2-file
LIST_RULES: exit,always dir=/data/dl/hr (0xa) perm=rwxa key=hr-file
LIST_RULES: exit,always dir=/data/dl/payroll (0xf) perm=rwxa key=payroll-file
LIST_RULES: exit,always dir=/data/dl/staff (0xf) perm=rwxa key=staff-file
That's my full output from auditctl -l.
 
#10  02-22-2013, 11:03 AM  unSpawn (Moderator)
What you wrote amounts to using
Code:
auditctl -a exit,always -S close -S write -S truncate -S ftruncate -S unlink -S unlinkat -F dir=/tmp -k WATCH_this_too
(to some extent, because the above won't catch WRITE or CLOSE_WRITE) and your rules look OK to me. No idea why it won't log.

If we take for example the "/data/dl/reports" directory, what can you tell us about the files it contains and how they get there? Are they dynamically generated files? Or maybe FTPed there? Are they constantly kept open by a writing process? Are they not plain text but for example database tables? Please share anything else we might want to know.

*Unless you are forced to solve this using the audit service, another approach you may want to try is using inotify(wait), watching for the modify, close_write, moved_from, delete, delete_self events.
 
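When a rule such as the ones above does fire, the question "who did it" is answered by the auid field of the SYSCALL record, not by uid: auid is the login uid set at authentication and it survives su and sudo, so a deletion done as root still carries the login that became root. The audit subsystem records the system call regardless of which program issued it, so an unlink made by OpenSSH's sftp-server on behalf of a WinSCP session is logged just like one typed in a shell. The following is an added example, not code from the thread: it parses raw audit records (the format of /var/log/audit/audit.log and of 'ausearch --raw'), groups them by event serial and prints one attribution line per unlink or rename. The records in SAMPLE_LOG are constructed for the example; the field layout follows the audit.log format, but every value (pids, inodes, timestamps, uids) is made up, and the syscall number table is for x86_64 only.

```python
"""Added example, not from the thread: parse raw Linux audit records and
attribute each file deletion or rename to the login (auid) that did it.
SAMPLE_LOG is constructed; x86_64 syscall numbers are assumed."""
import re
from datetime import datetime, timezone

# x86_64 syscall numbers for the calls that make a file "go missing".
SYSCALL_NAMES = {87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat"}

# Constructed sample: an unlink by sftp-server (a WinSCP SFTP session) and a
# rename by a user who became root (auid=1003, uid=0), both under the rule
# 'dir=/data/dl/reports perm=rwxa key=reports-file'.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1361533080.412:9001): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1c2a9e40 a1=0 a2=0 a3=0 items=2 ppid=4120 pid=4133 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=12 comm="sftp-server" exe="/usr/libexec/openssh/sftp-server" key="reports-file"
type=CWD msg=audit(1361533080.412:9001):  cwd="/home/user1"
type=PATH msg=audit(1361533080.412:9001): item=0 name="/data/dl/reports/" inode=262145 dev=08:03 mode=040775 ouid=1001 ogid=1001 rdev=00:00
type=PATH msg=audit(1361533080.412:9001): item=1 name="/data/dl/reports/q4.csv" inode=262201 dev=08:03 mode=0100664 ouid=1002 ogid=1001 rdev=00:00
type=SYSCALL msg=audit(1361533140.007:9002): arch=c000003e syscall=82 success=yes exit=0 a0=7fff3a1b2c10 a1=7fff3a1b2c30 a2=0 a3=0 items=4 ppid=5000 pid=5001 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="mv" exe="/bin/mv" key="reports-file"
type=CWD msg=audit(1361533140.007:9002):  cwd="/data/dl"
type=PATH msg=audit(1361533140.007:9002): item=0 name="/data/dl/reports/" inode=262145 dev=08:03 mode=040775 ouid=1001 ogid=1001 rdev=00:00
type=PATH msg=audit(1361533140.007:9002): item=1 name="/tmp/" inode=2 dev=08:03 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1361533140.007:9002): item=2 name="/data/dl/reports/jan.csv" inode=262202 dev=08:03 mode=0100664 ouid=1002 ogid=1001 rdev=00:00
type=PATH msg=audit(1361533140.007:9002): item=3 name="/tmp/jan.csv" inode=262202 dev=08:03 mode=0100664 ouid=1002 ogid=1001 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_fields(line):
    """Split one record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_audit(text):
    """Group records by event serial; return one summary per SYSCALL event."""
    events = {}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "paths": []})
        f = parse_fields(line)
        if f.get("type") == "SYSCALL":
            ev.update(
                syscall=SYSCALL_NAMES.get(int(f["syscall"]), f["syscall"]),
                success=f.get("success") == "yes",
                auid=int(f["auid"]),  # login uid: survives su/sudo, this is "who"
                uid=int(f["uid"]),    # identity in effect when the call was made
                comm=f.get("comm"), exe=f.get("exe"), key=f.get("key"),
            )
        elif f.get("type") == "PATH" and f.get("name", "(null)") != "(null)":
            # Parent-directory items carry a directory mode (S_IFDIR); skip them
            # so only the file names remain, in item order.
            mode = int(f.get("mode", "0"), 8)
            if mode & 0o170000 != 0o040000:
                ev["paths"].append(f["name"])
    return [ev for ev in sorted(events.values(), key=lambda e: e["serial"])
            if "syscall" in ev]


def describe(ev):
    """One line per event: when, who (auid), as whom (uid), which program, what."""
    when = datetime.fromtimestamp(ev["time"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return (f'{when} auid={ev["auid"]} uid={ev["uid"]} comm={ev["comm"]} '
            f'{ev["syscall"]} {" -> ".join(ev["paths"])}')


if __name__ == "__main__":
    for event in parse_audit(SAMPLE_LOG):
        print(describe(event))
```

On a real host, `ausearch -k reports-file --raw` produces the input this expects; `ausearch -k reports-file -i` prints the same events with uids and syscall numbers already translated. If auid shows 4294967295 (unset), the session was started without pam_loginuid (a service, a cron job, or an SSH daemon lacking that PAM line) and the login cannot be recovered from that record.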
#11  02-22-2013, 12:12 PM  mosiac (Original Poster)
The files in the reports directory are all .csv files generated by an Oracle application and then modified by a human. They aren't always kept open.

How would I use inotify?
 
#12  02-23-2013, 06:54 AM  unSpawn (Moderator)
Quote:
Originally Posted by mosiac View Post
How would I use inotify?
Reading 'man inotifywait' should make you end up minimally with something like
Code:
inotifywait -m -e modify -e close_write -e moved_from -e delete -e delete_self -r /data/dl
 
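To show what the inotifywait line above actually receives from the kernel, here is an added example that is not part of the thread: a small watcher written against the raw inotify API through ctypes, selecting the same events (modify, close_write, moved_from, delete, delete_self) plus create, so that a file appearing is visible too. Like `inotifywait -r`, it adds one watch per directory, because inotify itself is not recursive. It assumes Linux with glibc (libc.so.6); the demo writes and deletes a file in a temporary directory of its own. Two caveats matter for the thread: inotify reports the file name and the event but never the uid or process, so it shows when and what but not who, and watches are lost on reboot and are not added for directories created after the watcher started.

```python
"""Added example, not from the thread: a minimal inotify watcher over the raw
Linux API (ctypes, glibc assumed) selecting the events the inotifywait line
above uses, plus IN_CREATE. inotify gives no uid: pair it with auditd for "who"."""
import ctypes
import os
import select
import struct
import tempfile

# Event flags from <sys/inotify.h>.
IN_MODIFY, IN_CLOSE_WRITE, IN_MOVED_FROM = 0x002, 0x008, 0x040
IN_CREATE, IN_DELETE, IN_DELETE_SELF = 0x100, 0x200, 0x400
IN_ISDIR = 0x40000000
FLAG_NAMES = {IN_MODIFY: "MODIFY", IN_CLOSE_WRITE: "CLOSE_WRITE",
              IN_MOVED_FROM: "MOVED_FROM", IN_CREATE: "CREATE",
              IN_DELETE: "DELETE", IN_DELETE_SELF: "DELETE_SELF"}
WATCH_MASK = (IN_MODIFY | IN_CLOSE_WRITE | IN_MOVED_FROM
              | IN_CREATE | IN_DELETE | IN_DELETE_SELF)

_libc = ctypes.CDLL("libc.so.6", use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
_EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len


class Watcher:
    def __init__(self):
        self.fd = _libc.inotify_init1(os.O_NONBLOCK)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self.dirs = {}  # watch descriptor -> directory path

    def watch(self, path):
        """Add one watch per directory under path (inotify is not recursive)."""
        for root, _subdirs, _files in os.walk(path):
            wd = _libc.inotify_add_watch(self.fd, root.encode(), WATCH_MASK)
            if wd < 0:
                raise OSError(ctypes.get_errno(), f"inotify_add_watch({root}) failed")
            self.dirs[wd] = root

    def poll(self, timeout=1.0):
        """Decode pending events into (directory, name, [flag names]) tuples."""
        events = []
        if not select.select([self.fd], [], [], timeout)[0]:
            return events
        buf = os.read(self.fd, 65536)  # the kernel returns whole events only
        off = 0
        while off < len(buf):
            wd, mask, _cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
            off += length  # name is NUL-padded to 'length' bytes
            flags = [n for bit, n in FLAG_NAMES.items() if mask & bit]
            if mask & IN_ISDIR:
                flags.append("ISDIR")
            events.append((self.dirs.get(wd, "?"), name, flags))
        return events

    def close(self):
        os.close(self.fd)


def demo():
    """Create, write and delete a file under a watched temp dir; return the events."""
    d = tempfile.mkdtemp()
    w = Watcher()
    w.watch(d)
    path = os.path.join(d, "q4.csv")
    with open(path, "w") as fh:
        fh.write("constructed sample line\n")  # constructed content
    os.unlink(path)
    seen = w.poll()
    w.close()
    os.rmdir(d)
    return seen


if __name__ == "__main__":
    for directory, name, flags in demo():
        print(directory, name, ",".join(flags))
```

For the directory in the thread, replace the temp dir with /data/dl and loop on `poll()`, logging each tuple with a timestamp; the sequence for a file written and then removed is CREATE, MODIFY, CLOSE_WRITE, DELETE, and MOVED_FROM marks a rename out of the watched tree.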
#13  02-25-2013, 08:28 AM  mosiac (Original Poster)
Thanks,

I went over the man page and made some tweaks and I'm adding inotify to the logging options. Maybe I'll see something this time.
 
#14  02-25-2013, 08:38 AM  unSpawn (Moderator)
NP. Let us know if it doesn't, OK?
 
All times are GMT -5. The time now is 02:37 AM.