LinuxQuestions.org
Old 01-27-2011, 10:28 AM   #1
wdominick
LQ Newbie
 
Registered: Jan 2011
Posts: 2

File create/modify/delete monitoring with user account


We are looking to monitor and log selected application file systems for file create/modify/delete changes, including the user account that changed/deleted the file, the file name, and the date and time of the event. Everything I have looked at does not seem to provide all of the information that we need.

Inotify seems to monitor modify/create/delete but does not seem to provide the user account.

Auditd seems to monitor modify/create/append with user account, but not deletes.

We need to provide this information to auditing for Sarbanes-Oxley compliance.

Any software products available or ideas would be greatly appreciated.

Thank you for your time.
 
Old 01-27-2011, 10:36 AM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux
Posts: 2,766
Blog Entries: 1

I thought 'auditd' watched for any modifications to files, including delete.
 
1 members found this post helpful.
Old 01-27-2011, 01:19 PM   #3
Nominal Animal
Senior Member
 
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3

Yes, auditd can monitor deletes, via the unlink and rmdir syscalls. (This does not include "deletes" via renaming.)

For a list of syscalls, see the syscalls man page (man syscalls). Unfortunately that list is not exhaustive, and does not contain the *at variants; you should be prepared to audit those too.

To monitor file and directory access, I'd audit these syscalls:
  • Opening or creating a file or directory:
    open, openat, creat, link, linkat, mkdir, mkdirat, mknod, mknodat, symlink, symlinkat
  • Deletion and renaming:
    ftruncate, ftruncate64, rename, renameat, rmdir, truncate, truncate64, unlink, unlinkat
  • Modifying file or directory ownership:
    chown, chown32, fchown, fchown32, fchownat, lchown, lchown32
  • Changing access mode or attributes:
    chmod, fchmod, fchmodat, fremovexattr, fsetxattr, lremovexattr, lsetxattr, removexattr, setxattr
  • Modifying timestamps:
    futimesat, utime, utimensat, utimes
  • Directory traversal:
    chdir, fchdir
This list should be complete. Do check, though. I'd also personally appreciate it if somebody notices some I'm not aware of.
Nominal Animal

Last edited by Nominal Animal; 03-21-2011 at 07:30 AM.
 
1 members found this post helpful.
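The post above describes which syscalls to audit; what the original poster actually needs out of the log is the user account, file name and timestamp per deletion. The following is an added example, not code from the thread or from the audit project, showing how the raw records auditd writes for an unlink and a rename can be correlated into that report. Everything in it is an assumption for illustration: the sample log lines are constructed (the directory /srv/app/data, the key name appfiles-delete and the audit rule quoted in the comment are not from the thread), and the syscall-number table covers only the x86_64 numbers for the deletion and rename calls the post names. The point worth noticing is that it reports auid (the login account, which survives su/sudo) alongside uid (the effective user at the time of the call), and that a rename shows up as a DELETE of the old name plus a CREATE of the new one, which is the "delete via renaming" case the post mentions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed x86_64 syscall numbers for the deletion/rename calls named in the post.
# The raw log carries the number; "ausearch -i" would resolve it to a name for you.
SYSCALL_NAMES = {82: "rename", 84: "rmdir", 87: "unlink", 263: "unlinkat", 264: "renameat"}

# Constructed sample of raw /var/log/audit/audit.log records (not real data): one rm and
# one mv under a directory watched by an assumed rule such as
#   -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F dir=/srv/app/data -k appfiles-delete
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1296135600.123:4567): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd1 a1=0 a2=0 a3=0 items=2 ppid=1234 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="appfiles-delete"
type=CWD msg=audit(1296135600.123:4567): cwd="/srv/app/data"
type=PATH msg=audit(1296135600.123:4567): item=0 name="/srv/app/data" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1296135600.123:4567): item=1 name="/srv/app/data/report.csv" inode=131090 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1296135660.500:4570): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd2 a1=7ffd3 a2=0 a3=0 items=4 ppid=1234 pid=2350 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="mv" exe="/bin/mv" key="appfiles-delete"
type=CWD msg=audit(1296135660.500:4570): cwd="/srv/app/data"
type=PATH msg=audit(1296135660.500:4570): item=0 name="/srv/app/data" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1296135660.500:4570): item=1 name="/srv/app/data/old" inode=131080 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1296135660.500:4570): item=2 name="/srv/app/data/ledger.xlsx" inode=131091 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1296135660.500:4570): item=3 name="/srv/app/data/old/ledger.xlsx" inode=131091 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
"""

# Every record starts with its type and the "audit(<epoch seconds>:<serial>)" stamp;
# all records belonging to one syscall share the same serial, which is how we join them.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(text):
    """Group SYSCALL and PATH records by serial number into one event each."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[m["serial"]]
        fields = parse_fields(m["body"])
        if m["type"] == "SYSCALL":
            secs = int(m["ts"].split(".")[0])
            ev["time"] = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            num = int(fields["syscall"])
            ev["syscall"] = SYSCALL_NAMES.get(num, f"syscall#{num}")
            ev["auid"] = fields["auid"]   # login account, kept across su/sudo
            ev["uid"] = fields["uid"]     # effective user when the call was made
            ev["key"] = fields.get("key", "")
            ev["success"] = fields.get("success") == "yes"
        elif m["type"] == "PATH":
            ev["paths"].append(fields)
    return events


def deletions(text):
    """One report row per successful event that removed a name (unlink, rmdir or rename)."""
    rows = []
    for ev in parse_events(text).values():
        if not ev.get("success"):
            continue
        removed = [p["name"] for p in ev["paths"] if p.get("nametype") == "DELETE"]
        created = [p["name"] for p in ev["paths"] if p.get("nametype") == "CREATE"]
        for path in removed:
            rows.append({
                "time": ev["time"], "auid": ev["auid"], "uid": ev["uid"],
                "syscall": ev["syscall"], "path": path,
                # for a rename the old name is DELETEd and the new name CREATEd
                "renamed_to": created[0] if created else None,
                "key": ev["key"],
            })
    return rows


if __name__ == "__main__":
    for row in deletions(SAMPLE_LOG):
        print(row)
```

To run this against a live system you would feed it the output of ausearch -k appfiles-delete --raw (or the audit.log file itself) instead of SAMPLE_LOG; rule syntax and key names are whatever you chose when loading the rules with auditctl or in /etc/audit/audit.rules.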
Old 01-27-2011, 03:11 PM   #4
wdominick
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you

Thank you very much for your time and the responses. This will give us what we are looking for.

Thanks again,
Walt
 
All times are GMT -5. The time now is 12:42 AM.