System administrators often need to find out who changed a file, or which user performed a particular read or write operation. Linux audit logs answer this question. Since Linux kernel 2.6, the auditd daemon writes audit records to disk. At startup the daemon reads its audit rules from the file /etc/audit.rules. You can open this file and change the configuration to suit your requirements, but the default settings are enough for most system administrators.
How to Read Audit Logs in Linux
There are three commonly used utilities for reading audit logs in Linux.
- aureport – produces summary reports from the audit system logs
- ausearch – queries the audit logs using different search criteria (file, key, user, time, command) to pull out records for specific events
- auditctl – controls the kernel audit system. It lets you get its status, add or delete rules in the kernel audit system, and set a watch on a file.
Here is the command to install the audit package (use yum, or up2date on older Red Hat systems):
# yum install audit
or
# up2date install audit
Enable auditd to start automatically on boot, either interactively with ntsysv or directly with chkconfig:
# ntsysv
or
# chkconfig auditd on
Start the auditd service:
# /etc/init.d/auditd start
Let us say you want to track changes made to the /etc/passwd file. Here is the command to set a watch on this file.
# auditctl -w /etc/passwd -p war -k password-file
In the above command,
- -w /etc/passwd : create a watch on the file with the given path
- -p war : set the permissions filter for the file system watch. It can be any combination of r for read, w for write, x for execute and a for append.
- -k password-file : set a filter key on the /etc/passwd watch. The key is an identifier attached to every record generated by this watch, so you can use it to easily search the audit logs for records about /etc/passwd.
Here is a command that adds a watch on /etc/shadow with the filter key shadow-file and captures records for read, write, execute and append.
# auditctl -w /etc/shadow -k shadow-file -p rwxa
If you want to search the audit log to find out who changed or accessed the /etc/passwd file, use the ausearch command.
# ausearch -f /etc/passwd
or
# ausearch -f /etc/passwd | less
or
# ausearch -f /etc/passwd -i | less
In the above command,
- -f /etc/passwd : only search for records about this file
- -i : interpret numeric entities (uids, syscall numbers, timestamps) into text
Let us look at some commonly used examples.
Here is the command to search for records on a specific date, such as 3/12/22. You can also use keywords such as today to get today's records.
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file
Here is the command to search for records by the command used (e.g. rm) to access the /etc/passwd file.
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm
You can also search for an event by the UID of the user who accessed the file.
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
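The ausearch queries above are the normal way to answer "who touched /etc/passwd", but it helps to know what a matching record actually contains, and in particular that each record carries two user ids: uid is the effective user (0 after su or sudo) and auid is the login uid that survives privilege changes. The script below is an added example, not part of the original article: it reads raw audit records (the format of /var/log/audit/audit.log, which is also what ausearch prints with its --raw option), keeps only the SYSCALL records tagged with a given filter key, and reports the timestamp, auid, uid and executable for each, plus a count per login uid. The sample records are constructed for this example; the pids, uids and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the original article). Summarise raw auditd records
# for one watch key. SAMPLE_AUDIT_LOG holds CONSTRUCTED records in the
# /var/log/audit/audit.log format; on a real host you would pipe in the log
# file or the output of `ausearch -k password-file --raw` instead.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2001 pid=2002 auid=506 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="password-file"
type=CWD msg=audit(1700000000.123:101): cwd="/root"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000060.456:102): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2001 pid=2010 auid=506 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="password-file"
type=SYSCALL msg=audit(1700000120.789:103): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=3001 pid=3002 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=7 comm="vipw" exe="/usr/sbin/vipw" key="shadow-file"
type=SYSCALL msg=audit(1700000180.000:104): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="password-file"'

# audit_who KEY: read raw audit records on stdin and print one line per
# SYSCALL record carrying key="KEY": "<epoch seconds> <auid> <uid> <exe>".
# CWD and PATH records share the event id with their SYSCALL record and are
# skipped here. An auid of 4294967295 means "unset": the process was started
# by a daemon (cron, sshd, ...) rather than from an interactive login.
audit_who() {
    _key="$1"
    awk -v key="$_key" '
        $1 != "type=SYSCALL" { next }
        {
            ts = ""; auid = ""; uid = ""; exe = ""; matched = 0
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "msg") {
                    # msg=audit(EPOCH.MSEC:SERIAL): -> keep whole seconds only
                    ts = kv[2]
                    sub(/^audit\(/, "", ts)
                    sub(/\..*$/, "", ts)
                } else if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "exe") { exe = kv[2]; gsub(/"/, "", exe) }
                else if (kv[1] == "key" && kv[2] == "\"" key "\"") matched = 1
            }
            if (matched) print ts, auid, uid, exe
        }'
}

# audit_count_by_auid KEY: number of matching records per login uid, which is
# the question "who" really asks once everyone has become root via sudo.
audit_count_by_auid() {
    audit_who "$1" | awk '{ n[$2]++ } END { for (a in n) print a, n[a] }' | sort
}

# Usage: run both reports over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_who password-file
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_count_by_auid password-file
```

Note what the sample shows: two of the three password-file events ran as uid 0, yet they trace back to login uid 506, and the third came from a daemon with no login session at all. When you search by user with ausearch, -ui matches the uid field, so after a sudo it will show root; use ausearch's -ul option to match on the login uid instead.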
In this article, we have learnt how to read audit logs in Linux. The Linux audit package provides the ausearch, auditctl and aureport utilities for setting watches and reading the records they produce.