The blame game: Who deleted that file? Working with auditd
I've recently had an issue where a file was disappearing that I couldn't explain. Without something to blame it on, I searched for a method to log changes to a file and quickly found audit. Audit is quite extensive and can capture a vast array of information; I'm only interested in monitoring a specific file here. This is for Red Hat based systems.
First you'll need to install and configure audit if it isn't already:
```
yum install audit
```
Check the service is running:
```
service auditd status
```
Let's create a dummy file to monitor:
```
echo "Please don't delete me\!" > /path/to/file/rhys.txt
```
Add a rule to audit for the file. This adds a watch (`-w`) on the specified file and tags every matching record with the key (`-k`) *whodeletedmyfile*, so the records can be filtered later:
```
auditctl -w /path/to/file/rhys.txt -k whodeletedmyfile
```
You can search for any records carrying that key with (`-i` interprets numeric ids such as uids into names):
```
ausearch -i -k whodeletedmyfile
```
The following information will be logged as soon as you add the rule:
```
----
type=CONFIG_CHANGE msg=audit(02/02/2017 13:09:59.967:226727) : auid=user@domain.local ses=12425 op="add rule" key=whodeletedmyfile list=exit res=yes
```
Now let's delete the file and search the audit log again:
```
rm /path/to/file/rhys.txt && ausearch -i -k whodeletedmyfile
```
We'll see the following information:
```
----
type=CONFIG_CHANGE msg=audit(02/02/2017 13:09:59.967:226727) : auid=user@domain.local ses=12425 op="add rule" key=whodeletedmyfile list=exit res=yes
----
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=1 name=/path/to/file/rhys.txt inode=42 dev=fd:04 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=0 name=/path/to/file/ inode=28 dev=fd:04 mode=dir,700 ouid=user@domain.local ogid=user@domain.local rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/02/2017 13:10:26.939:226735) : cwd=/root
type=SYSCALL msg=audit(02/02/2017 13:10:26.939:226735) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xf9a0c0 a2=0x0 a3=0x0 items=2 ppid=27157 pid=27604 auid=user@domain.local uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=12425 comm=rm exe=/bin/rm key=whodeletedmyfile
```
All four records of the second event share the same serial number (226735) and together describe one syscall. The final record (type=SYSCALL) shows us that the rm command was executed on the file by user@domain.local (see auid), who had sudoed to root first: auid is the login uid and is preserved across su and sudo, while uid=root is the identity the unlinkat call actually ran under. The PATH record with nametype=DELETE names the file that was removed.

You can remove the watch on the file with:
```
auditctl -W /path/to/file/rhys.txt -k whodeletedmyfile
```
You can list the configured watches with:
```
auditctl -l
```
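Reading the interpreted records by eye works for one file, but on a busy host you want the same question (who deleted what, as which login user, running as whom) answered from the `ausearch -i` output automatically. The following is an added example, not code from the original post: a small Python parser that splits interpreted records into fields, groups them by audit event serial, and reports every event in which a PATH record carries `nametype=DELETE`, flagging when the login user (auid) differs from the effective user (uid). The sample input is the post's own records, embedded inline as a constructed string; the function and variable names are my own.

```python
"""Parse interpreted `ausearch -i` output and report who deleted a watched file."""
import re
from collections import defaultdict

# Constructed sample: the records the post shows after `rm` on the watched file,
# one record per line exactly as `ausearch -i` prints them (serial 226735 is
# the deletion event; 226727 is the rule being added).
SAMPLE = """\
----
type=CONFIG_CHANGE msg=audit(02/02/2017 13:09:59.967:226727) : auid=user@domain.local ses=12425 op="add rule" key=whodeletedmyfile list=exit res=yes
----
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=1 name=/path/to/file/rhys.txt inode=42 dev=fd:04 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=0 name=/path/to/file/ inode=28 dev=fd:04 mode=dir,700 ouid=user@domain.local ogid=user@domain.local rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/02/2017 13:10:26.939:226735) : cwd=/root
type=SYSCALL msg=audit(02/02/2017 13:10:26.939:226735) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xf9a0c0 a2=0x0 a3=0x0 items=2 ppid=27157 pid=27604 auid=user@domain.local uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=12425 comm=rm exe=/bin/rm key=whodeletedmyfile
"""

# A record looks like: type=<TYPE> msg=audit(<timestamp>:<serial>) : k=v k=v ...
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<time>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$'
)
# Field values are either double-quoted (op="add rule") or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Turn interpreted ausearch output into a list of dicts, one per record.
    '----' separators and any non-record line are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        fields.update(type=m.group('type'), time=m.group('time'), serial=m.group('serial'))
        records.append(fields)
    return records


def group_events(records):
    """Group records by event serial: one syscall yields SYSCALL, CWD and PATH records."""
    events = defaultdict(list)
    for rec in records:
        events[rec['serial']].append(rec)
    return events


def find_deletions(text, key=None):
    """Return one summary per deleted path in events that have a SYSCALL record.
    If `key` is given, only events tagged with that audit key are reported."""
    hits = []
    for serial, recs in group_events(parse_records(text)).items():
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        deleted = [r for r in recs if r['type'] == 'PATH' and r.get('nametype') == 'DELETE']
        if syscall is None or not deleted:
            continue
        if key is not None and syscall.get('key') != key:
            continue
        for path in deleted:
            hits.append({
                'serial': serial,
                'time': syscall['time'],
                'file': path.get('name'),
                'syscall': syscall.get('syscall'),
                'success': syscall.get('success') == 'yes',
                'auid': syscall.get('auid'),   # login user; survives su/sudo
                'uid': syscall.get('uid'),     # user the syscall actually ran as
                'ses': syscall.get('ses'),
                'tty': syscall.get('tty'),
                'comm': syscall.get('comm'),
                'exe': syscall.get('exe'),
                # auid != uid means the login user changed identity before the call
                'privilege_changed': syscall.get('auid') != syscall.get('uid'),
            })
    return hits


def report(text, key=None):
    """Human-readable one-liner per deletion, naming the login user and any identity change."""
    lines = []
    for d in find_deletions(text, key):
        who = d['auid'] if not d['privilege_changed'] else f"{d['auid']} (running as {d['uid']})"
        lines.append(f"{d['time']} {d['file']} removed by {who} via {d['exe']} "
                     f"[{d['syscall']}] on {d['tty']}, session {d['ses']}")
    return lines


if __name__ == '__main__':
    # On a real host: ausearch -i -k whodeletedmyfile | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in report(text, key='whodeletedmyfile'):
        print(line)
```

Run with no input it reports on the embedded sample; piped the output of `ausearch -i -k whodeletedmyfile` it reports on live records. Grouping by serial matters because the file name is in a PATH record while the user, tty and executable are in the SYSCALL record of the same event, so no single line answers the question on its own.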