
Wednesday, September 18, 2013

How to monitor file access on Linux with "auditd"

For critical servers and sensitive data, keeping an eye on who accesses or changes files is essential for security. The Linux Audit System helps you do just that: the kernel audit subsystem records the system calls you ask it to watch, and the auditd daemon writes those records to disk, giving you a per-event trail of which login user touched which file, through which program and system call, and whether the kernel allowed it.


INSTALLING AUDITD

auditd is available in the package repositories for most Linux distributions.

  • Debian, Ubuntu, Linux Mint:

    sudo apt-get install auditd

    On these systems, auditd usually starts automatically on boot after installation.

  • Fedora, CentOS, RHEL:

    sudo yum install audit

    To ensure auditd starts automatically on boot on SysV-style releases (CentOS/RHEL 6 and earlier):

    sudo chkconfig auditd on

    On systemd-based releases (Fedora, RHEL/CentOS 7 and later) the equivalent is:

    sudo systemctl enable auditd

CONFIGURING AUDITD

You can configure auditd using the auditctl command-line utility (rules added that way are gone after the next restart or reboot) or by editing its rules file, /etc/audit/audit.rules, which auditd loads on startup. This guide focuses on editing the file. On newer distributions audit.rules is generated by augenrules from the fragments in /etc/audit/rules.d/, so on those systems put your rules there instead of editing audit.rules directly.

  • Edit the Configuration File:

    sudo vi /etc/audit/audit.rules
  • Example Configuration (/etc/audit/audit.rules):

    # First rule - delete all existing rules
    -D
    
    # Increase buffer size for busy systems to prevent lost events
    -b 1024
    
    # Monitor when files or directories are deleted (unlink and rmdir system calls).
    # A syscall rule matches a single ABI, so name the architecture explicitly; add a
    # second copy with -F arch=b32 if 32-bit binaries run on the host. unlinkat is
    # included because current coreutils and libc often issue it instead of unlink/rmdir.
    -a exit,always -F arch=b64 -S unlink -S unlinkat -S rmdir
    
    # Monitor file open attempts by a specific Linux User ID (UID 1001);
    # current glibc implements open() with the openat syscall, so watch both
    -a exit,always -F arch=b64 -S open -S openat -F loginuid=1001
    
    # Monitor write-access and changes to file properties (permissions) for critical files
    -w /etc/group -p wa
    -w /etc/passwd -p wa
    -w /etc/shadow -p wa
    -w /etc/sudoers -p wa
    
    # Monitor read-access to a specific sensitive directory
    -w /etc/secret_directory -p r
    
    # Lock the audit configuration to prevent unauthorized modifications until reboot
    -e 2
    
    • -D: Clears all previous rules.

    • -b 1024: Sets the buffer size. Increase this for active systems to avoid missing events.

    • -a exit,always -S <syscall>: Monitors specific system calls. The exit list is evaluated when the call returns, so the record includes its outcome (success=yes or no). A rule matches a single ABI, so pair it with -F arch=b64 (and repeat it with -F arch=b32 where 32-bit binaries run), otherwise calls from the other ABI are never logged.

    • -F loginuid=<UID>: Filters on the login UID (also written auid), the UID that pam_loginuid recorded when the session was opened. It survives su and sudo, so the event is attributed to the person who logged in rather than to the root account they switched to.

    • -w <path> -p <permissions>: Sets a watch on a file or directory.

      • w: write access

      • a: attribute change (e.g., permissions)

      • r: read access

    • -e 2: Locks the audit configuration (immutable mode). The kernel then refuses to add, delete or change any rule until reboot, so this must be the last line in the file; anything after it is not loaded.

  • Restart Auditd: After making changes to /etc/audit/audit.rules, restart the service for them to take effect.

    sudo service auditd restart

    Alternatively, load the file directly without a restart and then confirm what the kernel actually holds:

    sudo auditctl -R /etc/audit/audit.rules
    sudo auditctl -l

    Once a rule set ending in -e 2 has been loaded, neither command can change the rules again until the machine reboots.
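The script below is added here as an example and is not part of the original post. It generates a rule file along the lines of the one above but with the two things that rule set leaves out: an explicit architecture filter on every syscall rule (a b64 rule never matches a 32-bit process, so the rule is emitted for both ABIs) and the *at variants of the syscalls that current programs actually issue. Before loading, it checks the file the way a practitioner would: every -a rule must carry an arch filter, and -e 2 must be the final line. The key names, the RULES_OUT path and the load_rules helper are assumptions for the example; auditctl needs root and a live audit subsystem, so only generation and validation run unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post): generate, check and load an
# auditd rule set. Key names, RULES_OUT and load_rules are illustrative.

RULES_OUT="${RULES_OUT:-/tmp/audit.rules.generated}"   # assumed output path

# watch_rules KEY PERMS PATH...  ->  one "-w PATH -p PERMS -k KEY" line per path.
# The -k key tags every record so "ausearch -k KEY" finds them later.
watch_rules() {
    key=$1; perm=$2; shift 2
    for p in "$@"; do
        printf '%s\n' "-w $p -p $perm -k $key"
    done
}

# syscall_rules KEY "EXTRA -F FILTERS" SYSCALL...
# A syscall rule matches one ABI: a rule for arch=b64 never fires for a
# 32-bit process. Emit the rule for both ABIs so neither is a blind spot.
syscall_rules() {
    key=$1; extra=$2; shift 2
    syscalls=""
    for s in "$@"; do syscalls="$syscalls -S $s"; done
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch$syscalls${extra:+ $extra} -k $key"
    done
}

# The full rule file: -D first so a reload starts clean, -e 2 last because
# the kernel locks at that point and anything after it is not loaded.
generate_rules() {
    printf '%s\n' "-D" "-b 8192"
    # unlinkat/renameat are what current coreutils and libc actually call
    syscall_rules delete "" unlink unlinkat rmdir rename renameat
    # glibc implements open() via openat, so watching "open" alone misses it
    syscall_rules user1001_open "-F auid=1001" open openat
    watch_rules identity wa /etc/group /etc/passwd /etc/shadow /etc/sudoers
    watch_rules secrets r /etc/secret_directory
    printf '%s\n' "-e 2"
}

# validate_rules < file : exit 0 if every -a rule carries an arch filter and
# -e 2 (when present) is the final non-blank line; otherwise report and exit 1.
validate_rules() {
    awk '
        BEGIN { bad = 0 }
        /^-a / && !/-F arch=/ { print "no arch filter: " $0 > "/dev/stderr"; bad = 1 }
        /^-e 2$/ { lock_at = NR }
        NF       { last = NR }
        END {
            if (lock_at && lock_at != last) {
                print "-e 2 must be the last rule" > "/dev/stderr"; bad = 1
            }
            exit bad
        }'
}

# Write, check, then hand the file to auditctl (needs root; assumed helper).
load_rules() {
    generate_rules > "$RULES_OUT" &&
    validate_rules < "$RULES_OUT" &&
    auditctl -R "$RULES_OUT"
}

# Show the generated rule set when run directly.
generate_rules
```

Run it once with `generate_rules | validate_rules` on a workstation; when that passes, `load_rules` on the target host installs the file through auditctl -R, which applies the same checks the daemon does at startup. The validator deliberately rejects the original post's `-a exit,always -S unlink -S rmdir` form because it has no arch filter.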

ANALYZING AUDIT LOGS

auditd logs its findings to /var/log/audit/audit.log. The ausearch command-line tool queries these logs; aureport summarises them (for example, aureport -f produces a report of file accesses).

  • Check File Access: To see if /etc/passwd has been accessed or modified:

    sudo ausearch -f /etc/passwd

    The output will show details like the time, type of event, user, process, and system call involved. Each event is stored as several records (SYSCALL, CWD, PATH, ...) that share the same msg=audit(timestamp:serial) identifier: the SYSCALL record carries auid (the login user), comm and exe (the program), and success (whether the kernel allowed it), while the PATH records name the files touched. For example, you might see an event indicating chmod was applied to /etc/passwd by root.

  • Check Directory Access: To see if /etc/secret_directory has been accessed:

    sudo ausearch -f /etc/secret_directory

    Listing the directory (for example with ls) opens it for reading, so the -p r watch records the event together with the auid of the user who ran the command.
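ausearch only shows the events that match a query, and a detection pipeline usually reads /var/log/audit/audit.log itself, so the raw format is worth understanding. Each event is several records joined by the msg=audit(TIMESTAMP:SERIAL) field. The script below, added here as an example and not part of the original post, joins those records on the serial and prints one line per event with the login UID, the program, the syscall number, the outcome and the target path, then filters for attempts the kernel refused. The log lines are constructed for the example, not captured from a real host; inode numbers and addresses are placeholders, and syscall numbers follow the x86_64 table (257 = openat, 268 = fchmodat).

```shell
#!/bin/sh
# Added example (not from the original post). Constructed audit.log records:
# one event = several records sharing the same msg=audit(TIME:SERIAL) id.
SAMPLE_LOG='type=SYSCALL msg=audit(1379520000.101:4321): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd5c3e2a10 a2=241 a3=1b6 items=2 ppid=2200 pid=2231 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1379520000.101:4321):  cwd="/root"
type=PATH msg=audit(1379520000.101:4321): item=0 name="/etc/" inode=1 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1379520000.101:4321): item=1 name="/etc/passwd" inode=2 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1379520000.250:4322): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd5c3e2b30 a2=180 a3=0 items=1 ppid=2200 pid=2240 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="chmod" exe="/usr/bin/chmod" key="identity"
type=CWD msg=audit(1379520000.250:4322):  cwd="/root"
type=PATH msg=audit(1379520000.250:4322): item=0 name="/etc/shadow" inode=3 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1379520001.000:4323): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe1a2b3c40 a2=0 a3=0 items=1 ppid=3100 pid=3142 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key="secrets"
type=CWD msg=audit(1379520001.000:4323):  cwd="/home/bob"
type=PATH msg=audit(1379520001.000:4323): item=0 name="/etc/secret_directory/key.pem" inode=4 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

# summarize_audit_events < audit.log
# Prints "SERIAL auid=.. comm=.. syscall=.. success=.. key=.. path=.." per event.
summarize_audit_events() {
    awk '
        # value of " name=..." in line, quotes stripped; "" when absent
        function field(line, name,    s, e, v) {
            s = index(line, " " name "=")
            if (s == 0) return ""
            s += length(name) + 2
            e = index(substr(line, s), " ")
            v = (e == 0) ? substr(line, s) : substr(line, s, e - 1)
            gsub(/"/, "", v)
            return v
        }
        # every record carries msg=audit(TIME:SERIAL); the serial joins them
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) == 0 { next }
        {
            id = substr($0, RSTART + 10, RLENGTH - 11)
            split(id, part, ":"); serial = part[2]
            if (!(serial in seen)) { seen[serial] = 1; order[++n] = serial }
        }
        /^type=SYSCALL / {
            auid[serial] = field($0, "auid");    comm[serial] = field($0, "comm")
            sc[serial]   = field($0, "syscall"); ok[serial]   = field($0, "success")
            key[serial]  = field($0, "key")
        }
        /^type=PATH / {
            # several PATH items per event; skip the parent directory entry
            # (nametype=PARENT). Older kernels omit nametype, in which case
            # the last item is the target, so "last one wins" still works.
            nt = field($0, "nametype")
            if (nt != "PARENT") path[serial] = field($0, "name")
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                printf "%s auid=%s comm=%s syscall=%s success=%s key=%s path=%s\n", s, auid[s], comm[s], sc[s], ok[s], key[s], path[s]
            }
        }'
}

# denied_access < audit.log : only the attempts the kernel refused (success=no),
# usually the first thing to triage after a watch on a sensitive directory.
denied_access() {
    summarize_audit_events | grep ' success=no '
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | summarize_audit_events
```

Point it at the real file with `sudo sh -c 'summarize_audit_events < /var/log/audit/audit.log'` after sourcing the functions; `ausearch -i` will translate the auid and syscall numbers to names if you need them readable. Keying on the serial rather than the timestamp matters because two events can share a timestamp but never a serial.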


IMMUTABLE MODE AND RULE MODIFICATION

If you set auditd to immutable mode (-e 2), the kernel rejects every further rule change, so editing the file and restarting the service has no effect: the restart itself fails to load the new rules and the old ones stay in force until reboot. That is the point of the setting, since it also stops an attacker who gains root from silencing the audit trail, but it means a mistake in the rule file costs a reboot as well, so test a new rule set without -e 2 first.

  • Error Message in Immutable Mode:

    Error deleting rule (Operation not permitted)
    The audit system is in immutable mode, no rules loaded
    
  • To Modify Rules in Immutable Mode:

    1. Edit /etc/audit/audit.rules.

    2. Reboot your machine. The new rules will be loaded upon restart.


LOG ROTATION

Audit logs can grow large quickly, and if /var/log/audit fills up auditd stops recording. Rotate them before that happens.

  • Rotate Audit Logs Daily (for cronjob):

    sudo service auditd rotate

    This sends auditd the signal that closes the current log and starts a new one. You can add the command to a daily cron job to ensure logs are rotated regularly, preventing the /var/log/audit directory from filling up. auditd also rotates on size by itself: in /etc/audit/auditd.conf, max_log_file sets the size limit in megabytes, max_log_file_action = ROTATE rotates when it is reached, and num_logs caps how many rotated files are kept.
