0

I am trying to configure PCI DSS requirement 10.5.5, "Use file integrity monitoring or change detection software on logs".

I use auditd for this; the rule "auditctl -w /tmp/testfile -p war" works perfectly.

But if I append to the file with a stdout redirect, like "echo "hi" >> /tmp/testfile", the line is appended but nothing shows up in audit.log.

Does anybody know how to log all changes to a file using auditd?

Asazio

3 Answers

1

I just tried this on Centos 6.3 and got the same result. Reading the file tripped auditd but the append using echo did not.

Including x seems to work. Change -p war to -p warx and see if that works for you on Ubuntu.

Ryan Davies
1

auditd does catch the change to the file, but it is logged as bash making a syscall, unfortunately with no identifiable path back to the file that was changed.

As a workaround, for each rule to monitor a file, I include the file in the key name. For example:

-w /etc/login.txt -p wa -k login.txt-modified

That way, log entries triggered with echo > login.txt will be easily found. There is an open bug with Red Hat about this:

https://bugzilla.redhat.com/show_bug.cgi?id=1204937

BE77Y
cvcrckt
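Added example, not code from the question or from any of the answers: a small Python parser over a constructed audit.log excerpt that shows the situation described above. The event for a shell redirect is found by the rule key even though it carries no PATH record, and the file name encoded in the key is used to attribute it. The sample records, the rule `-w /etc/login.txt -p wa -k login.txt-modified`, the `KEY_TO_FILE` map and the function names are all assumptions made for this illustration.

```python
"""Group raw auditd records into events and find them by rule key.

Added example; the records below are constructed, not captured data.
Assumed rule (the one given in the answer above):
    -w /etc/login.txt -p wa -k login.txt-modified
Event 456 models `echo >> /etc/login.txt`: bash's open() syscall is
logged under the key but, as the answer describes, without a PATH record.
Event 457 models an editor saving the same file, which does carry PATH.
Event 458 is a hit under a different key with no PATH and no mapping.
"""
import re
from collections import OrderedDict

# Constructed sample audit.log excerpt (not real captured data).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1427194500.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7f1d9c0 a1=441 a2=1b6 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" key="login.txt-modified"
type=CWD msg=audit(1427194500.123:456):  cwd="/root"
type=SYSCALL msg=audit(1427194530.456:457): arch=c000003e syscall=2 success=yes exit=4 a0=7f2a1c0 a1=241 a2=1a4 a3=0 items=2 ppid=1000 pid=1300 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="login.txt-modified"
type=CWD msg=audit(1427194530.456:457):  cwd="/root"
type=PATH msg=audit(1427194530.456:457): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1427194530.456:457): item=1 name="/etc/login.txt" inode=131510 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1427194600.789:458): arch=c000003e syscall=2 success=yes exit=3 a0=7f3b2d0 a1=441 a2=1b6 a3=0 items=0 ppid=1000 pid=1400 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" key="motd-modified"
type=CWD msg=audit(1427194600.789:458):  cwd="/root"
"""

# Workaround from the answer: the rule key names the watched file, so a
# hit without a PATH record can still be attributed. Assumed mapping.
KEY_TO_FILE = {"login.txt-modified": "/etc/login.txt"}

# type=<TYPE> msg=audit(<ts>:<serial>): <body>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# name=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn the record body into a dict, stripping quotes from values."""
    fields = {}
    for name, value in FIELD_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[name] = value
    return fields


def group_events(log_text):
    """Group records sharing one audit serial into an event, in log order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line or something that is not an audit record
        rec = parse_fields(m.group("body"))
        rec["_ts"] = m.group("ts")
        events.setdefault(m.group("serial"), []).append((m.group("type"), rec))
    return events


def summarize(serial, records):
    """Reduce one event to the fields an analyst wants for a file watch."""
    ev = {"serial": serial, "syscall": None, "comm": None, "exe": None,
          "key": None, "cwd": None, "paths": []}
    for rtype, rec in records:
        if rtype == "SYSCALL":
            for f in ("syscall", "comm", "exe", "key"):
                ev[f] = rec.get(f)
        elif rtype == "CWD":
            ev["cwd"] = rec.get("cwd")
        elif rtype == "PATH" and rec.get("nametype") != "PARENT":
            ev["paths"].append(rec.get("name"))
    # Prefer the real PATH record; otherwise fall back to the file the key encodes.
    ev["path_record_missing"] = not ev["paths"]
    ev["file"] = ev["paths"][-1] if ev["paths"] else KEY_TO_FILE.get(ev["key"])
    return ev


def find_by_key(log_text, key):
    """Return summaries of every event whose SYSCALL record carries `key`."""
    hits = []
    for serial, records in group_events(log_text).items():
        if any(rec.get("key") == key for _, rec in records):
            hits.append(summarize(serial, records))
    return hits


if __name__ == "__main__":
    for ev in find_by_key(SAMPLE_AUDIT_LOG, "login.txt-modified"):
        print(ev)
```

On a live system the equivalent lookup is `ausearch -k login.txt-modified`; the point of the key naming convention is that the redirect event is still retrievable and attributable when the only records present are SYSCALL and CWD.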
0

I actually wouldn't use auditd alone for this. For my PCI and HIPAA-compliant systems, I used auditd to record changes on critical system files and functions, but leveraged either AIDE or Tripwire for actual file-integrity monitoring and reporting.

ewwhite