Monitor/Audit File Delete on Linux

Monitor/audit file delete on Linux

Yes, you can use the audit daemon. You did't say which Linux distro. Red Hat based systems contain auditd, and you can use auditctl to add rules.

To watch a directory recursively for changes:

auditctl -w /usr/local/someapp/ -p wa

To watch system calls made by a program with pid of 2021:

auditctl -a exit,always -S all -F pid=2021

Check the man page for auditctl.

Results will be logged to /var/log/audit/audit.log

To ensure it's running.

/etc/init.d/auditd status

For a more thorough approach, you could use tripwire or OSSEC, but they're geared more toward intrusion detection.

Monitor directory recursively for file additions/modifications/deletions

As you rightly guessed, kqueue is not scalable because you have to hold a handle to the file / directory in question, even if in O_RDONLY mode. On Linux, one would use inotify for this purpose (http://linux.die.net/man/7/inotify), but I believe there is no FreeBSD port of this kernel feature!

If you have the time and resources, what you could do is look at the code for audit on BSD (http://www.freebsd.org/cgi/man.cgi?query=audit&sektion=4) and try to code up a version of inotify for BSD! O_O

Unix Shell script to monitor a folder for files with user details

I know something call inotify tools but will that work on all unix
versions like HP, Solaris etc?

inotify is a Linux-only solution. There are approximately similar solutions available for other operating systems (e.g., Solaris has file event notifications, but I don't know that there is anything available that wraps them up in a single API.

And how to track name of user/id who doing that file add/delete/modify?

You can't, at least not in a cross-platform manner. Under Linux you can probably accomplish a task like this using the audit subsystem, but that is again a Linux-only solution.

Monitor chattr changes

struct ev_loop* loop = nullptr;
int fd = 0;
void
sig_handler(int signo)
{
  if (signo == SIGINT)
    printf("received SIGINT\n");
  else if (signo == SIGTERM)
    printf("received SIGTERM\n");
  else if (signo == SIGBUS)
    printf("received SIGBUS\n");
  else if (signo == SIGABRT)
    printf("received SIGABRT\n");
  if (loop != nullptr) {
    std::cout << "Stopping event loop" << std::endl;
    ev_break(EV_A_ EVBREAK_ONE);
  }
}
void
monitoring(struct ev_loop* loop, struct ev_io* io, int revents)
{
  struct audit_reply reply;

  audit_get_reply(fd, &reply, GET_REPLY_NONBLOCKING, 0);

  if (reply.type != AUDIT_EOE && reply.type != AUDIT_PROCTITLE &&
      reply.type != AUDIT_PATH) {
    char* buf = new char[MAX_AUDIT_MESSAGE_LENGTH];

    snprintf(buf,
             MAX_AUDIT_MESSAGE_LENGTH,
             "Type=%s Message=%.*s",
             audit_msg_type_to_name(reply.type),
             reply.len,
             reply.message);

    printf("EVENT: %s\n", buf);
  }
}

int
main()
{
  std::cout << "Starting up..." << std::endl;

  if (signal(SIGINT, sig_handler) == SIG_ERR) {
    printf("can't catch SIGINT\n");
  }
  if (signal(SIGTERM, sig_handler) == SIG_ERR) {
    printf("can't catch SIGTERM\n");
  }
  if (signal(SIGBUS, sig_handler) == SIG_ERR) {
    printf("can't catch SIGBUS\n");
  }
  if (signal(SIGABRT, sig_handler) == SIG_ERR) {
    printf("can't catch SIGABRT\n");
  }

  struct ev_io monitor;
  fd = audit_open();

  audit_set_pid(fd, getpid(), WAIT_YES);
  struct audit_rule_data* rule = new audit_rule_data();

  std::cout << "Add watch dir..." << std::endl;
  audit_add_watch_dir(AUDIT_DIR, &rule, "test");

  // setting rule.
  audit_add_rule_data(fd, rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);

  loop = EV_DEFAULT;

  ev_io_init(&monitor, monitoring, fd, EV_READ);

  std::cout << "Enable audit..." << std::endl;
  audit_set_enabled(fd, 1);
  std::cout << "Start io monitor..." << std::endl;
  ev_io_start(loop, &monitor);
  std::cout << "Start event loop..." << std::endl;
  // now wait for events to arrive
  ev_run(loop, 0);
  std::cout << "Closing audit..." << std::endl;
  audit_close(fd);
  delete rule;

  std::cout << "Bye" << std::endl;
  return 0;
}

How is it possible to understand which process deletes a file on the hard drive

May be using Process Monitor, with this parameters «operation: SetDispositionInformationFile,
Result: SUCCESS, detail:"Delete:True"» on your path.

More detail abut this :here and here

selinux: How to programmatically log to audit log?

If you are using C/C++ you can interact with auditd (the one responsible for writing to audit.log) with the library "audit-libs" by including "libaudit.h".
If you have the development library installed read the manual page of audit_open (man audit_open), or take a look here: http://linux.die.net/man/3/audit_open

I gathered most information from the following sites:

• http://www.mail-archive.com/linux-audit@redhat.com/msg01093.html

• http://www.linuxquestions.org/questions/linux-kernel-70/interfacing-with-the-auditd-737239/

How to log to AUDITD from application?

Your understanding of auditd as a replacement for logging is incorrect. Auditd is not a direct replacement for syslog/rsyslog type logging. Rather it produces logs based on system calls to the kernel.

Then man page explains it:

auditd is the userspace component to the Linux Auditing System. It's
responsible for writing audit records to the disk. Viewing the logs
is done with the ausearch or aureport utilities. Configuring the
audit system or loading rules is done with the auditctl utility.
During startup, the rules in /etc/audit/audit.rules are read by
auditctl and loaded into the kernel. Alternately, there is also an
augenrules program that reads rules located in /etc/audit/rules.d/
and compiles them into an audit.rules file. The audit daemon itself
has some configuration options that the admin may wish to customize.
They are found in the auditd.conf file.

There's also a good overview of auditd, titled: A Brief Introduction to auditd:

.... Since it operates at the kernel level this gives us a hook into any system operation we want. We have the option to write a log any time a particular system call happens, whether that be unlink or getpid. We can monitor access to any file, all network traffic, really anything we want. The level of detail is pretty phenomenal and, since it operates at such a low level, the granularity of information is incredibly useful.

I would also direct you to this tutorial titled: How To Use the Linux Auditing System on CentOS 7. There's an example of the types of logging you'll get from auditd.

type=SYSCALL msg=audit(1434371271.277:135496): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0054e929 a1=0 a2=1fffffffffff0000 a3=7fff0054c390 items=1 ppid=6265 pid=6266 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=113 comm="cat" exe="/usr/bin/cat" key="sshconfigchange"

type=CWD msg=audit(1434371271.277:135496):  cwd="/home/sammy"

type=PATH msg=audit(1434371271.277:135496): item=0 name="/etc/ssh/sshd_config" inode=392210 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL

This is all from a single event, but 3 messages were logged via auditd. You can tell which events are associated via the msg=audit(...) fields.

I show you this example, because this type of logging is being driven from the kernel, not the applications themselves.

NOTE: Auditd's true purpose is to produce a audit log of interactions with the Linux kernel, whereas syslog/rsyslog are really meant for general purpose logging from the applications themselves.

---

Related Topics