Monitor/audit file delete on Linux
Yes, you can use the audit daemon. You did't say which Linux distro. Red Hat based systems contain auditd, and you can use auditctl to add rules.
To watch a directory recursively for changes:
auditctl -w /usr/local/someapp/ -p wa
To watch system calls made by a program with pid of 2021:
auditctl -a exit,always -S all -F pid=2021
Check the man page for auditctl.
Results will be logged to /var/log/audit/audit.log
To ensure it's running.
/etc/init.d/auditd status
For a more thorough approach, you could use tripwire or OSSEC, but they're geared more toward intrusion detection.
Monitor directory recursively for file additions/modifications/deletions
As you rightly guessed, kqueue
is not scalable because you have to hold a handle to the file / directory in question, even if in O_RDONLY
mode. On Linux, one would use inotify
for this purpose (http://linux.die.net/man/7/inotify), but I believe there is no FreeBSD port of this kernel feature!
If you have the time and resources, what you could do is look at the code for audit
on BSD (http://www.freebsd.org/cgi/man.cgi?query=audit&sektion=4) and try to code up a version of inotify for BSD! O_O
Unix Shell script to monitor a folder for files with user details
I know something call inotify tools but will that work on all unix
versions like HP, Solaris etc?
inotify
is a Linux-only solution. There are approximately similar solutions available for other operating systems (e.g., Solaris has file event notifications, but I don't know that there is anything available that wraps them up in a single API.
And how to track name of user/id who doing that file add/delete/modify?
You can't, at least not in a cross-platform manner. Under Linux you can probably accomplish a task like this using the audit
subsystem, but that is again a Linux-only solution.
Monitor chattr changes
struct ev_loop* loop = nullptr;
int fd = 0;
void
sig_handler(int signo)
{
if (signo == SIGINT)
printf("received SIGINT\n");
else if (signo == SIGTERM)
printf("received SIGTERM\n");
else if (signo == SIGBUS)
printf("received SIGBUS\n");
else if (signo == SIGABRT)
printf("received SIGABRT\n");
if (loop != nullptr) {
std::cout << "Stopping event loop" << std::endl;
ev_break(EV_A_ EVBREAK_ONE);
}
}
void
monitoring(struct ev_loop* loop, struct ev_io* io, int revents)
{
struct audit_reply reply;
audit_get_reply(fd, &reply, GET_REPLY_NONBLOCKING, 0);
if (reply.type != AUDIT_EOE && reply.type != AUDIT_PROCTITLE &&
reply.type != AUDIT_PATH) {
char* buf = new char[MAX_AUDIT_MESSAGE_LENGTH];
snprintf(buf,
MAX_AUDIT_MESSAGE_LENGTH,
"Type=%s Message=%.*s",
audit_msg_type_to_name(reply.type),
reply.len,
reply.message);
printf("EVENT: %s\n", buf);
}
}
int
main()
{
std::cout << "Starting up..." << std::endl;
if (signal(SIGINT, sig_handler) == SIG_ERR) {
printf("can't catch SIGINT\n");
}
if (signal(SIGTERM, sig_handler) == SIG_ERR) {
printf("can't catch SIGTERM\n");
}
if (signal(SIGBUS, sig_handler) == SIG_ERR) {
printf("can't catch SIGBUS\n");
}
if (signal(SIGABRT, sig_handler) == SIG_ERR) {
printf("can't catch SIGABRT\n");
}
struct ev_io monitor;
fd = audit_open();
audit_set_pid(fd, getpid(), WAIT_YES);
struct audit_rule_data* rule = new audit_rule_data();
std::cout << "Add watch dir..." << std::endl;
audit_add_watch_dir(AUDIT_DIR, &rule, "test");
// setting rule.
audit_add_rule_data(fd, rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
loop = EV_DEFAULT;
ev_io_init(&monitor, monitoring, fd, EV_READ);
std::cout << "Enable audit..." << std::endl;
audit_set_enabled(fd, 1);
std::cout << "Start io monitor..." << std::endl;
ev_io_start(loop, &monitor);
std::cout << "Start event loop..." << std::endl;
// now wait for events to arrive
ev_run(loop, 0);
std::cout << "Closing audit..." << std::endl;
audit_close(fd);
delete rule;
std::cout << "Bye" << std::endl;
return 0;
}
How is it possible to understand which process deletes a file on the hard drive
May be using Process Monitor, with this parameters «operation: SetDispositionInformationFile,
Result: SUCCESS, detail:"Delete:True"» on your path.
More detail abut this :here and here
selinux: How to programmatically log to audit log?
If you are using C/C++ you can interact with auditd (the one responsible for writing to audit.log) with the library "audit-libs" by including "libaudit.h".
If you have the development library installed read the manual page of audit_open (man audit_open), or take a look here: http://linux.die.net/man/3/audit_open
I gathered most information from the following sites:
http://www.mail-archive.com/linux-audit@redhat.com/msg01093.html
http://www.linuxquestions.org/questions/linux-kernel-70/interfacing-with-the-auditd-737239/
How to log to AUDITD from application?
Your understanding of auditd as a replacement for logging is incorrect. Auditd is not a direct replacement for syslog/rsyslog type logging. Rather it produces logs based on system calls to the kernel.
Then man page explains it:
auditd is the userspace component to the Linux Auditing System. It's
responsible for writing audit records to the disk. Viewing the logs
is done with theausearch
oraureport
utilities. Configuring the
audit system or loading rules is done with the auditctl utility.
During startup, the rules in/etc/audit/audit.rules
are read by
auditctl
and loaded into the kernel. Alternately, there is also an
augenrules
program that reads rules located in/etc/audit/rules.d/
and compiles them into anaudit.rules
file. The audit daemon itself
has some configuration options that the admin may wish to customize.
They are found in theauditd.conf
file.
There's also a good overview of auditd, titled: A Brief Introduction to auditd:
.... Since it operates at the kernel level this gives us a hook into any system operation we want. We have the option to write a log any time a particular system call happens, whether that be unlink or getpid. We can monitor access to any file, all network traffic, really anything we want. The level of detail is pretty phenomenal and, since it operates at such a low level, the granularity of information is incredibly useful.
I would also direct you to this tutorial titled: How To Use the Linux Auditing System on CentOS 7. There's an example of the types of logging you'll get from auditd.
type=SYSCALL msg=audit(1434371271.277:135496): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0054e929 a1=0 a2=1fffffffffff0000 a3=7fff0054c390 items=1 ppid=6265 pid=6266 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=113 comm="cat" exe="/usr/bin/cat" key="sshconfigchange"
type=CWD msg=audit(1434371271.277:135496): cwd="/home/sammy"
type=PATH msg=audit(1434371271.277:135496): item=0 name="/etc/ssh/sshd_config" inode=392210 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
This is all from a single event, but 3 messages were logged via auditd. You can tell which events are associated via the msg=audit(...)
fields.
I show you this example, because this type of logging is being driven from the kernel, not the applications themselves.
NOTE: Auditd's true purpose is to produce a audit log of interactions with the Linux kernel, whereas syslog/rsyslog are really meant for general purpose logging from the applications themselves.
Related Topics
How to Change Qmake Prefix Location
Will Java Compiled in Windows Work in Linux
Where Is Linux Cfs Scheduler Code
Difference Between Wic and Hddimg Format in Yocto
Incomplete Lsb Comment. Insserv: Missing Valid Name for 'Provides:' Please Add
How to Store Result of Diff in Linux
How to Execute 'X86_64-Conda_Cos6-Linux-Gnu-Gcc': No Such File or Directory (Pysam Installation)
Partitioning Images Based on Their White Space
Why Does Utf-8 Text Sort in Different Order Between Os X and Linux
Sendmail/Procmail - Get Mail Sender and Mail Subject, Utf8 Encoding Issues
Javafx: Tested/Confirmed Hardware (Gpu) Acceleration on Linux
Having Trouble Wrapping Functions in The Linux Kernel
On Linux, Is Access() Faster Than Stat()