Linux audit files to see who made changes to a file
How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?
The answer is to use the 2.6 kernel's audit system. Modern Linux kernels (2.6.x) come with the auditd daemon, which is responsible for writing audit records to disk. During startup, this daemon reads the rules in /etc/audit.rules. You can open the /etc/audit.rules file and make changes such as setting the audit log location and other options; the default file is good enough to get started with auditd.
In order to use the audit facility you need the following utilities:
=> auditctl – a command to assist in controlling the kernel's audit system. You can get its status, and add or delete rules in the kernel audit system. Setting a watch on a file is accomplished using this command.
=> ausearch – a command that can query the audit daemon logs for events based on different search criteria.
=> aureport – a tool that produces summary reports of the audit system logs.
Note that all of the following instructions were tested on CentOS 4.x, Fedora Core and RHEL 4/5 Linux.
Task: install audit package
The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora Core include the audit rpm package. Use the yum or up2date command to install the package:
# yum install audit
OR
# up2date install audit
Auto start the auditd service on boot:
# ntsysv
OR
# chkconfig auditd on
Now start the service:
# /etc/init.d/auditd start
How do I set a watch on a file for auditing?
Let us say you would like to audit the /etc/passwd file. You need to type the command as follows:
# auditctl -w /etc/passwd -p war -k password-file
Where,
-w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
-p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
-k password-file : Set a filter key on the /etc/passwd watch. password-file is the filterkey (a string of text up to 31 bytes long) that uniquely identifies the audit records produced by the watch. You need to use the password-file string while searching the audit logs.
In short you are monitoring (read as watching) the /etc/passwd file for anyone (including syscalls) that may perform a write, append or read operation on the file.
Wait for some time, or as a normal user run commands as follows:
$ grep 'something' /etc/passwd
$ vi /etc/passwd
Following are more examples:
File System audit rules
Add a watch on “/etc/shadow” with the arbitrary filterkey “shadow-file” that generates records for “reads, writes, executes, and appends” on “shadow”:
# auditctl -w /etc/shadow -k shadow-file -p rwxa
SYSCALL AUDIT RULE
The next rule suppresses auditing for mount syscall exits:
# auditctl -a exit,never -S mount
FILE SYSTEM AUDIT RULE
Add a watch on “/tmp” with the filterkey “webserver-watch-tmp” that generates records for “executes” on “/tmp” (good for a webserver). Note that the execute permission letter for -p is x (the valid letters are r, w, x and a):
# auditctl -w /tmp -p x -k webserver-watch-tmp
SYSCALL AUDIT RULE USING PID
To see all syscalls made by a program called sshd (pid 1005):
# auditctl -a entry,always -S all -F pid=1005
How do I find out who changed or accessed a file /etc/passwd?
Use the ausearch command as follows:
# ausearch -f /etc/passwd
OR
# ausearch -f /etc/passwd | less
OR
# ausearch -f /etc/passwd -i | less
Where,
-f /etc/passwd : Only search for this file
-i : Interpret numeric entities into text. For example, a uid is converted to an account name.
audit(03/16/2007 14:52:59.985:55) : Audit log time
uid=lighttpd gid=lighttpd : User and group ids (numeric in the raw log). By passing the -i option to the command you can convert most numeric data to human readable format. In our example the user lighttpd used the grep command to open the file.
exe="/bin/grep" : The grep command was used to access the /etc/passwd file.
perm_mask=read : File was open for read operation
So from the log files you can clearly see who read the file using grep or made changes to the file using the vi/vim text editor. The log provides tons of other information; read the man pages and documentation to understand the raw log format.
Other useful examples
Search for events with date and time stamps. If the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify the time. An example date is 10/24/05. An example of a time is 18:00:00.
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file
Search for an event matching the given executable name using the -x option. For example, find out who has accessed /etc/passwd using the rm command:
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm
Search for an event with the given user name (UID). For example, find out if user vivek (uid 506) tried to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
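The raw records behind the ausearch output above are key=value lines that share one audit(<seconds>.<ms>:<serial>) stamp per event. As an added example that is not part of the original article, the following Python script groups such records by serial, resolves the numbers the way ausearch -i does, and filters them like the -f, -k, -ui and -x options. The three events, the uid-to-name map and the i386 syscall subset are all constructed for the demo; the record layout shown is the SYSCALL/CWD/PATH layout of later auditd releases, and older 2.6.9-era kernels (the article's sample with perm_mask=read) lay records out a little differently.

```python
import re
from datetime import datetime, timezone

# Constructed sample of raw audit records: three events (serials 55-57), all
# produced by the "password-file" watch from the article.  Separator lines
# ("----") are what ausearch prints between events and must be skipped.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1174060379.985:55): arch=40000003 syscall=5 success=yes exit=3 a0=bfc0f6d3 a1=8000 a2=0 a3=8000 items=1 ppid=2431 pid=2478 auid=4294967295 uid=100 gid=100 euid=100 suid=100 fsuid=100 egid=100 sgid=100 fsgid=100 tty=pts0 comm="grep" exe="/bin/grep" key="password-file"
type=CWD msg=audit(1174060379.985:55):  cwd="/home/lighttpd"
type=PATH msg=audit(1174060379.985:55): item=0 name="/etc/passwd" inode=1026 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
----
type=SYSCALL msg=audit(1174060401.120:56): arch=40000003 syscall=5 success=yes exit=4 a0=bfd1a2c0 a1=8241 a2=1a4 a3=0 items=1 ppid=2500 pid=2531 auid=506 uid=506 gid=506 euid=506 suid=506 fsuid=506 egid=506 sgid=506 fsgid=506 tty=pts1 comm="vim" exe="/usr/bin/vim" key="password-file"
type=CWD msg=audit(1174060401.120:56):  cwd="/home/vivek"
type=PATH msg=audit(1174060401.120:56): item=0 name="/etc/passwd" inode=1026 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
----
type=SYSCALL msg=audit(1174060455.003:57): arch=40000003 syscall=10 success=no exit=-13 a0=bfe0c1f0 a1=0 a2=0 a3=0 items=1 ppid=2500 pid=2540 auid=506 uid=506 gid=506 euid=506 suid=506 fsuid=506 egid=506 sgid=506 fsgid=506 tty=pts1 comm="rm" exe="/bin/rm" key="password-file"
type=CWD msg=audit(1174060455.003:57):  cwd="/home/vivek"
type=PATH msg=audit(1174060455.003:57): item=0 name="/etc/passwd" inode=1026 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Constructed uid -> account map; ausearch -i does this lookup via /etc/passwd.
PASSWD = {0: "root", 100: "lighttpd", 506: "vivek"}

# Small subset of i386 (arch=40000003) syscall numbers; the full table lives in
# the kernel and differs per architecture, so this is an assumption for the demo.
SYSCALLS_I386 = {4: "write", 5: "open", 10: "unlink", 11: "execve", 15: "chmod", 38: "rename"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Turn one raw record into a dict of its key=value fields.
    Returns None for separator lines or anything without an audit() stamp."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_secs"] = int(m.group(1))      # epoch seconds
    fields["_ms"] = m.group(2)             # milliseconds, kept as text
    fields["_serial"] = int(m.group(3))    # event serial shared by all records of one event
    return fields


def group_events(log_text):
    """Group records by serial: every record of one event carries the same stamp."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def access_mode(syscall_rec):
    """For open(), derive read/write from the O_ACCMODE bits of the flags
    argument (a1, hex); for other syscalls just report the syscall name."""
    name = SYSCALLS_I386.get(int(syscall_rec["syscall"]), "syscall#" + syscall_rec["syscall"])
    if name == "open":
        flags = int(syscall_rec.get("a1", "0"), 16)
        return {0: "read", 1: "write", 2: "read/write"}.get(flags & 3, "read")
    return name


def interpret_event(records):
    """Resolve the numbers in one event the way ausearch -i does (times in UTC)."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None:
        return None
    uid = int(syscall["uid"])
    stamp = datetime.fromtimestamp(syscall["_secs"], tz=timezone.utc)
    return {
        "serial": syscall["_serial"],
        "time": stamp.strftime("%m/%d/%Y %H:%M:%S") + "." + syscall["_ms"],
        "uid": uid,
        "user": PASSWD.get(uid, str(uid)),
        "exe": syscall.get("exe", "?"),
        "access": access_mode(syscall),
        "success": syscall.get("success"),
        "key": syscall.get("key"),
        "paths": [r["name"] for r in records if r.get("type") == "PATH" and "name" in r],
    }


def search(log_text, file=None, key=None, uid=None, exe=None):
    """Filter like ausearch -f / -k / -ui / -x; every given filter must match."""
    events = group_events(log_text)
    hits = []
    for serial in sorted(events):
        ev = interpret_event(events[serial])
        if ev is None:
            continue
        if file is not None and file not in ev["paths"]:
            continue
        if key is not None and ev["key"] != key:
            continue
        if uid is not None and ev["uid"] != uid:
            continue
        if exe is not None and exe not in (ev["exe"], ev["exe"].rsplit("/", 1)[-1]):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    # Equivalent of: ausearch -f /etc/passwd -i
    for ev in search(SAMPLE_AUDIT_LOG, file="/etc/passwd"):
        print("%s user=%s exe=%s access=%s success=%s key=%s"
              % (ev["time"], ev["user"], ev["exe"], ev["access"], ev["success"], ev["key"]))
```

Run against the sample, the script reports that lighttpd read /etc/passwd with grep, vivek opened it for writing with vim, and vivek's rm on it failed (success=no, exit=-13 is EACCES), which is exactly the question the -x rm -ui 506 search in the article is asking.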
To fix the issue, we suggest that you follow the methods below:
Method 1: Modify the Network Adapter Properties
1. Use Windows shortcut keys Win + X (or right click the Start menu) and select Device Manager from the menu.
2. Expand Network adapters, right click on the network adapter of your device and select Properties.
3. Select Power Management tab from the pop-up dialog box and uncheck the item Allow the computer to turn off this device to save power.
4. Click OK to save the changes.
Method 2: Disable Non-Microsoft Services
Some programs or services can affect the Windows 10 airplane mode. You could try to disable some non-Microsoft services to fix the issue. If you happen to know the program, disable it directly. If not, it may take some time to figure it out.
1. Use Windows shortcut keys Win + R to launch Run.
2. Type msconfig into the box and press Enter.
3. Select the Services tab, check Hide all Microsoft services and click the Disable button. Then click Apply.
4. Select the Startup tab, click Open Task Manager.
5. Select Startup tab from the new pop-up dialog and disable all the startup items.
You need to reboot the computer and re-enable the services you’ve disabled one by one to find out the problematic services or programs that result in the Windows 10 airplane mode error. Once you figure them out, disable them again.
Method 3: Update or Reinstall the Network Adapter Drivers
Problematic drivers can bring about Windows 10 airplane mode errors and other Windows 10 issues, so it is necessary to fix the network adapter drivers on Windows 10.