The blame game: Who deleted that file? Working with auditd

I recently had an issue where a file kept disappearing and I couldn’t explain why. Without anything to blame it on, I searched for a way to log changes to a file and quickly found audit. Audit is quite extensive and can capture a vast array of information; I’m only interested in monitoring a specific file here. This is for Red Hat based systems.

First you’ll need to install audit if it isn’t already;

yum install audit

Check the service is running (on RHEL 7 and later use systemctl status auditd)…

service auditd status

Let’s create a dummy file to monitor…

echo "Please don't delete me\!" > /path/to/file/rhys.txt;

Add a rule to audit the file. -w sets a watch on the path and -k attaches the key *whodeletedmyfile* to every record the watch generates, which is what we’ll search on later. Without -p the watch records every kind of access to the file (read, write, execute and attribute change); -p can narrow that down if the file is busy. Note that a rule added with auditctl lasts only until auditd is restarted or the machine reboots; to make it permanent, put the same rule (without the auditctl prefix) in /etc/audit/audit.rules, or in a file under /etc/audit/rules.d/ on RHEL 7 and later.

auditctl -w /path/to/file/rhys.txt -k whodeletedmyfile

You can search for any records carrying that key with (-i interprets numeric UIDs and syscall numbers into names);

ausearch -i -k whodeletedmyfile

Adding the rule is itself logged as a CONFIG_CHANGE record, so straight after adding it you’ll see;

----
type=CONFIG_CHANGE msg=audit(02/02/2017 13:09:59.967:226727) : auid=user@domain.local ses=12425 op="add rule" key=whodeletedmyfile list=exit res=yes

Now let’s delete the file and search the audit log again;

rm /path/to/file/rhys.txt && ausearch -i -k whodeletedmyfile

We’ll see the following information;

----
type=CONFIG_CHANGE msg=audit(02/02/2017 13:09:59.967:226727) : auid=user@domain.local ses=12425 op="add rule" key=whodeletedmyfile list=exit res=yes
----
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=1 name=/path/to/file/rhys.txt inode=42 dev=fd:04 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=0 name=/path/to/file/ inode=28 dev=fd:04 mode=dir,700 ouid=user@domain.local ogid=user@domain.local rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/02/2017 13:10:26.939:226735) :  cwd=/root
type=SYSCALL msg=audit(02/02/2017 13:10:26.939:226735) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xf9a0c0 a2=0x0 a3=0x0 items=2 ppid=27157 pid=27604 auid=user@domain.local uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=12425 comm=rm exe=/bin/rm key=whodeletedmyfile

The SYSCALL record is the one that answers the question. auid is the login UID, set when the user first logged in and kept across su and sudo, whereas uid and euid show who the process was actually running as. Here auid=user@domain.local with uid=root, so user@domain.local switched to root before running rm (comm=rm, exe=/bin/rm, from a terminal at tty=pts0). The PATH record with nametype=DELETE names the file that went, and every record of the event carries the same event ID (226735 here), which is how ausearch groups them together. ses=12425 also matches the session that added the rule.
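Reading those records by eye is fine for one file, but it gets tedious once a watch fires more than a handful of times. As an added example (not from the original post), here is a small shell helper that reduces ausearch -i output to one line per deletion by joining each event’s PATH record with nametype=DELETE to its SYSCALL record on the shared event ID. The function name who_deleted and the output format are my own, and the records it reads are a constructed copy of the interpreted output shown above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: reduce `ausearch -i -k <key>`
# output to one line per deletion, joining each event's PATH record with
# nametype=DELETE to its SYSCALL record (same audit(...) event id).
# Feed it real output with:  ausearch -i -k whodeletedmyfile | who_deleted

who_deleted() {
    awk '
    # Pull "key=value" out of a record. The leading space stops "uid" from
    # matching inside "auid", "euid" or "fsuid", and "pid" inside "ppid".
    function field(rec, key,    re, m) {
        re = " " key "=[^ ]+"
        if (match(rec, re)) {
            m = substr(rec, RSTART, RLENGTH)
            re = "^ " key "="
            sub(re, "", m)
            return m
        }
        return ""
    }
    /^type=/ {
        # Event id is the text inside audit(...): "date time.ms:serial".
        if (!match($0, /audit\([^)]*\)/)) next
        ev = substr($0, RSTART + 6, RLENGTH - 7)
        if ($0 ~ /^type=PATH / && field($0, "nametype") == "DELETE")
            gone[ev] = field($0, "name")
        if ($0 ~ /^type=SYSCALL /) {
            sc = field($0, "syscall")
            if (sc ~ /^(unlink|unlinkat|rename|renameat|renameat2)$/) {
                w = field($0, "auid") " as uid=" field($0, "uid")
                w = w " via " field($0, "exe") " pid=" field($0, "pid")
                w = w " tty=" field($0, "tty") " success=" field($0, "success")
                who[ev] = w
                order[++n] = ev
            }
        }
    }
    END {
        # Only events that have both a DELETE path and a matching syscall.
        for (i = 1; i <= n; i++) {
            ev = order[i]
            if (ev in gone) print ev " " gone[ev] " deleted by " who[ev]
        }
    }'
}

# Constructed sample: the interpreted records shown earlier in this post.
SAMPLE='----
type=CONFIG_CHANGE msg=audit(02/02/2017 13:09:59.967:226727) : auid=user@domain.local ses=12425 op="add rule" key=whodeletedmyfile list=exit res=yes
----
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=1 name=/path/to/file/rhys.txt inode=42 dev=fd:04 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/02/2017 13:10:26.939:226735) : item=0 name=/path/to/file/ inode=28 dev=fd:04 mode=dir,700 ouid=user@domain.local ogid=user@domain.local rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/02/2017 13:10:26.939:226735) :  cwd=/root
type=SYSCALL msg=audit(02/02/2017 13:10:26.939:226735) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xf9a0c0 a2=0x0 a3=0x0 items=2 ppid=27157 pid=27604 auid=user@domain.local uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=12425 comm=rm exe=/bin/rm key=whodeletedmyfile'

printf '%s\n' "$SAMPLE" | who_deleted
```

The helper keys on auid rather than uid on purpose: uid tells you the process was root, auid tells you which login that root shell belongs to. It also keeps success=, since a failed unlink (a permission denied, say) still produces a record and is often just as interesting as the one that worked.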

You can remove the watch on the file with;

auditctl -W /path/to/file/rhys.txt -k whodeletedmyfile

You can list the configured rules, watches included, with…

auditctl -l
