Linux – Using auditd to watch a directory non-recursively

auditdcentosfile-permissionslinux

I'm working on a Cent 6 Cpanel machine, and some mystery script is changing the permissions of home directories (!) to 777. I've ruled out all the easy fixes, so I just need to set up a watch on the directory and wait until it happens again.

The trouble is, my current rule:

`auditctl -w /home -pa -k homedir_perm_changes`

is watching the entire home directory recursively, and this partition stores emails and documentroots, so there's entirely too much information.

How can I pare down my rule such that it watches only the directories directly under /home, and not the entire (huge) directory tree beneath it?

Thanks!

Best Answer

It seems like this option is not implemented yet. Might be a technical limitation as system calls on inodes are watched.

Just an idea: You could work around this limitation with a good grep, for example:

ausearch -i -k yourauditkey | grep "name=/etc/ "

(Note the space after /etc/) It is dirty, but should help you, because it crops all subdirectories out of it.

Related Solutions

Linux – File audit in Linux: how to watch directory tree for deletions

This is an answer i wrote to a previous question:

Generally if you wish to know what a process/user/file is doing without having to run lsof against it 24/7 you use auditctl.

Assuming you have a recent-ish kernel audit control should be a simple operation. (This is in Debian-fu, if you're running Red Hat translate as appropriate)
# apt-get install auditd
Make sure that its running (/etc/init.d/auditd status).
auditctl -a entry,always -F arch=b64 -S open -F pid=<process id>
Replace b64 with b32 if you're running 32-bit arch, open can be replaced by any system call or the word 'all'

For more read the auditctl manpage.

You can use this method and ask it to watch for the 'unlink' system call.

The -w parameter is useful for watching files/directories, but the as the man page explains there are caveats.

-w path Insert a watch for the file system object at path. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. This means that if you put a watch on a directory, you will see what appears to be file events, but it is really just the updating of meta data. You might miss a few events by doing this. If you need to watch all files in a directory, its recommended to place an individual watch on each file. Unlike syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel.

Linux SCP – Can SCP Copy Directories Recursively?

Yup, use -r:

scp -rp sourcedirectory user@dest:/path

-r means recursive
-p preserves modification times, access times, and modes from the original file.

Note: This creates the sourcedirectory inside /path thus the files will be in /path/sourcedirectory

Best Answer

Related Solutions

Linux – File audit in Linux: how to watch directory tree for deletions

Linux SCP – Can SCP Copy Directories Recursively?

Related Topic