May 9, 2012
tom

Is there a way to log who upload or change a spesific file? (centos)

Question

There is a file that keeps infected with this code. I can’t figure out why. So I want to log who upload or change the file. Is there a way to log who upload or change a spesific file?

PS: There is no FTP login. We only use SSH and Plesk.

Asked by nahha

Answer

Yes, there is. The audit subsystem has some pretty neat accounting features.

Running the following command will audit changes to the file:

auditctl -w /my/specificly/modified/file.txt -p w -k "suspect file change"

This will setup a watch on this file, whenever it is modified by a write the change will be logged, and be logged quite extensively.

You can check the logs doing:

ausearch -i -k "suspect file change"

This will return output such as:

type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=1 name=/tmp/test.txt inode=5767528 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=0 name=/tmp/ inode=5767169 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 
type=CWD msg=audit(05/08/2012 17:32:32.353:13118) :  cwd=/home/matthew/Testbed/C/fanotify 
type=SYSCALL msg=audit(05/08/2012 17:32:32.353:13118) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xb540c0 a2=0x0 a3=0x7fff50cfba20 items=2 ppid=13699 pid=2773 auid=matthew uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=rm exe=/usr/bin/rm subj=staff_u:sysadm_r:sysadm_t:s0 key=some file 

If you want something stronger, you can go for something that, say watches for any deletions by a user not normally inclined to do that. For performance the more specific the rule the better..

auditctl -a exit,always -F arch=b64 -S unlink -S rmdir -F auid=78 -F dir=/var/www/vhost

The -F defines the filters and the -S defines the syscalls, the more filters the less intensive it is on the kernel to track it. So in this case I filter on the user (apache), the vhosts directory and arch. Arch becomes important b64 being 64 bit b32 for 32 bit.

You can set these up long-term by putting the rules in /etc/audit.rules.

Answered by MIfe

Related posts:

  1. Change syslog log file’s owner/group?
  2. How do I change timezone in centos 6.2?
  3. Anonymous FTP upload on CentOS 5.2
  4. ftp upload / how to change permissions / ownership “automagically”?
  5. Limit vsftpd upload to a given set of file-names

Leave a comment