Was Your Linux File Hacked? Learn How to Find Out Using Auditd

Ensuring that files are accessed or modified by authorized users is critical for maintaining system security. Auditd, the Linux Auditing System, provides powerful tools to monitor and log these activities. This guide will help you set up Auditd to track who accessed or modified files on your Linux system.
Installing and Starting Auditd
First, ensure Auditd is installed on your system. For Debian-based distributions, use:
sudo apt-get install auditd
Start and enable Auditd with the following commands:
sudo systemctl start auditd
sudo systemctl enable auditd
Configuring File Monitoring
To monitor a specific file, such as /var/log/auth.log, you need to set up an audit rule. Use the following command to track access and modifications:
sudo auditctl -w /var/log/auth.log -p rwa -k auth_log_monitor
-w: Specifies the file to watch.
-p rwa: The permissions to watch: read, write, and attribute changes.
-k: Assigns a key (here auth_log_monitor) so the matching events can be filtered with ausearch -k.
Example: Tracking Access and Modifications to a File
To monitor a file like pradeep.txt, use:
sudo auditctl -w /home/ubuntu/pradeep.txt -p rwa -k pradeep_txt
This command will log every read, write, and attribute change to that file, together with the user and process responsible.
Simulating File Access and Modification
Append a line to the file, which the rule records as a write:
echo "New content" >> /home/ubuntu/pradeep.txt
Viewing Audit Logs
Search the audit log by the key assigned to the rule:
sudo ausearch -k pradeep_txt
Each matching event includes, among other fields:
UID: The User ID of the user who accessed or modified the file.
Command: The command (process) that performed the action.
Timestamp: The date and time of the access or modification.
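The script below is an added example written for this guide, not code from the original article or from the auditd project. It turns the plain (uninterpreted) output of sudo ausearch -k pradeep_txt into one line per event, so you can see at a glance who touched the file, from which process, and when. It makes two things visible that the field list above does not: the uid in the SYSCALL record is the effective user, which becomes 0 after sudo, while auid is the login UID that survives sudo and su, so auid is the field that actually answers "who"; and for an append such as echo >> file the recorded process is the shell itself, because bash opens the file for the redirection. The audit records embedded in the script are constructed for the example (serial numbers, inodes, PIDs and addresses are made up); on a real host, pipe the ausearch output into summarize_audit instead.

One caveat on the rule itself: a watch added with auditctl -w does not survive a reboot. To make it persistent, put the same rule line in a file under /etc/audit/rules.d/ (for example /etc/audit/rules.d/pradeep_txt.rules, an assumed file name) and load it with sudo augenrules --load, then confirm it is active with sudo auditctl -l.

```shell
#!/bin/sh
# Added example, not from the original article: summarise who touched a watched file.
# Input: the uninterpreted output of `sudo ausearch -k pradeep_txt` on stdin.
# Each event starts with a "time->" line, followed by records that share one serial
# in msg=audit(SECS.MS:SERIAL). The SYSCALL record carries uid (effective user during
# the call) and auid (login UID, which survives sudo and su), comm/exe (the process),
# success and key; PATH records carry the file name.
# Output: one line per event, fields separated by "|".

summarize_audit() {
  awk '
    # Value of "name=value" (value optionally quoted) in the current record, or "-".
    function field(name,    i, v) {
      for (i = 1; i <= NF; i++) {
        if (index($i, name "=") == 1) {
          v = substr($i, length(name) + 2)
          gsub(/"/, "", v)
          return v
        }
      }
      return "-"
    }
    # Serial from $2, e.g. "msg=audit(1718022896.123:456):" -> "456".
    # Remembers first-seen order and the time-> line that preceded the event.
    function event_id(    s) {
      s = $2
      sub(/^msg=audit\([0-9.]*:/, "", s)
      sub(/\).*$/, "", s)
      if (!(s in seen)) { seen[s] = 1; order[++n] = s; when[s] = cur_time }
      return s
    }
    /^time->/ { cur_time = substr($0, 7); next }
    $1 == "type=PATH" {
      id = event_id()
      # openat() with O_CREAT also logs the parent directory (nametype=PARENT); keep the file itself
      if (field("nametype") != "PARENT") path[id] = field("name")
      next
    }
    $1 == "type=SYSCALL" {
      id = event_id()
      auid[id] = field("auid"); uid[id] = field("uid"); comm[id] = field("comm")
      exe[id] = field("exe"); ok[id] = field("success"); akey[id] = field("key")
      next
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        printf "%s|%s|auid=%s|uid=%s|comm=%s|exe=%s|success=%s|key=%s|path=%s\n",
          id, when[id], auid[id], uid[id], comm[id], exe[id], ok[id], akey[id], path[id]
      }
    }
  '
}

# Constructed sample (not captured from a real host): two events on /home/ubuntu/pradeep.txt.
# Event 456: user ubuntu (auid=1000) appends with `echo "New content" >> ...`; bash itself
#            opens the file for the redirection, so comm/exe are bash.
# Event 470: the same login user runs `sudo cat ...`; uid is 0 but auid still says 1000.
SAMPLE_AUDIT=$(cat <<'EOF'
----
time->Mon Jun 10 12:34:56 2024
type=PROCTITLE msg=audit(1718022896.123:456): proctitle="bash"
type=PATH msg=audit(1718022896.123:456): item=1 name="/home/ubuntu/pradeep.txt" inode=262145 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1718022896.123:456): item=0 name="/home/ubuntu/" inode=262144 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1718022896.123:456): cwd="/home/ubuntu"
type=SYSCALL msg=audit(1718022896.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1e8b2a2b0 a2=441 a3=1b6 items=2 ppid=2001 pid=2044 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined key="pradeep_txt"
----
time->Mon Jun 10 12:40:02 2024
type=PROCTITLE msg=audit(1718023202.517:470): proctitle=636174002F686F6D652F7562756E74752F707261646565702E747874
type=PATH msg=audit(1718023202.517:470): item=0 name="/home/ubuntu/pradeep.txt" inode=262145 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1718023202.517:470): cwd="/root"
type=SYSCALL msg=audit(1718023202.517:470): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c1e4f30 a2=0 a3=0 items=1 ppid=2101 pid=2102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="pradeep_txt"
EOF
)

# Run the summary over the constructed sample; on a real host pipe
# `sudo ausearch -k pradeep_txt | summarize_audit` instead.
audit_demo() {
  printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
}

audit_demo
```

Each output line reads serial|time|auid|uid|comm|exe|success|key|path. In the second event uid=0 looks like "root did it", but auid=1000 shows the session was started by the ubuntu account, which is why any "who touched this file" report should be keyed on auid rather than uid.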
Conclusion
Auditd is a robust tool for tracking file access and modifications on Linux. By setting up appropriate rules, you can effectively monitor who is accessing or altering your files, ensuring better security and accountability. Regularly reviewing these logs helps maintain a secure and well-managed system.