Tell what executable caused a filesystem change

Auditd lets you put a labeled watch on a file or directory. Every matching access is logged together with the process that caused it: the executable (exe and comm), pid, ppid, login uid (auid), uid/gid, tty and session, plus the affected path.

To create a labeled watch, run the following command. Use whatever label you like with -k; it is the key you will later search the log by. Note that the shell expands $HOME before sudo runs, so the watch lands in the invoking user's home (in the output below that is /home/megamorf/audit_test):

sudo auditctl -w $HOME/audit_test -k who_touched_my_folder

If you don't specify which permissions to monitor, auditd monitors all of them (-p rwxa). Use the optional -p parameter to limit the watch to specific access types:

  • r to monitor read accesses to a file or a directory,
  • w to monitor write accesses,
  • x to monitor execute accesses,
  • and a to monitor changes of the file's or directory's attributes.

When the question is "who changed this", -p wa is usually what you want; r on a busy directory generates a log entry for every listing and open and fills the audit log quickly.

Then, once the files or folders you are interested in have been touched, search the log by the key:

sudo ausearch -k who_touched_my_folder

Example output. ausearch -k also returns auditd's own CONFIG_CHANGE records for removing and adding the rule (together with auditctl's netlink sendto syscall, which carries key=(null)), so the real file events only start at serial 280. The PROCTITLE value is hex-encoded because argv entries are NUL-separated; ausearch -i decodes it, along with uids and syscall numbers, into readable text:

----
time->Fri Jun 26 14:17:15 2020
type=PROCTITLE msg=audit(1593173835.719:156): proctitle=617564697463746C002D57002F686F6D652F6D6567616D6F72662F61756469745F74657374002D700072777861002D6B0077686F5F746F75636865645F6D795F666F6C646572
type=SOCKADDR msg=audit(1593173835.719:156): saddr=100000000000000000000000
type=SYSCALL msg=audit(1593173835.719:156): arch=c000003e syscall=44 success=yes exit=1104 a0=4 a1=7fff5fcdace0 a2=450 a3=0 items=0 ppid=3262110 pid=3262111 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8696 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1593173835.719:156): auid=1000 ses=8696 op=remove_rule key="who_touched_my_folder" list=4 res=0
----
time->Fri Jun 26 14:18:51 2020
type=CONFIG_CHANGE msg=audit(1593173931.337:195): auid=1000 ses=8696 op=add_rule key="who_touched_my_folder" list=4 res=1
----
time->Fri Jun 26 14:19:45 2020
type=PROCTITLE msg=audit(1593173985.558:221): proctitle=617564697463746C002D57002F686F6D652F6E656D2F61756469745F74657374002D6B0077686F5F746F75636865645F6D795F666F6C646572
type=SOCKADDR msg=audit(1593173985.558:221): saddr=100000000000000000000000
type=SYSCALL msg=audit(1593173985.558:221): arch=c000003e syscall=44 success=yes exit=1100 a0=4 a1=7ffea1c20dd0 a2=44c a3=0 items=0 ppid=3262332 pid=3262333 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8696 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1593173985.558:221): auid=1000 ses=8696 op=remove_rule key="who_touched_my_folder" list=4 res=1
----
time->Fri Jun 26 14:24:21 2020
type=CONFIG_CHANGE msg=audit(1593174261.415:270): auid=1000 ses=8696 op=remove_rule key="who_touched_my_folder" list=4 res=0
----
time->Fri Jun 26 14:24:26 2020
type=CONFIG_CHANGE msg=audit(1593174266.963:277): auid=1000 ses=8696 op=add_rule key="who_touched_my_folder" list=4 res=1
----
time->Fri Jun 26 14:24:40 2020
type=PROCTITLE msg=audit(1593174280.140:280): proctitle=746F756368002F686F6D652F6E656D2F61756469745F746573742F495F73686F756C645F6E6F745F65786973742E747874
type=PATH msg=audit(1593174280.140:280): item=1 name="/home/megamorf/audit_test/I_should_not_exist.txt" inode=1702746 dev=fd:00 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1593174280.140:280): item=0 name="/home/megamorf/audit_test/" inode=1702057 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174280.140:280): cwd="/home/megamorf"
type=SYSCALL msg=audit(1593174280.140:280): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffcd5d6bd26 a2=941 a3=1b6 items=2 ppid=3259291 pid=3266946 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="touch" exe="/usr/bin/touch" key="who_touched_my_folder"
----
time->Fri Jun 26 14:25:09 2020
type=PROCTITLE msg=audit(1593174309.488:281): proctitle=6D6B646972002D70002F686F6D652F6E656D2F61756469745F746573742F666F6F002F686F6D652F6E656D2F61756469745F746573742F626172
type=PATH msg=audit(1593174309.488:281): item=1 name="foo" inode=262121 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1593174309.488:281): item=0 name="/home/megamorf/audit_test" inode=1702057 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174309.488:281): cwd="/home/megamorf/audit_test"
type=SYSCALL msg=audit(1593174309.488:281): arch=c000003e syscall=83 success=yes exit=0 a0=7ffeec7c4d35 a1=1ff a2=0 a3=7f689b24a640 items=2 ppid=3259291 pid=3266982 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="mkdir" exe="/usr/bin/mkdir" key="who_touched_my_folder"
----
time->Fri Jun 26 14:25:09 2020
type=PROCTITLE msg=audit(1593174309.488:282): proctitle=6D6B646972002D70002F686F6D652F6E656D2F61756469745F746573742F666F6F002F686F6D652F6E656D2F61756469745F746573742F626172
type=PATH msg=audit(1593174309.488:282): item=1 name="bar" inode=262122 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1593174309.488:282): item=0 name="/home/megamorf/audit_test" inode=1702057 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174309.488:282): cwd="/home/megamorf/audit_test"
type=SYSCALL msg=audit(1593174309.488:282): arch=c000003e syscall=83 success=yes exit=0 a0=7ffeec7c4d4e a1=1ff a2=0 a3=7f689b24a640 items=2 ppid=3259291 pid=3266982 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="mkdir" exe="/usr/bin/mkdir" key="who_touched_my_folder"
----
time->Fri Jun 26 14:25:26 2020
type=PROCTITLE msg=audit(1593174326.808:283): proctitle="-bash"
type=PATH msg=audit(1593174326.808:283): item=0 name="/home/megamorf/audit_test/" inode=1702057 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174326.808:283): cwd="/home/megamorf"
type=SYSCALL msg=audit(1593174326.808:283): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e3344c59c0 a2=90800 a3=0 items=1 ppid=3259291 pid=3267026 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="bash" exe="/usr/bin/bash" key="who_touched_my_folder"
----
time->Fri Jun 26 14:25:30 2020
type=PROCTITLE msg=audit(1593174330.665:284): proctitle=726D002F686F6D652F6E656D2F61756469745F746573742F495F73686F756C645F6E6F745F65786973742E747874
type=PATH msg=audit(1593174330.665:284): item=1 name="/home/megamorf/audit_test/I_should_not_exist.txt" inode=1702746 dev=fd:00 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1593174330.665:284): item=0 name="/home/megamorf/audit_test/" inode=1702057 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174330.665:284): cwd="/home/megamorf"
type=SYSCALL msg=audit(1593174330.665:284): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55de9829e4d0 a2=0 a3=0 items=2 ppid=3259291 pid=3267027 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="rm" exe="/usr/bin/rm" key="who_touched_my_folder"

The same events as a one-line-per-file report (-f selects the file report, -i interprets numeric fields such as auid into names):

$ sudo ausearch -k who_touched_my_folder | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 26.06.2020 14:24:40 /home/megamorf/audit_test/I_should_not_exist.txt openat yes /usr/bin/touch nem 280
2. 26.06.2020 14:25:09 foo mkdir yes /usr/bin/mkdir nem 281
3. 26.06.2020 14:25:09 bar mkdir yes /usr/bin/mkdir nem 282
4. 26.06.2020 14:25:26 /home/megamorf/audit_test/ openat yes /usr/bin/bash nem 283
5. 26.06.2020 14:25:30 /home/megamorf/audit_test/I_should_not_exist.txt unlinkat yes /usr/bin/rm nem 284
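The raw records above and the aureport summary answer the same question from two directions: the SYSCALL line names the process, the PATH lines name what it touched, and the serial in msg=audit(...:serial) ties them together. As an added example (this is not code from the original page), the Python script below does that join itself: it groups raw ausearch records by serial, decodes the hex PROCTITLE, resolves relative PATH names such as "foo" against the CWD record, drops the CONFIG_CHANGE/auditctl noise, and prints one line per file event with exe, pid/ppid, uid and the entry created, deleted or opened. The sample input is a trimmed copy of the output shown on this page; the syscall-number table is a partial x86_64 table assumed for the example.

```python
"""Reduce raw `ausearch -k <key>` output to who-did-what per audit event.
Added example, not part of the original page; standard library only. SAMPLE is
a trimmed copy of the ausearch output shown on the page, so this runs offline:
    sudo ausearch -k who_touched_my_folder --raw | python3 who_touched.py
"""
import posixpath
import re
import sys

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd hex-encodes when the value holds NUL bytes or odd characters
# (proctitle always, since argv entries are NUL-separated).
HEX_FIELDS = {"proctitle", "name", "cwd", "comm", "exe", "key"}
# Partial x86_64 (arch=c000003e) table, an assumption for this example: the
# numbers seen on the page plus a few other file-changing calls. For the full
# table on your box use `ausyscall --dump`.
SYSCALL_X86_64 = {2: "open", 44: "sendto", 82: "rename", 83: "mkdir", 84: "rmdir",
                  87: "unlink", 90: "chmod", 92: "chown", 257: "openat",
                  263: "unlinkat", 264: "renameat", 268: "fchmodat", 316: "renameat2"}

def decode_value(field, raw):
    """Strip quotes; for HEX_FIELDS turn an unquoted hex blob back into text,
    with the NUL argv separators replaced by spaces."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw

def parse_fields(body):
    return {m.group(1): decode_value(m.group(1), m.group(2)) for m in FIELD_RE.finditer(body)}

def parse_events(text):
    """Group records by audit serial: one dict per record type (SYSCALL, CWD,
    PROCTITLE, CONFIG_CHANGE, ...) plus a list of PATH items."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:                      # "----", "time->..." and blank lines
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"serial": int(serial), "time": float(ts), "paths": []})
        if rtype == "PATH":
            ev["paths"].append(parse_fields(body))
        else:
            ev.setdefault(rtype, {}).update(parse_fields(body))
    return list(events.values())

def summarize(text, key):
    """One summary per file event tagged with `key`. CONFIG_CHANGE records and
    auditctl's own netlink sendto (key=(null)), which `ausearch -k` returns as
    well, have no SYSCALL record with that key and are dropped."""
    out = []
    for ev in parse_events(text):
        sc = ev.get("SYSCALL")
        if not sc or sc.get("key") != key:
            continue
        nr, cwd = int(sc["syscall"]), ev.get("CWD", {}).get("cwd", "")
        paths = []
        for p in ev["paths"]:
            if p.get("nametype") == "PARENT":       # the directory, not the entry touched
                continue
            name = p.get("name", "")                # relative names (mkdir -p logs "foo") are relative to CWD
            paths.append((name if name.startswith("/") else posixpath.join(cwd, name), p.get("nametype")))
        out.append({"serial": ev["serial"], "time": ev["time"],
                    "syscall": SYSCALL_X86_64.get(nr, str(nr)) if sc.get("arch") == "c000003e" else str(nr),
                    "success": sc.get("success") == "yes", "exe": sc.get("exe"), "comm": sc.get("comm"),
                    "pid": int(sc["pid"]), "ppid": int(sc["ppid"]), "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                    "cwd": cwd, "cmdline": ev.get("PROCTITLE", {}).get("proctitle"), "paths": paths})
    return out

# Constructed input: records copied from the page's ausearch output, trimmed to four events.
SAMPLE = """\
time->Fri Jun 26 14:17:15 2020
type=PROCTITLE msg=audit(1593173835.719:156): proctitle=617564697463746C002D57002F686F6D652F6D6567616D6F72662F61756469745F74657374002D700072777861002D6B0077686F5F746F75636865645F6D795F666F6C646572
type=SYSCALL msg=audit(1593173835.719:156): arch=c000003e syscall=44 success=yes exit=1104 a0=4 a1=7fff5fcdace0 a2=450 a3=0 items=0 ppid=3262110 pid=3262111 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8696 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1593173835.719:156): auid=1000 ses=8696 op=remove_rule key="who_touched_my_folder" list=4 res=0
type=PROCTITLE msg=audit(1593174280.140:280): proctitle=746F756368002F686F6D652F6E656D2F61756469745F746573742F495F73686F756C645F6E6F745F65786973742E747874
type=PATH msg=audit(1593174280.140:280): item=1 name="/home/megamorf/audit_test/I_should_not_exist.txt" inode=1702746 dev=fd:00 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1593174280.140:280): item=0 name="/home/megamorf/audit_test/" inode=1702057 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174280.140:280): cwd="/home/megamorf"
type=SYSCALL msg=audit(1593174280.140:280): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffcd5d6bd26 a2=941 a3=1b6 items=2 ppid=3259291 pid=3266946 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="touch" exe="/usr/bin/touch" key="who_touched_my_folder"
type=PROCTITLE msg=audit(1593174309.488:281): proctitle=6D6B646972002D70002F686F6D652F6E656D2F61756469745F746573742F666F6F002F686F6D652F6E656D2F61756469745F746573742F626172
type=PATH msg=audit(1593174309.488:281): item=1 name="foo" inode=262121 dev=fd:00 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174309.488:281): cwd="/home/megamorf/audit_test"
type=SYSCALL msg=audit(1593174309.488:281): arch=c000003e syscall=83 success=yes exit=0 a0=7ffeec7c4d35 a1=1ff a2=0 a3=7f689b24a640 items=2 ppid=3259291 pid=3266982 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="mkdir" exe="/usr/bin/mkdir" key="who_touched_my_folder"
type=PROCTITLE msg=audit(1593174330.665:284): proctitle=726D002F686F6D652F6E656D2F61756469745F746573742F495F73686F756C645F6E6F745F65786973742E747874
type=PATH msg=audit(1593174330.665:284): item=1 name="/home/megamorf/audit_test/I_should_not_exist.txt" inode=1702746 dev=fd:00 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1593174330.665:284): cwd="/home/megamorf"
type=SYSCALL msg=audit(1593174330.665:284): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55de9829e4d0 a2=0 a3=0 items=2 ppid=3259291 pid=3267027 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=8696 comm="rm" exe="/usr/bin/rm" key="who_touched_my_folder"
"""

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else (sys.stdin.read() or SAMPLE)
    for e in summarize(data, "who_touched_my_folder"):
        print(e["serial"], e["syscall"], f'uid={e["uid"]} pid={e["pid"]} ppid={e["ppid"]}',
              e["exe"], e["paths"], f'[{e["cmdline"]}]')
```

Run without input and it prints the three file events from the sample (touch, mkdir, rm) with the decoded command lines; pipe in ausearch --raw output to use it on a live box. The PATH nametype (CREATE, DELETE, NORMAL) is what distinguishes a created entry from a deleted or merely opened one, which aureport -f does not show; and the decoded proctitle is the full argv, so mkdir -p shows both directories it was asked to create even though each one gets its own audit event.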

List the active auditd rules:

$ sudo auditctl -l
-w /home/megamorf/audit_test -p rwxa -k who_touched_my_folder

Remove the rule. The -W arguments have to describe the rule as it is listed, including the -p permissions that were filled in by default; copying the line printed by auditctl -l and swapping -w for -W is the safe way:

sudo auditctl -W /home/megamorf/audit_test -p rwxa -k who_touched_my_folder

Rules added with auditctl live only until the next reboot or audit restart. To make the watch permanent, put the same -w line into a .rules file under /etc/audit/rules.d/ and load it with augenrules --load.
