Hello,
I need to monitor a few directory trees to detect if any file or directory permissions change. Also to see if the user or group ownership changes.
What is the easiest way to achieve this?
Thanks for your advice,
Michael
Hm, I have no idea if there are software packages designed for this. You could search online for integrity checking tools, that scan the filesystem for changes. Perhaps one out there also monitors the owner or permissions changes.
If you want a super-simple solution, use a shell script like the following:
Code:
#!/bin/bash
# filename: check-owners.sh
# needs bash: uses ${var//pattern/replacement} and local

# PARSE INPUT
CO_INPUT="$( readlink -f "${1:-.}" 2>/dev/null )" # read first parameter given, or use $PWD
CO_TMPFILE="$( mktemp )"
test -z "${CO_OUTPUT}" && \
   CO_OUTPUT="/var/cache/check-owners/co${CO_INPUT//\//.}.db.gz" # use directory-specific database file
test ! -e "$( dirname "${CO_OUTPUT}" )" && \
   mkdir -p "$( dirname "${CO_OUTPUT}" )" # make the cache directory for the databases

# DEBUG
test -n "${CO_DEBUG}" && echo "Checking directory ${CO_INPUT}" 1>&2 # set CO_DEBUG to any value to get debugging info on stderr

# FUNCTIONS
scan_dir() {
   # call: scan_dir "${CO_INPUT}"
   # output: uid,user,gid,group,octal mode,path for every file and directory in the tree, sorted by path
   local td="${1}"
   find "${td}" -exec stat -L -c '%u,%U,%g,%G,%a,%n' {} + 2>/dev/null | sort -t ',' -k6
}

clean_co() {
   # remove tempfiles
   rm -f "${CO_TMPFILE}"
}

# TRAPS
# ignore broken pipes, because we still want to update the database file
trap '' 13 # SIGPIPE
# regular traps (single quotes, so $? is read when the trap fires rather than when it is set)
trap '__ec=$? ; clean_co ; trap "" 0 1 2 3 4 5 6 7 8 9 10 11 12 14 15 16 17 18 19 20 ; exit ${__ec} ;' 0 1 2 3 4 5 6 7 8 9 10 11 12 14 15 16 17 18 19 20 # clean up when exiting

# MAIN
if test -z "$( zcat "${CO_OUTPUT}" 2>/dev/null | head -n3 )" ; then
   # database is empty so write it the first time
   test -n "${CO_DEBUG}" && echo "Initializing database \"${CO_OUTPUT}\" during this run..." 1>&2
   scan_dir "${CO_INPUT}" | tee "/proc/$$/fd/1" | gzip > "${CO_OUTPUT}"
else
   # not empty
   test -n "${CO_DEBUG}" && echo "Comparing ${CO_INPUT} to database ${CO_OUTPUT}" 1>&2
   # learn current status
   scan_dir "${CO_INPUT}" > "${CO_TMPFILE}"
   # compare to database: left column is the stored state, right column is the current state
   zcat "${CO_OUTPUT}" | diff -W300 --suppress-common-lines -y "-" "${CO_TMPFILE}"
   # replace database
   gzip < "${CO_TMPFILE}" > "${CO_OUTPUT}"
fi

# EXIT
true
I get sample output like this:
Code:
# CO_DEBUG=1 /home/bgstack15/dev/check-owners.sh .
Checking directory /usr/src/debug
Comparing /usr/src/debug to database /var/cache/check-owners/co.usr.src.debug.db.gz
0,root,0,root,400,/usr/src/debug/foo | 0,root,0,root,600,/usr/src/debug/foo
This shows that I ran chmod 0600 foo between runs.
Last edited by bgstack15; 9th August 2018 at 02:49 PM.
bgstack15, Very nice!
I noticed Redhat has an auditing package. It looks very good. Info on it here.
I wonder if it has a lot of overhead though. Anyone know?
Info if you can't get to the link (snippet):
How to monitor permission, ownership or any other change to a particular directory or file
Solution Verified - Updated August 3 2017 at 10:41 PM - English
Environment
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Issue
How to monitor the permission change and ownership change of a particular directory or file?
How to configure auditd to find how a file was modified in Red Hat Enterprise Linux?
What tool can audit files at a directory level?
How do I monitor files or directories using auditd in Red Hat Enterprise Linux ?
How do I monitor a file or directory to see which user or program has accessed or modified data ?
Resolution
The Linux Audit system (audit package) can be used to accomplish this task.
Ensure the auditd service is running, and set to start on boot with chkconfig auditd on
Set a watch on the required file to be monitored by using the auditctl command:
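As an added example (not code from the thread or from the Red Hat article; the rule key name perm_mod and the sample audit records are constructed for it): syscall rules that select only chmod/chown calls under a directory tree, and an awk report that joins the SYSCALL, CWD and PATH records of each event so the output says which login user and command changed which path.

```shell
#!/bin/bash
# Added example: audit rules for permission/ownership changes under a tree,
# plus a report that pairs the SYSCALL, CWD and PATH records auditd writes per
# event. Key name "perm_mod" and the sample records below are constructed.

# Rules for /etc/audit/rules.d/perm-mod.rules (or load with: auditctl -R file).
# "-w dir -p a" also reports attribute changes; these select only chmod/chown.
perm_mod_rules() {
    local dir="$1"
    cat <<EOF
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F dir=${dir} -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F dir=${dir} -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F dir=${dir} -k perm_mod
-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F dir=${dir} -k perm_mod
EOF
}

# Read raw records (audit.log, or `ausearch -k perm_mod --raw`) on stdin and
# print one line per changed path: <serial> <comm> auid=<n> <path> mode=... owner=uid:gid
perm_mod_report() {
    awk '
    function field(s, k,  v) {              # value of " k=..." in record s, quotes stripped
        if (!match(s, " " k "=[^ ]*")) return ""
        v = substr(s, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
        gsub(/"/, "", v); return v
    }
    { id = $2; sub(/^msg=audit\([0-9.]*:/, "", id); sub(/\):$/, "", id) }   # serial from msg=audit(secs:serial):
    /^type=SYSCALL/ { comm[id] = field($0, "comm"); auid[id] = field($0, "auid"); key[id] = field($0, "key") }
    /^type=CWD/     { cwd[id] = field($0, "cwd") }
    /^type=PATH/ && key[id] == "perm_mod" && field($0, "nametype") != "PARENT" {
        p = field($0, "name"); if (p !~ /^\//) p = cwd[id] "/" p   # relative name: prefix the CWD record
        printf "%s %s auid=%s %s mode=%s owner=%s:%s\n", id, comm[id], auid[id], p, field($0, "mode"), field($0, "ouid"), field($0, "ogid")
    }'
}

# Constructed sample: root (login uid 1000) ran "chmod 0600 foo" inside /usr/src/debug.
SAMPLE_LOG='type=SYSCALL msg=audit(1533830130.123:4242): arch=c000003e syscall=90 success=yes exit=0 a0=55d1 a1=180 a2=0 a3=0 items=1 ppid=3001 pid=3002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1533830130.123:4242): cwd="/usr/src/debug"
type=PATH msg=audit(1533830130.123:4242): item=0 name="foo" inode=131 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1533830130.123:4242): proctitle=63686D6F6420303630302066'

demo_report() { printf '%s\n' "$SAMPLE_LOG" | perm_mod_report; }

perm_mod_rules /usr/src/debug
demo_report
```

The report works equally on the live log (`perm_mod_report < /var/log/audit/audit.log`); the auid field is the login user even when the change was made through sudo.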
That's just the regular auditd daemon. My environment runs it, but for my team its output is hardly useful. It looks incredibly verbose, because it live-monitors what the system is doing. I don't think it is process-intensive, so if it provides the exact output you're looking for, go for it!
I wrote a program that can produce a listing. A sample few lines follow.
Code:
Host=rfr28 |<----Date----->| <----Hash--------------------->|<- Bytes >|
/scratch/bin @ 20180809-123530
soxprepdup |20180809-000754|ad5fe0d0e4671a9e8682f1755b7e098b| 10488|/scratch/bin
soxdircmp |20180809-000754|3cd6f37864a11c0c4466e0a01946e80e| 35256|/scratch/bin
soxdircrc |20180809-000754|6b231360e028d809b8620dd1d86fc58c| 39464|/scratch/bin
adoc |20180725-111416|18d480ac91c0bd5252a8e541adc23acc| 414|/scratch/bin
ISO |20180507-091355|6118f4d5d5b61b434e6bb56c2a4a715d| 168|/scratch/bin
rsyncSims.sh |20180724-181235|9b707853e87b60ba8de59374338278da| 323|/scratch/bin
rsyncIomega.sh |20180718-120613|d7859a505ec73db6ea60c46c835c0db8| 1507|/scratch/bin
rsyncScratchToSeagate.sh |20180805-015025|5652cf56b8b6e9e5ac19c964b292dc0a| 567|/scratch/bin
soxsha1 |20180809-000754|1248ed20361b9d296ae7f5360dd95013| 14568|/scratch/bin
soxdirmd5.ini |20180809-000754|ec878770850b9994d0694bebf18f990e| 955|/scratch/bin
rsync.sh |20180805-015025|494dd51d99db5d894b335aef784e4081| 164|/scratch/bin
I created the above listing to help visualize what I collect. My scan was targeting production application code and constant data.
Here is what I actually stored within my program.
I hash the filename to an unsigned integer.
I use the timestamp based on the file's date/time as stored by Linux
I use the sha1sum type of scan to create a hash of the file contents. You could use md5sum
I have the file size and the hashed value for the directory. In practice, any change in a file's size or contents is detected by the sha1sum function.
For my needs, I did not need to remember owner/group or rwx attributes, though these could be added.
My print function is recursive (it will process subdirectories). I did register symbolic links but did not traverse them.
My database was fairly small as I hash most values including directory names.
bytes
====
4=filename
4=timestamp
20=sha1sum or 16 bytes for md5sum checksums of the file's contents. I would not use crc32 checksum
4 for directory path hash
I do a memcmp() against previous and collected strings of bytes representing one line of the listing, and record changes.
The code was written to comply with Canada's Sarbanes-Oxley law about accountability. (I had to prove there were no unauthorized changes.) Any change I detected had to have an audited change request form. The auditors had the sha1sum of the file being placed into production as new or a fix, or of a file being removed.
Linux does allow you to set up security traps for any changes to a directory's contents. You can also impose access rights rules in addition to controlling a file's access via user/group.
Best to use a simple solution. The program to produce the listing is available on request.
Leslie in Montreal
Interesting web sites list
http://forums.fedoraforum.org/showth...40#post1697840
We get too soon old, and too late smart!