Detecting File Permission and Ownership Changes
  1. #1
    Join Date
    Nov 2016
    Location
    Cape Canaveral
    Posts
    58
    Windows 7 Firefox 61.0

    Detecting File Permission and Ownership Changes

    Hello,

    I need to monitor a few directory trees to detect if any file or directory permissions change. Also to see if the user or group ownership changes.

    What is the easiest way to achieve this?


    Thanks for your advice,

    Michael

  2. #2
    Join Date
    Dec 2017
    Location
    USA
    Posts
    57
    Windows 7 Firefox 60.0

    Re: Detecting File Permission and Ownership Changes

    Hm, I have no idea if there are software packages designed for this. You could search online for integrity checking tools, that scan the filesystem for changes. Perhaps one out there also monitors the owner or permissions changes.

    If you want a super-simple solution, use a shell script like the following:
    Code:
    #!/bin/bash
    # filename: check-owners.sh
    # bash is required: the script uses ${var//pattern/repl} and 'local'
    
    # PARSE INPUT
    CO_INPUT="$( readlink -f "${1:-.}" 2>/dev/null )"                   # read first parameter given, or use $PWD
    CO_TMPFILE="$( mktemp )"
    test -z "${CO_OUTPUT}" && \
       CO_OUTPUT="/var/cache/check-owners/co${CO_INPUT//\//.}.db.gz"    # use directory-specific database file
    test ! -e "$( dirname "${CO_OUTPUT}" )" && \
       mkdir -p "$( dirname "${CO_OUTPUT}" )"                           # make the cache directory for the databases
    
    # DEBUG
    test -n "${CO_DEBUG}" && echo "Checking directory ${CO_INPUT}" 1>&2 # set CO_DEBUG to any value to get debugging info on stderr
    
    # FUNCTIONS
    scan_dir() {
       # call: scan_dir "${CO_INPUT}"
       # output: one line per file: uid,user,gid,group,octal mode,name (sorted by name)
       local td="${1}"
    
       find "${td}" -exec stat -L -c '%u,%U,%g,%G,%a,%n' {} + 2>/dev/null | sort -t ',' -k6
    }
    
    clean_co() {
       # remove tempfiles
       rm -f "${CO_TMPFILE}"
    }
    
    # TRAPS
    
    # ignore broken pipes, because we still want to update the database file
    trap '' 13 # SIGPIPE
    
    # regular traps
    # single-quoted so that $? and ${__ec} are evaluated when the trap fires, not when it is set
    trap '__ec=$? ; clean_co ; trap "" 0 1 2 3 4 5 6 7 8 9 10 11 12 14 15 16 17 18 19 20 ; exit ${__ec} ;' 0 1 2 3 4 5 6 7 8 9 10 11 12 14 15 16 17 18 19 20  # clean up when exiting
    
    
    echo "DEBUG INFO:"
    ls -l "/proc/$$/fd/1"
    
    # MAIN
    if test -z "$( zcat "${CO_OUTPUT}" 2>/dev/null | head -n3 )" ;
    then
       # database is empty so write it the first time
       test -n "${CO_DEBUG}" && echo "Initializing database \"${CO_OUTPUT}\" during this run..." 1>&2
       scan_dir "${CO_INPUT}" | tee "/proc/$$/fd/1" | gzip > "${CO_OUTPUT}"
    else
       # not empty
       test -n "${CO_DEBUG}" && echo "Comparing ${CO_INPUT} to database ${CO_OUTPUT}"
    
       # learn current status
       scan_dir "${CO_INPUT}" > "${CO_TMPFILE}"
    
       # compare to database
       zcat "${CO_OUTPUT}" | diff -W300 --suppress-common-lines -y "-" "${CO_TMPFILE}"
    
       # replace database
       cat "${CO_TMPFILE}" | gzip > "${CO_OUTPUT}"
    
    fi
    
    # EXIT
    true
    I get sample output like this:
    Code:
    # CO_DEBUG=1 /home/bgstack15/dev/check-owners.sh .
    Checking directory /usr/src/debug
    Comparing /usr/src/debug to database /var/cache/check-owners/co.usr.src.debug.db.gz
    0,root,0,root,400,/usr/src/debug/foo                          | 0,root,0,root,600,/usr/src/debug/foo
    Which shows that I ran chmod 0600 foo between runs.
    Last edited by bgstack15; 9th August 2018 at 02:49 PM.

  3. #3
    Join Date
    Nov 2016
    Location
    Cape Canaveral
    Posts
    58
    Windows 7 Firefox 61.0

    Re: Detecting File Permission and Ownership Changes

    bgstack15, Very nice!

    I noticed Redhat has an auditing package. It looks very good. Info on it here.

    I wonder if it has a lot of overhead though. Anyone know?

  4. #4
    Join Date
    Nov 2016
    Location
    Cape Canaveral
    Posts
    58
    Windows 7 Firefox 61.0

    Re: Detecting File Permission and Ownership Changes

    Info if you can't get to the link (snippet):

    How to monitor permission, ownership or any other change to a particular directory or file
    Solution Verified - Updated August 3 2017 at 10:41 PM - English
    Environment

    Red Hat Enterprise Linux 4
    Red Hat Enterprise Linux 5
    Red Hat Enterprise Linux 6
    Red Hat Enterprise Linux 7

    Issue

    How to monitor the permission change and ownership change of a particular directory or file?
    How to configure auditd to find how a file was modified in Red Hat Enterprise Linux?
    What tool can audit files at a directory level?
    How do I monitor files or directories using auditd in Red Hat Enterprise Linux ?
    How do I monitor a file or directory to see which user or program has accessed or modified data ?

    Resolution

    The Linux Audit system (audit package) can be used to accomplish this task.
    Ensure the auditd service is running, and set to start on boot with chkconfig auditd on
    Set a watch on the required file to be monitored by using the auditctl command:

  5. #5
    Join Date
    Dec 2017
    Location
    USA
    Posts
    57
    Windows 7 Firefox 60.0

    Re: Detecting File Permission and Ownership Changes

    That's just the regular auditd daemon. My environment runs it, but for my team its output is hardly useful. It looks incredibly verbose, because it live-monitors what the system is doing. I don't think it is process-intensive, so if it provides the exact output you're looking for, go for it!

  6. #6
    Join Date
    Jun 2005
    Location
    Montreal, Que, Canada
    Posts
    5,402
    Linux (Fedora) Firefox 61.0

    Re: Detecting File Permission and Ownership Changes

    I wrote a program that can produce a listing. A sample few lines follow.
    Code:
     Host=rfr28                      |<----Date----->| <----Hash--------------------->|<- Bytes >| /scratch/bin @ 20180809-123530
    soxprepdup                       |20180809-000754|ad5fe0d0e4671a9e8682f1755b7e098b|     10488|/scratch/bin
    soxdircmp                        |20180809-000754|3cd6f37864a11c0c4466e0a01946e80e|     35256|/scratch/bin
    soxdircrc                        |20180809-000754|6b231360e028d809b8620dd1d86fc58c|     39464|/scratch/bin
    adoc                             |20180725-111416|18d480ac91c0bd5252a8e541adc23acc|       414|/scratch/bin
    ISO                              |20180507-091355|6118f4d5d5b61b434e6bb56c2a4a715d|       168|/scratch/bin
    rsyncSims.sh                     |20180724-181235|9b707853e87b60ba8de59374338278da|       323|/scratch/bin
    rsyncIomega.sh                   |20180718-120613|d7859a505ec73db6ea60c46c835c0db8|      1507|/scratch/bin
    rsyncScratchToSeagate.sh         |20180805-015025|5652cf56b8b6e9e5ac19c964b292dc0a|       567|/scratch/bin
    soxsha1                          |20180809-000754|1248ed20361b9d296ae7f5360dd95013|     14568|/scratch/bin
    soxdirmd5.ini                    |20180809-000754|ec878770850b9994d0694bebf18f990e|       955|/scratch/bin
    rsync.sh                         |20180805-015025|494dd51d99db5d894b335aef784e4081|       164|/scratch/bin
    I created the above listing to help visualize what I collect. My scan was targeting production application code and constant data.
    Here is what I actually stored within my program.
    I hash the filename to an unsigned integer.
    I use the timestamp based on the file's date/time as stored by Linux.
    I use the sha1sum type of scan to create a hash of the file contents. You could use md5sum.
    I have the file size and the hashed value for the directory. In practice, any file change in size of contents is detected by the sha1sum function.
    For my needs, I did not need to remember owner/group or rwx attributes, though these could be added.
    My print function is recursive (it will process subdirectories). I did register symbolic links but did not traverse them.
    My database was fairly small as I hash most values including directory names.
    bytes
    ====
    4=filename
    4=timestamp
    20=sha1sum or 16 bytes for md5sum checksums of the file's contents. I would not use crc32 checksum
    4 for directory path hash

    I do a memcmp() against previous and collected strings of bytes representing one line of the listing, and record changes.

    The code was written to comply with Canada's Sarbanes-Oxley law about accountability. (I had to prove there were no unauthorized changes.) Any change I detected had to have an audited change request form. The auditors had the sha1sum of the file being placed into production as new or a fix, or a file being removed.

    Linux does allow you to set up security traps for any changes to a directory's contents. You can also impose access rights rules in addition to controlling a file's access via user/group.
    Best to use a simple solution. The program to produce the listing is available on request.
    Leslie in Montreal

    Interesting web sites list
    http://forums.fedoraforum.org/showth...40#post1697840
