In a multi-user environment there are lots of files shared between different users with different permissions. There may be a need to keep an eye on what they are doing with these files. So here we’ll look into a mechanism to audit files on our Linux system. With this we can track what kind of operations are performed over a file and by whom.

For this we will use auditctl and ausearch commands. S first of all create a file as I have create a file named file under /root directory.Now we will set a watch on a file with this command-

                               auditctl -w /root/file -p war -k host-file

The parameters we have used are described as –

-w: File name here it is /root/file

-p:Type of operations war means Write Access Read

-k:Key which will be used for searching

Once you have set a watch on the file make any modifications in the file as I have done. I simply changed the permissions for this file with chmod. Now this operation will be logged.

Auditing Files In Red Hat Enterprise Linux

To view the log just type-   ausearch -ts today -k host-file

The parameters we have used are:

-ts:Timstamp here we want to see the changes made on the current day

-k:Key which we have set earlier

Now focus on the last line of the screen-shot and you will see exe=”/bin/chmod” subj=root. This indicates that chmod operation has been performed by the user root on that file. Now make further changes and they will be shown in the audit.