The stat command in Linux can be used to display a file or file system status. I came across an issue in RHEL4 where a file's 'Change time' is far ahead of the 'Modification time' without a change in uid, gid and mode:

# stat /etc/php.ini
  File: `/etc/php.ini'
  Size: 45809      Blocks: 96         IO Block: 4096   regular file
Device: 6801h/26625d    Inode: 704615      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-06-25 13:22:15.000000000 -0400
Modify: 2012-10-01 13:21:41.000000000 -0400
Change: 2014-06-01 20:06:35.000000000 -0400

To explain why this can be considered unusual, I will start by explaining the time values associated with a file: atime (Access) is updated when the file's contents are read, mtime (Modify) when its contents are written, and ctime (Change) whenever the inode's metadata changes, which covers the mode, uid, gid, size and link count as well as the mtime itself. So ctime would get updated along with mtime, and the file size would change along with mtime. So if a file's ctime differs from its mtime without a change in mode, uid and gid, the behaviour can be considered unexpected.

On checking the stat upstream (coreutils) source, I came across a known issue. Running chmod on a file without changing the file permissions can alter the inode and cause the same behaviour. It is documented in the TODO of the coreutils upstream source:

Modify chmod so that it does not change an inode's st_ctime
when the selected operation would have no other effect.
First suggested by Hans Ecke in
https://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/2920
Discussed more recently on https://bugs.debian.org/497514.

This behaviour is not fixed in upstream. Now we can assume that a process or user ran a chmod command which actually did not change the attributes of php.ini. This would change the ctime and no other attribute. I can reproduce the same behaviour on my Fedora system as well. For example:

# stat test
  File: ‘test’
  Size: 0          Blocks: 0          IO Block: 4096   regular empty file
Device: 803h/2051d      Inode: 397606      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-14 16:26:10.996128678 +0530
Modify: 2014-07-14 16:26:10.996128678 +0530
Change: 2014-07-14 16:26:10.996128678 +0530
 Birth: -
# chmod 644 test
# stat test
  File: ‘test’
  Size: 0          Blocks: 0          IO Block: 4096   regular empty file
Device: 803h/2051d      Inode: 397606      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-14 16:26:10.996128678 +0530
Modify: 2014-07-14 16:26:10.996128678 +0530
Change: 2014-07-14 16:26:41.444377623 +0530
 Birth: -

But this is just an assumption. To get a conclusive answer on what is causing this behaviour on this specific system, we would need to find which process is causing it. auditd in Linux can be used to watch a file and capture audit records for that file in /var/log/audit/. To watch the file, I edited /etc/audit.rules and added the following:

-w /etc/php.ini

Then restarted auditd:

# service auditd start
Starting auditd: [ OK ]
# chkconfig auditd on

Running a cat command on the php.ini file would give the following logs:

type=SYSCALL msg=audit(1404006436.500:12): arch=40000003 syscall=5 success=yes exit=3 a0=bff88c10 a1=8000 a2=0 a3=8000 items=1 pid=19905 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
type=FS_WATCH msg=audit(1404006436.500:12): watch_inode=704615 watch="php.ini" filterkey= perm=0 perm_mask=4
type=FS_INODE msg=audit(1404006436.500:12): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68:01 inode_rdev=00:00
type=CWD msg=audit(1404006436.500:12): cwd="/root"
type=PATH msg=audit(1404006436.500:12): name="/etc/php.ini" flags=101 inode=704615 dev=68:01 mode=0100644 ouid=0 ogid=0 rdev=00:00

The ausearch command is available for searching through the audit logs. The following command would display the audit entries from 6th July related to the /etc/php.ini file:

# ausearch -ts 7/6/2014 -f /etc/php.ini | less

When I noticed the ctime had changed again, I ran ausearch. I saw multiple events on the file. Most of the accesses are from syscall=5, which is the open system call. The following entries seem to be pointing to the culprit:

type=SYSCALL msg=audit(1404691594.175:37405): arch=40000003 syscall=271 success=yes exit=0 a0=bff09b00 a1=bff07b00 a2=7beff4 a3=bff0a1a0 items=1 pid=9830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bpbkar" exe="/usr/openv/netbackup/bin/bpbkar"
type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm=0 perm_mask=2
type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68:01 inode_rdev=00:00
type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm=0 perm_mask=2
type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68:01 inode_rdev=00:00
type=CWD msg=audit(1404691594.175:37405): cwd="/etc"
type=PATH msg=audit(1404691594.175:37405): name="/etc/php.ini" flags=1 inode=704615 dev=68:01 mode=0100644 ouid=0 ogid=0 rdev=00:00

You can see that the system call is 271. Using ausearch you can also search based on the system call:

# ausearch -ts 7/6/2014 -sc 271 -f /etc/php.ini
----
time->Sun Jul  6 20:06:34 2014
type=PATH msg=audit(1404691594.175:37405): name="/etc/php.ini" flags=1 inode=704615 dev=68:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1404691594.175:37405): cwd="/etc"
type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68:01 inode_rdev=00:00
type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm=0 perm_mask=2
type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68:01 inode_rdev=00:00
type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm=0 perm_mask=2
type=SYSCALL msg=audit(1404691594.175:37405): arch=40000003 syscall=271 success=yes exit=0 a0=bff09b00 a1=bff07b00 a2=7beff4 a3=bff0a1a0 items=1 pid=9830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bpbkar" exe="/usr/openv/netbackup/bin/bpbkar"

You can see that there is only one record with system call number 271. Another advantage of ausearch is that it converts the time stamps to human readable form. You can see the time at the start of each block of search output. The time stamps match the ctime reported by stat:

# stat /etc/php.ini
  File: `/etc/php.ini'
  Size: 45809      Blocks: 96         IO Block: 4096   regular file
Device: 6801h/26625d    Inode: 704615      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-07 01:06:47.000000000 -0400
Modify: 2012-10-01 13:21:41.000000000 -0400
Change: 2014-07-06 20:06:34.000000000 -0400

From the RHEL4 kernel source code we can see that syscall 271 is utimes:

# cat ./include/asm-i386/unistd.h | grep 271
#define __NR_utimes 271

utimes is a legacy syscall that can change a file's last access and modification times. utimes was later deprecated and replaced with utime from RHEL5. The netbackup process bpbkar is doing a utimes syscall on the file, possibly setting the mtime to the value it already has, which results in the ctime change. This example shows us the power of the Linux Auditing System. Auditing is a kernel feature which provides an interface to daemons like auditd to capture events related to system and user space processes and log them.
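As an added example (not code from the original post), here is a small Python parser that automates the correlation done by hand above: it groups raw audit records by their serial number, maps i386 syscall numbers to names, and reports the successful metadata-only calls on a path that fall within a second of the ctime that stat reported. The sample records are cut-down copies of the entries above; the syscall table, the set of ctime-only calls and the one-second window are assumptions made for this example.

```python
import re
from collections import defaultdict

# i386 syscall numbers (arch=40000003), as on the RHEL4 box in the post; the
# numbers differ on x86_64, so a real tool would key this table by arch.
I386_SYSCALLS = {5: "open", 15: "chmod", 30: "utime", 271: "utimes", 320: "utimensat"}
# Calls that update ctime without writing the file's contents (assumed set).
CTIME_ONLY = {"chmod", "utime", "utimes", "utimensat"}

# Constructed sample: the 'cat' open and the bpbkar utimes events from the post,
# cut down to the SYSCALL and PATH records the correlation needs.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1404006436.500:12): arch=40000003 syscall=5 success=yes exit=3 pid=19905 uid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1404006436.500:12): name="/etc/php.ini" inode=704615 mode=0100644
type=SYSCALL msg=audit(1404691594.175:37405): arch=40000003 syscall=271 success=yes exit=0 pid=9830 uid=0 comm="bpbkar" exe="/usr/openv/netbackup/bin/bpbkar"
type=PATH msg=audit(1404691594.175:37405): name="/etc/php.ini" inode=704615 mode=0100644
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group raw audit records by serial number into one dict per event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = int(epoch)  # whole-second epoch, like stat's Change field
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "SYSCALL":
            ev["syscall"] = I386_SYSCALLS.get(int(fields["syscall"]), fields["syscall"])
            ev.update(comm=fields.get("comm"), exe=fields.get("exe"), ok=fields.get("success") == "yes")
        elif rtype == "PATH":
            ev["path"] = fields.get("name")
    return dict(events)

def ctime_suspects(events, path, ctime_epoch, window=1):
    """Successful metadata-only syscalls on `path` within `window` seconds of
    the stat 'Change' time: the candidates for having set that ctime."""
    hits = []
    for serial, ev in sorted(events.items()):
        if ev.get("path") != path or not ev.get("ok"):
            continue
        if ev.get("syscall") in CTIME_ONLY and abs(ev["time"] - ctime_epoch) <= window:
            hits.append((serial, ev["syscall"], ev["comm"], ev["exe"]))
    return hits
```

Feeding it the stat Change time from the post (2014-07-06 20:06:34 -0400, epoch 1404691594) returns only the bpbkar utimes event; the cat open is ignored because open does not touch the inode.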