Monitor Web Site Files With Auditd

Posted: 21st January 2014 by Babar Shafiq in Security, System Administration
Tags: , , ,

 

The Linux Auditing System and auditd are a great way to monitor who and when changes are made to the files in your website. To install and configure follow these steps:

1. Install auditd and related utilities:

yum install audit

2. Make sure auditd is running:

/sbin/chkconfig --list auditd 
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3. Edit /etc/audit/auditd.conf and change:

action_mail_acct = [your email address]

This sets any action emails to go to your preferred address.
4. Edit /etc/audit/audit.rules and add a line like this to the bottom:

-w [path_to_website] -p wa -k [key]

So if you website is located at:
/var/www/vhosts/mysite.com/httpdocs
Then a command like:

-w /var/www/vhosts/mysite.com/httpdocs -p wa -k mysite

would setup auditing of write and attribute change requests. Events matching this rule would be tagged with the “mysite” key.

/sbin/service auditd restart

Audit logs go to:

/var/log/audit/audit.log