Viewing relevant information about file accesses from the audit log

Question

Assume, you have a Linux machine and there are three users -

user1, user2 and user3, who can log in to the machine.

You created a rule

$ auditctl -w /etc/file.txt -p rwxa

If you would like to see daily, who and in what time accessed the file.txt how would you do it to minimize information overload, because you use a few apps that access file.txt and create a lot of logged data. There is a need to see only file accesses to file.txt from other users (user1, user2, user3, their apps, remote users, etc.)

Answer 1

There are user-space tools for filtering and reporting audit events. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Creating_Audit_Reports.html for some examples.

For your case you could try something like:

ausearch --start today --success no --file /etc/file.txt | aureport --file

to see all failed access attempts on the file for current day.

Check ausearch and aureport manual pages for more options.

Answer 2

Assuming you've installed auditd, which seems likely as you've created the rule with auditctl, you could grep by uid.

Find out the uid by using:

id user1
id user2
id user3

Check the logging selecting the userid in question.

cat /var/log/audit/audit.log | grep uid=1000

This is assuming 1000 is the user you wish to see fileaccess for. It will show you, for example, when user 1000 has viewed the audited file.txt, in this case using cat.

type=SYSCALL msg=audit(1484859413.000:83): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd50e9eefb a1=0 a2=20000 a3=7ffd50e9c8d0 items=1 ppid=28517 pid=28545 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=435 comm="cat" exe="/bin/cat" key=(null) type=PATH msg=audit(1484859413.000:83): item=0 name="test.txt" inode=4847 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL

I hope this was what you were looking for!