Create rules for the Linux Audit system. To test rules initially, use the command auditctl to immediately add or remove rules.
Note: The following examples show rules for an EFS file system.
Use the following command to monitor all activity for your file system's mount location:
$ auditctl -w /home/ec2-user/efs -k efs_changes
Here are examples of actions that you can configure the audit system to log:
$ mkdir dir1
$ touch file1
$ touch file2
$ mv file1 file3
$ rm -f file2
$ chmod 600 file3
$ rmdir dir1
$ rm -f file3
Run the ausearch -k efs_changes command to view the audit log. The following example shows the audit log for the mkdir command, based on the example operations from Step 3:
time->Thu Jan 9 21:30:59 2020
type=PROCTITLE msg=audit(1578605459.080:127433): proctitle=6D6B6469720064697231
type=PATH msg=audit(1578605459.080:127433): item=1 name="dir1" inode=4989235361872937641 dev=00:16 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1578605459.080:127433): item=0 name="/home/ec2-user/efs/audit" inode=12759736523397539955 dev=00:16
mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1578605459.080:127433): cwd="/home/ec2-user/efs/audit"
type=SYSCALL msg=audit(1578605459.080:127433): arch=c000003e syscall=83 success=yes exit=0 a0=7fffe6aca6e1 a1=1ff a2=1ff a3=7fffe6ac7720 items=2 ppid=18661 pid=2948 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=18369 comm="mkdir" exe="/bin/mkdir" key="efs_changes"
This example shows the raw audit log. The audit log contains a large amount of information for each operation.
To create a shorter output in the audit log, run the aureport command. This version still shows all of the operations:
$ ausearch -k efs_changes | aureport -f -i
10118. 01/09/2020 21:36:29 file1 open yes /bin/touch ec2-user 127450
10119. 01/09/2020 21:36:29 dir1 mkdir yes /bin/mkdir ec2-user 127449
10120. 01/09/2020 21:36:29 file2 open yes /bin/touch ec2-user 127451
10121. 01/09/2020 21:36:29 file3 rename yes /bin/mv ec2-user 127452
10122. 01/09/2020 21:36:29 file2 unlinkat yes /bin/rm ec2-user 127453
10123. 01/09/2020 21:36:29 file3 fchmodat yes /bin/chmod ec2-user 127454
10124. 01/09/2020 21:36:29 dir1 rmdir yes /bin/rmdir ec2-user 127455
10125. 01/09/2020 21:36:35 file3 unlinkat yes /bin/rm ec2-user 127456
Keep in mind that you don't have to log all operations. For example, you can create a rule to log only delete-related actions:
auditctl -a always,exit -F arch=b64 -F dir=/home/ec2-user/efs -S unlink -S unlinkat -S rename -S renameat -S rmdir -k efs_changes
If you run the example commands from Step 3, then only the specified delete-related commands appear in the log:
10126. 01/09/2020 22:17:08 file3 rename yes /bin/mv ec2-user 127519
10127. 01/09/2020 22:17:08 file2 unlinkat yes /bin/rm ec2-user 127520
10128. 01/09/2020 22:17:08 dir1 rmdir yes /bin/rmdir ec2-user 127521
10129. 01/09/2020 22:17:09 file3 unlinkat yes /bin/rm ec2-user 127522