auditctl - Removing Rules/Watches

  • Posted on: 28 May 2015
  • By: davis

I used auditctl to help me track down what was modifying files on my Ubuntu server.

To remove an auditctl rule, you have to match each field in a rule.

For example:

root@web01-gpv1:~# auditctl -l
LIST_RULES: exit,always watch=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php perm=rwxa key=RULE1
LIST_RULES: exit,always watch=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php perm=wa key=RULE2
root@web01-gpv1:~# auditctl -W /var/www/vhosts/testsite.com/wp-includes/nav-menu.php -p wa -k RULE1
root@web01-gpv1:~# auditctl -W /var/www/vhosts/testsite.com/wp-includes/nav-menu.php -p rwxa -k RULE2

Also remember to enable logging of ausearch/aureport.

Random commands:

auditctl -w /var/www/vhosts/testsite.com/wp-includes/nav-menu.php -p wa -k KEY

I find that write + append give me readable logs, especially when dealing with Wordpress files. Otherwise, you'll be sifting through thousands of repetitions of apache2 accessing the .php file.

ausearch -i -k KEY // -i is a human friendly interpreter, KEY is established with auditctl -k KEY
aureport -k //not very useful to me personally

Typical output:

myUbuntuServer:~# ausearch -i -k RULE1 //USE THE -i SWITCH! You won't like the results without it!
----
type=PATH msg=audit(05/26/2015 10:08:34.823:534859) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 10:08:34.823:534859) :  cwd=/var/www/vhosts/testsite.com/wp-admin
type=SYSCALL msg=audit(05/26/2015 10:08:34.823:534859) : arch=x86_64 syscall=open success=yes exit=56 a0=7f141a4a82d8 a1=41 a2=1b6 a3=62e0 items=1 ppid=4699 pid=25840 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1
----
type=PATH msg=audit(05/26/2015 13:58:35.295:538884) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 13:58:35.295:538884) :  cwd=/var/www/vhosts/testsite.com/wp-admin
type=SYSCALL msg=audit(05/26/2015 13:58:35.295:538884) : arch=x86_64 syscall=open success=yes exit=56 a0=7f14198b1620 a1=241 a2=1b6 a3=7ffef00107f0 items=1 ppid=4699 pid=26789 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1

For help interpreting ausearch results: Try the RedHat docs.

In my case, auditctl/ausearch helped me track down a php file that was modifying files every couple of days.