28 May 2015

I used auditctl to help me track down what was modifying files on my Ubuntu server.
To remove an auditctl rule, you have to match each field in a rule.
For example:
root@web01-gpv1:~# auditctl -l
LIST_RULES: exit ,always watch = /var/www/vhosts/testsite.com/wp-includes/nav-menu.php perm = rwxa key = RULE1
LIST_RULES: exit ,always watch = /var/www/vhosts/testsite.com/wp-includes/nav-menu.php perm = wa key = RULE2
root@web01-gpv1:~# auditctl -W /var/www/vhosts/testsite.com/wp-includes/nav-menu.php -p rwxa -k RULE1
root@web01-gpv1:~# auditctl -W /var/www/vhosts/testsite.com/wp-includes/nav-menu.php -p wa -k RULE2
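Because every field (path, permission set and key) has to match before auditctl will drop a rule, it is easy to get a removal wrong by hand. The helper below is an added example, not code from the original post: it parses the older `LIST_RULES:` output format shown above (newer auditctl prints rules as `-w PATH -p PERMS -k KEY`, which it does not handle), emits one matching `auditctl -W` per listed watch, and checks a proposed removal against the list before you run it. The perm letters are the standard auditctl ones: r read, w write, x execute, a attribute change.

```python
import re

# Older `auditctl -l` line format, as shown in the post; newer versions print "-w ... -p ... -k ..."
LIST_RULE_RE = re.compile(
    r"LIST_RULES:.*?watch\s*=\s*(?P<path>\S+)\s+perm\s*=\s*(?P<perm>[rwxa]+)\s+key\s*=\s*(?P<key>\S+)"
)

# auditctl -p letters in the order auditctl prints them: r=read, w=write, x=execute, a=attribute change
PERM_ORDER = "rwxa"

# Constructed sample: the two rules listed in the post.
LIST_OUTPUT = """\
LIST_RULES: exit ,always watch = /var/www/vhosts/testsite.com/wp-includes/nav-menu.php perm = rwxa key = RULE1
LIST_RULES: exit ,always watch = /var/www/vhosts/testsite.com/wp-includes/nav-menu.php perm = wa key = RULE2
"""


def canonical_perm(perm):
    """Normalise a permission string so 'aw' and 'wa' compare equal."""
    return "".join(c for c in PERM_ORDER if c in perm)


def listed_rules(list_output):
    """Yield (path, perm, key) for every watch rule in `auditctl -l` output."""
    for line in list_output.splitlines():
        m = LIST_RULE_RE.search(line)
        if m:
            yield m["path"], canonical_perm(m["perm"]), m["key"]


def delete_commands(list_output):
    """One `auditctl -W` per listed watch, copying path, perms and key verbatim."""
    return [f"auditctl -W {path} -p {perm} -k {key}" for path, perm, key in listed_rules(list_output)]


def rule_matches(list_output, path, perm, key):
    """True only if some listed rule has exactly this path, permission set and key."""
    return (path, canonical_perm(perm), key) in set(listed_rules(list_output))


if __name__ == "__main__":
    for cmd in delete_commands(LIST_OUTPUT):
        print(cmd)
    # A removal with the wrong perm set would silently fail to match; check first.
    print(rule_matches(LIST_OUTPUT, "/var/www/vhosts/testsite.com/wp-includes/nav-menu.php", "wa", "RULE1"))
```

Feed it the real listing with `auditctl -l | python3 this_script.py` style plumbing (read `sys.stdin` instead of `LIST_OUTPUT`) and only execute the generated commands once `rule_matches` confirms the fields line up.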
Also remember that auditd must be running and logging, or ausearch/aureport will have nothing to report.
Random commands:
auditctl -w /var/www/vhosts/testsite.com/wp-includes/nav-menu.php -p wa -k KEY
I find that write + append give me readable logs, especially when dealing with WordPress files. Otherwise, you'll be sifting through thousands of repetitions of apache2 accessing the .php file.
ausearch -i -k KEY // -i is a human-friendly interpreter, KEY is established with auditctl -k KEY
aureport -k //not very useful to me personally
Typical output:
myUbuntuServer:~# ausearch -i -k RULE1 //USE THE -i SWITCH! You won't like the results without it!
----
type=PATH msg=audit(05/26/2015 10:08:34.823:534859) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 10:08:34.823:534859) : cwd=/var/www/vhosts/testsite.com/wp-admin
type=SYSCALL msg=audit(05/26/2015 10:08:34.823:534859) : arch=x86_64 syscall=open success=yes exit=56 a0=7f141a4a82d8 a1=41 a2=1b6 a3=62e0 items=1 ppid=4699 pid=25840 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1
----
type=PATH msg=audit(05/26/2015 13:58:35.295:538884) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 13:58:35.295:538884) : cwd=/var/www/vhosts/testsite.com/wp-admin
type=SYSCALL msg=audit(05/26/2015 13:58:35.295:538884) : arch=x86_64 syscall=open success=yes exit=56 a0=7f14198b1620 a1=241 a2=1b6 a3=7ffef00107f0 items=1 ppid=4699 pid=26789 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1
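The records above only answer "who modified the file?" once you read the SYSCALL record's a1 argument (the open(2) flags, which ausearch -i leaves as raw hex) together with cwd, pid and exe. The script below is an added example, not code from the original post: it parses ausearch -i text into events, keeps only opens with write intent, and tallies them by executable and working directory, which is how a "something keeps rewriting this file" case gets narrowed to a process and the directory it ran from. The first two events are the ones shown above; the third is a constructed read-only open (a1=0) of the kind a -p rwxa watch logs on every page load, included to show the filter discarding it. The O_* bit values are the x86_64 ones from <fcntl.h>.

```python
import re
from collections import Counter

# x86_64 open(2) flag bits (<fcntl.h>); ausearch -i prints a0..a3 as raw hex, so decode a1 here.
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
FLAG_NAMES = [(O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"), (O_APPEND, "O_APPEND")]

KV_RE = re.compile(r"(\w+)=(\S+)")
MSG_RE = re.compile(r"msg=audit\((.+?):(\d+)\)")  # (timestamp, serial)

# Constructed sample: the two events from the post plus one made-up read-only open.
SAMPLE = """\
----
type=PATH msg=audit(05/26/2015 10:08:34.823:534859) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 10:08:34.823:534859) : cwd=/var/www/vhosts/testsite.com/wp-admin
type=SYSCALL msg=audit(05/26/2015 10:08:34.823:534859) : arch=x86_64 syscall=open success=yes exit=56 a0=7f141a4a82d8 a1=41 a2=1b6 a3=62e0 items=1 ppid=4699 pid=25840 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1
----
type=PATH msg=audit(05/26/2015 13:58:35.295:538884) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 13:58:35.295:538884) : cwd=/var/www/vhosts/testsite.com/wp-admin
type=SYSCALL msg=audit(05/26/2015 13:58:35.295:538884) : arch=x86_64 syscall=open success=yes exit=56 a0=7f14198b1620 a1=241 a2=1b6 a3=7ffef00107f0 items=1 ppid=4699 pid=26789 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1
----
type=PATH msg=audit(05/26/2015 13:58:36.001:538885) : item=0 name=/var/www/vhosts/testsite.com/wp-includes/nav-menu.php inode=1410970 dev=ca:01 mode=file,664 ouid=www-data ogid=www-data rdev=00:00
type=CWD msg=audit(05/26/2015 13:58:36.001:538885) : cwd=/var/www/vhosts/testsite.com
type=SYSCALL msg=audit(05/26/2015 13:58:36.001:538885) : arch=x86_64 syscall=open success=yes exit=12 a0=7f14198b1620 a1=0 a2=0 a3=0 items=1 ppid=4699 pid=26790 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=4294967295 comm=apache2 exe=/usr/lib/apache2/mpm-prefork/apache2 key=RULE1
"""


def parse_record(line):
    """Turn one 'type=T msg=audit(ts:serial) : k=v ...' line into a dict, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None  # separators ("----") and blank lines
    head, _, body = line.partition(" : ")
    rec = dict(KV_RE.findall(body))
    rec["type"] = head.split()[0].split("=", 1)[1]
    rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec


def parse_events(text):
    """Group PATH, CWD and SYSCALL records that share an audit serial into one event."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "paths": []})
        if rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["cwd"]
        elif rec["type"] == "SYSCALL":
            ev.update(time=rec["time"], syscall=rec["syscall"], pid=rec["pid"],
                      ppid=rec["ppid"], comm=rec["comm"], exe=rec["exe"],
                      uid=rec["uid"], key=rec["key"], a1=int(rec["a1"], 16))
    return list(events.values())


def decode_open_flags(a1):
    """Render open(2) flags as O_WRONLY|O_CREAT|... for a human reader."""
    acc = {O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}.get(a1 & O_ACCMODE, "O_RDONLY")
    return "|".join([acc] + [name for bit, name in FLAG_NAMES if a1 & bit])


def is_write(ev):
    """An open/openat with a write access mode or O_TRUNC changes the file's content."""
    if ev.get("syscall") not in ("open", "openat"):
        return False
    return (ev["a1"] & O_ACCMODE) != 0 or bool(ev["a1"] & O_TRUNC)


def writers(text):
    """Return (write events, Counter keyed by (exe, cwd)) for ausearch -i output."""
    hits = [ev for ev in parse_events(text) if is_write(ev)]
    return hits, Counter((ev["exe"], ev["cwd"]) for ev in hits)


if __name__ == "__main__":
    hits, by_origin = writers(SAMPLE)
    for ev in hits:
        print(f"{ev['time']} pid={ev['pid']} ppid={ev['ppid']} {ev['comm']} "
              f"cwd={ev['cwd']} {decode_open_flags(ev['a1'])} -> {ev['paths'][0]}")
    for (exe, cwd), n in by_origin.most_common():
        print(f"{n}x {exe} (cwd {cwd})")
```

On a live box replace SAMPLE with `ausearch -i -k RULE1` piped to stdin. The cwd field is usually the fastest lead: here both writes came from a worker whose working directory was wp-admin, which points at the PHP entry point to inspect next, and the timestamps show the cadence of the modifications.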
For help interpreting ausearch results, try the Red Hat docs.
In my case, auditctl/ausearch helped me track down a php file that was modifying files every couple of days.