4

I have inherited a bunch of Linux (Ubuntu Precise) servers and am currently having problems with the ownership of a folder changing to "root" fairly often. We run puppet, which changes the ownership to the user it should be, but something else changes it back a bit later.

I'm currently logging the permissions on the file every 30 seconds to try and narrow down a time to see if there's anything in logs, etc. It's a large busy server, so without more information it's not easy to find anything in logs.

Is there a way in Linux to catch when a file/folder ownership changes and detect the process responsible?

Colin Coghill
  • Can you please tell us which directory is changing ownership? If it's a system or application one it might shed light on the cause. – Boscoe Aug 13 '14 at 14:22
  • In this case it's a (local) glusterfs filesystem mount, so that probably does indicate something, but I'm also interested in the general case. I've got auditd running now, suggested in one of the answers, so will see what that shows. – Colin Coghill Aug 14 '14 at 22:44
  • @ColinCoghill hi have you found a solution ? I have a similar question https://stackoverflow.com/questions/60807998/shell-script-to-monitor-file-ownership-change-and-change-it-back – Qiulang 邱朗 Mar 23 '20 at 05:11

3 Answers

10

I think you can use audit for a specific file/directory, or you can write a custom rule based on your requirement:

        auditctl -w <path to the file you need to monitor> -p war -k test

Where -w is for specifying the file path,
-p is for permission access (read, write, execute and attribute change),
-k is a key name; you can give a name you can use to filter the audit rule.

Then you can search it using

        ausearch -ts today -k test

For example, I used this: create the file /tmp/test and then write some random data to it

       auditctl -w /tmp/test -p warx -k test

and then execute this command

       ausearch -ts today -k test

      -ts is for the start date
      -k is for the key string

So the output of this

  type=SYSCALL msg=audit(1407949301.821:63216): arch=c000003e syscall=191 success=no
  exit=-61 a0=eacca0 a1=3600005db7 a2=7fff15265180 a3=84 items=1 ppid=2384 pid=16921
  auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=10096
  comm="vim" exe="/usr/bin/vim" key="test"

So if you check the last line of the output, it shows that the command executed was vim, with uid=0, which is root.

If you want to make these changes persistent across reboots, add an entry like this inside /etc/audit/audit.rules

  -w /tmp/test -p warx -k test

and make sure auditd service is up and running

  service auditd status 

For more info you can refer http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

Prashant Lakhera
  • Fantastic tool, did the trick, thanks! Turns out it was puppet after all, but was referring to the directory by another (hard-linked) name. – Colin Coghill Aug 18 '14 at 01:56
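Added example (not part of the answer above, and not code from the audit project) that carries the auditd approach one step further. It shows a syscall rule that fires only for the chown family under a directory, and a small sh/awk filter that joins the raw SYSCALL, CWD and PATH records of each event, so every ownership change is printed with the process that made it, the name it used and the inode. The directory /srv/gluster, the key name owner_change and the sample records are assumptions made for the example; the syscall numbers are the x86_64 ones, matching the arch=c000003e seen in the answer's output.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the audit project.
# Goal: turn raw auditd records into one line per ownership change that
# names the process responsible, the name it used and the inode it touched.

# A syscall rule is tighter than a "-w ... -p war" watch: it fires only for
# the chown family, and "-F dir=" makes it recursive.  Run on the real host
# as root; the directory is passed in, the key name "owner_change" is an
# assumption.  Not executed by this example.
install_owner_change_rule() {
  auditctl -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat \
    -F dir="$1" -k owner_change
  # Add a matching "-F arch=b32" rule if 32-bit binaries run on the box.
}

# Constructed sample (not real logs) in the shape of "ausearch --raw" or
# /var/log/audit/audit.log: a chown by puppet through a hard-linked name,
# an unrelated open() that a "-p war" watch would also have logged, and an
# fchownat that changes only the uid (gid argument is -1).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1408000000.100:500): arch=c000003e syscall=92 success=yes exit=0 a0=1c2a3f0 a1=0 a2=0 a3=7fff0000 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppet" exe="/usr/bin/ruby1.8" key="owner_change"
type=CWD msg=audit(1408000000.100:500):  cwd="/"
type=PATH msg=audit(1408000000.100:500): item=0 name="/srv/gluster/brick_alias" inode=131074 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1408000010.200:501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe1 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=5151 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key="owner_change"
type=PATH msg=audit(1408000010.200:501): item=0 name="/srv/gluster/data/log.txt" inode=131080 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1408000020.300:502): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=55d0c0 a2=3e8 a3=ffffffff items=1 ppid=4242 pid=4300 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="chown" exe="/bin/chown" key="owner_change"
type=CWD msg=audit(1408000020.300:502):  cwd="/srv/gluster"
type=PATH msg=audit(1408000020.300:502): item=0 name="data/log.txt" inode=131080 dev=fd:01 mode=0100644 ouid=0 ogid=1000 rdev=00:00 nametype=NORMAL'

# Read raw records on stdin; join SYSCALL, CWD and PATH records by event id
# and print one summary line per ownership change.
summarize_owner_changes() {
  awk '
  function val(line, key,    m) {
    # Pull key=value out of a record.  The leading space keeps "uid=" from
    # matching inside "auid=" or "euid="; values may be double-quoted.
    if (match(line, " " key "=\"[^\"]*\"")) {
      m = substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    } else if (match(line, " " key "=[^ ]*")) {
      m = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    }
    return m
  }
  function hexval(h,    i, d) {
    # Arguments are logged in hex; an all-f value (-1) means leave that id alone.
    h = tolower(h)
    if (length(h) >= 8 && h ~ /^f+$/) return "unchanged"
    d = 0
    for (i = 1; i <= length(h); i++)
      d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
    return d
  }
  BEGIN {
    # x86_64 (arch=c000003e) numbers of the ownership-changing syscalls
    name[92] = "chown"; name[93] = "fchown"; name[94] = "lchown"; name[260] = "fchownat"
  }
  {
    if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
    id = substr($0, RSTART + 6, RLENGTH - 7)          # "timestamp:serial"
    if ($1 == "type=SYSCALL") {
      sc = val($0, "syscall")
      if (val($0, "arch") != "c000003e" || !(sc in name)) next
      # uid/gid sit in a1/a2 for chown, fchown, lchown but in a2/a3 for fchownat
      if (name[sc] == "fchownat") { u = val($0, "a2"); g = val($0, "a3") } else { u = val($0, "a1"); g = val($0, "a2") }
      order[++n] = id
      proc[id] = sprintf("%s ts=%s auid=%s uid=%s pid=%s ppid=%s comm=%s exe=%s new_uid=%s new_gid=%s",
        name[sc], substr(id, 1, index(id, ":") - 1), val($0, "auid"), val($0, "uid"),
        val($0, "pid"), val($0, "ppid"), val($0, "comm"), val($0, "exe"), hexval(u), hexval(g))
    } else if ($1 == "type=CWD") {
      cwd[id] = " cwd=" val($0, "cwd")
    } else if ($1 == "type=PATH") {
      # name= is what the caller passed; inode= identifies the object even
      # when that name is a hard link the admin did not know about.
      paths[id] = paths[id] " path=" val($0, "name") " inode=" val($0, "inode")
    }
  }
  END {
    # Buffering by event id makes record order irrelevant: audit.log writes
    # SYSCALL first, ausearch prints it last.  A SYSCALL record with no PATH
    # (fchown on a descriptor) still gets its own line.
    for (i = 1; i <= n; i++) { id = order[i]; print proc[id] cwd[id] paths[id] }
  }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_owner_changes
```

On a real host, once the rule is installed, source the script and run `ausearch -k owner_change --raw | summarize_owner_changes`; `ausearch -i` will interpret the same records for you, but keeping the inode in the output is what settles the hard-link case from the comment above: two names, one inode, and the name in the PATH record is the one the process actually used. The open() by cat in the sample is dropped because it is not an ownership syscall, which is exactly the noise a `-p war` watch on a busy server would have logged.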
4

A quick google reveals the inotify API in the Linux kernel.

Inotify (inode notify) is a Linux kernel subsystem that acts to extend filesystems to notice changes to the filesystem, and report those changes to applications.

I can't find any applications that allow you to watch a file directly with inotify. However, there is the inotify-tools package, which allows you to get access to the API in scripts.

It doesn't by itself tell you who changed what, but you may be able to use this API to build a script to narrow it down, for example by combining it with lsof and ps.

hookenz
  • Based on Matt's suggestion I am just playing with inotify-tools and unfortunately I don't find it very useful. I ran this command: [root@test ~]# rm -rf /tmp/test and then tested inotify: [root@test ~]# inotifywait -e create,delete,modify,move,attrib -m /tmp which printed: Setting up watches. Watches established. /tmp/ DELETE test. So it's not telling who deleted this file, but yes, it constantly notifies it, so the best way to get a notification is to write a shell script with the mail command and run it via. Maybe I am wrong, but this is what I found out. – Prashant Lakhera Aug 20 '14 at 12:51
0

Sorry, there is nothing in the standard Linux system that does logging at such a level. You'll probably have to write a script; however, even that is a hit-or-miss proposition.

Hmmmm... you might be able to set the immutable bit on the file to protect it and see who complains that it cannot be changed:

        chattr +i filename1 ... filenameN
mdpc