
I have a symbolic link of the form

ubuntu@platform1:~$ ls -lrt
total 28
drwxr-xr-x  4 ubuntu ubuntu 4096 Mar  2 15:02 deploy
lrwxrwxrwx  1 ubuntu ubuntu   14 May 25 18:27 logs -> /var/log/arkin

Disk layout

ubuntu@platform1:~$ df -h
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/vg-var            853G  3.7G  806G   1% /var
/dev/mapper/vg-var+log         49G  1.1G   45G   3% /var/log
/dev/mapper/vg-var+log+audit   20G   60M   19G   1% /var/log/audit
/dev/mapper/vg-home            30G  6.5G   22G  24% /home

But many times I observe that the symbolic link has been changed to

drwxr-xr-x  6 ubuntu ubuntu 4096 May 31 08:41 logs

Can someone let me know if there is a way to enable audit logs on the folder /home/ubuntu/logs so that I can get some idea of which operation is breaking the symbolic link and creating a new /home/ubuntu/logs, or some other way I can debug this problem?

  • Filesystem - ext4
  • OS - Ubuntu 16.04

EDIT

I followed the steps suggested in the answer. I had the following symbolic link:

lrwxrwxrwx 1 ubuntu ubuntu 14 Jun 3 07:26 logs -> /var/log/arkin

I added the below rule to /etc/audit/audit.rules:

-a always,exit -F dir=/home/ubuntu/logs -S unlink -S unlinkat -S rename -S renameat -S rmdir -k log_link

Then I restarted the audit service:

ubuntu@vrni-platform:~$ sudo service auditd stop
ubuntu@vrni-platform:~$ sudo service auditd start

I executed the below command:

ubuntu@vrni-platform:~$ sudo ln -svf /var/log/arkin /home/ubuntu/logs
'/home/ubuntu/logs/arkin' -> '/var/log/arkin'

But I am not seeing any audit entry:

# aureport -k -i | grep log_link

tuk
  • The obvious suspect is whatever program is writing logs to that location. – Michael Hampton May 31 '19 at 18:15
  • Every process writes its logs in a sub-directory under that directory. There are quite a few processes accessing this directory, so it is getting difficult to identify the culprit. – tuk May 31 '19 at 18:37
  • I think you should try `audit` or `aide`, to debug more. – asktyagi Jun 01 '19 at 03:08
  • For auditd you can try below `$ tail -2 /etc/audit/audit.rules -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete` – asktyagi Jun 01 '19 at 03:56
  • Yes, I am looking for audit / aide only. But I am not able to find how to add a rule which will log an entry when the symlink `/home/ubuntu/logs` is deleted or the `/home/ubuntu/logs` is created. – tuk Jun 01 '19 at 04:01
  • @asktyagi - Can you post your comment as an answer with little more explanation about the command? – tuk Jun 01 '19 at 04:03

1 Answer


For auditd you can try the below:

$ tail -2 /etc/audit/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat  -S rmdir -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat  -S rmdir -k delete

Here you can specify a directory too:

-F dir=<directory or mount point>

Here is a short description of the options used; for more details please check http://man7.org/linux/man-pages/man8/auditctl.8.html

 -a [list,action|action,list] 
 -S [Syscall name or number|all]
 -k key Set a filter key on an audit rule.

Some more examples for different rules are:

## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
asktyagi
  • I followed the steps you suggested but this does not seem to be creating any audit entry. Check my edit in the question. – tuk Jun 03 '19 at 10:50
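The answer gives the syscall rules; what closes the loop is reading the resulting audit.log to see which process removed the symlink and which one created the directory in its place. The Python below is an added example, not part of the answer or of the auditd project: it parses raw /var/log/audit/audit.log records (the sample lines are constructed, with made-up pids, inodes and timestamps) grouped by event serial and reports, for every SYSCALL record carrying the chosen key, the command, executable, working directory, decoded PROCTITLE and the PATH entries marked DELETE or CREATE. Two things the question's EDIT makes visible are worth keeping in mind when reading its output: `ln -svf /var/log/arkin /home/ubuntu/logs` printed `'/home/ubuntu/logs/arkin' -> '/var/log/arkin'`, i.e. it created a new link inside the target directory rather than replacing the symlink, so no unlink or rename of /home/ubuntu/logs happened for the rule to catch; and the rule in the question omits the `-F arch=` filter that the answer's two example rules carry. The sample records assume the events were produced by a path watch on the symlink's own name (`-w /home/ubuntu/logs -p wa -k log_link`, a standard auditctl form that records creation and removal of that name) alongside the syscall rules from the answer.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for the calls that can remove or replace
# a directory entry; raw audit.log carries the number, `ausearch -i` would decode it.
SYSCALL_NAMES_X86_64 = {
    82: "rename", 83: "mkdir", 84: "rmdir", 87: "unlink", 88: "symlink",
    258: "mkdirat", 263: "unlinkat", 264: "renameat", 266: "symlinkat",
}

# Constructed sample (not a real capture): what auditd writes for `rm /home/ubuntu/logs`
# followed by `mkdir /home/ubuntu/logs` under a rule keyed log_link, plus one unrelated
# record under a different key to show the filtering. pids, inodes and times are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1559290860.101:4821): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd0 a1=0 a2=0 a3=0 items=2 ppid=4010 pid=4022 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=7 comm="rm" exe="/bin/rm" key="log_link"
type=CWD msg=audit(1559290860.101:4821): cwd="/home/ubuntu/deploy"
type=PATH msg=audit(1559290860.101:4821): item=0 name="/home/ubuntu" inode=131073 dev=fd:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1559290860.101:4821): item=1 name="/home/ubuntu/logs" inode=131090 dev=fd:03 mode=0120777 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1559290860.101:4821): proctitle=726D002F686F6D652F7562756E74752F6C6F6773
type=SYSCALL msg=audit(1559290860.102:4822): arch=c000003e syscall=83 success=yes exit=0 a0=7ffd1 a1=1ff a2=0 a3=0 items=2 ppid=4010 pid=4023 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=7 comm="mkdir" exe="/bin/mkdir" key="log_link"
type=CWD msg=audit(1559290860.102:4822): cwd="/home/ubuntu/deploy"
type=PATH msg=audit(1559290860.102:4822): item=0 name="/home/ubuntu" inode=131073 dev=fd:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1559290860.102:4822): item=1 name="/home/ubuntu/logs" inode=131101 dev=fd:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1559290860.102:4822): proctitle=6D6B646972002F686F6D652F7562756E74752F6C6F6773
type=SYSCALL msg=audit(1559290861.500:4823): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=441 a3=1a4 items=1 ppid=1 pid=901 auid=4294967295 uid=104 gid=110 euid=104 suid=104 fsuid=104 egid=110 sgid=110 fsgid=110 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="other"
"""

# One record per line: type, audit(timestamp:serial), then space-separated key=value fields.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group raw audit records by event serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        fields["_ts"] = m.group("ts")
        events[m.group("serial")][m.group("type")].append(fields)
    return events


def decode_proctitle(value):
    """PROCTITLE is hex-encoded with NUL between argv entries; fall back to the raw value."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return value  # auditd writes titles without special characters as plain text


def link_events(text, key="log_link"):
    """Return, oldest first, one summary per SYSCALL record tagged with `key`."""
    out = []
    for serial, recs in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        for sc in recs.get("SYSCALL", []):
            if sc.get("key") != key:
                continue
            nr = int(sc["syscall"])
            name = SYSCALL_NAMES_X86_64.get(nr, str(nr)) if sc.get("arch") == "c000003e" else str(nr)
            paths = [(p.get("name"), p.get("nametype")) for p in recs.get("PATH", [])
                     if p.get("nametype") in ("DELETE", "CREATE")]
            out.append({
                "serial": int(serial),
                "time": sc["_ts"],
                "syscall": name,
                "success": sc.get("success") == "yes",
                "comm": sc.get("comm"), "exe": sc.get("exe"),
                "pid": int(sc["pid"]), "ppid": int(sc["ppid"]), "auid": int(sc["auid"]),
                "cwd": recs.get("CWD", [{}])[0].get("cwd"),
                "cmdline": decode_proctitle(recs.get("PROCTITLE", [{}])[0].get("proctitle", "")),
                "paths": paths,
            })
    return out


if __name__ == "__main__":
    # On a real host read /var/log/audit/audit.log instead of the constructed sample.
    for ev in link_events(SAMPLE_AUDIT_LOG):
        print(f"{ev['time']} {ev['syscall']:<8} pid={ev['pid']} ppid={ev['ppid']} auid={ev['auid']} "
              f"{ev['exe']} cwd={ev['cwd']} {ev['paths']} :: {ev['cmdline']}")
```

The ppid and auid fields are the useful ones when, as in the comments above, many processes touch the directory: auid survives su/sudo and identifies the login session, and ppid points at the deploy script or service manager that spawned the `rm`/`mkdir`, which is usually the real culprit rather than the coreutils binary itself.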