linux
Alexander Karabanov, 2019-11-21 14:27:51

Someone is changing file permissions, how to figure out who?

Hello.

An anomaly has appeared on a number of servers: something changes the permissions on files, setting -rwxr-xr-x for files and drwxr-xr-x for directories. Please tell me how to figure out who is doing this.
Only I have root access, and it doesn't matter at the moment; it's clear that they somehow broke it. But how do I work out who is changing the permissions?

PS
What is strange is that they could have run rm -rf, but no, they only change the permissions... In truth, that doesn't make it any easier, because when the permissions are changed on / or on ssh keys or on /dev/null or /tmp, etc., significant problems arise.


4 answer(s)
mayton2019, 2019-11-22
@karabanov

Make chmod an alias to your script that does an action but audits the time and terminal from which the action came.

Zolg, 2019-11-21
@Zolg

https://wiki.archlinux.org/index.php/Audit_framework

Denis, 2019-11-28
@Sat0shi

Enable auditd, then use ausearch and aureport. It can also be used in conjunction with file integrity control software, such as Efros / AIDE.
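
The auditd approach suggested in the answers above, as an added example that is not part of the original thread: audit rules for the permission-changing syscalls, and a small parser showing which fields of the resulting records answer "who". The key name perm_change, the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The key name "perm_change" is an assumption of this sketch.

# Audit rules for permission-changing syscalls. As root, write the output to a
# file under /etc/audit/rules.d/, run `augenrules --load`, then query the
# resulting records with `ausearch -k perm_change -i`.
perm_change_rules() {
    for arch in b64 b32; do
        echo "-a always,exit -F arch=$arch -S chmod,fchmod,fchmodat -F key=perm_change"
    done
}

# Constructed, abbreviated audit.log records (not taken from the thread).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1574346471.123:4242): arch=c000003e syscall=268 success=yes a2=1ed items=1 pid=2177 auid=1000 uid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_change"
type=PATH msg=audit(1574346471.123:4242): item=0 name="/tmp" mode=041777 nametype=NORMAL
type=SYSCALL msg=audit(1574346480.500:4250): arch=c000003e syscall=257 success=yes items=1 pid=2180 auid=1000 uid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="other"
type=PATH msg=audit(1574346480.500:4250): item=0 name="/etc/hostname" nametype=NORMAL
type=SYSCALL msg=audit(1574346502.900:4251): arch=c000003e syscall=90 success=yes a1=1ed items=1 pid=913 auid=4294967295 uid=0 tty=(none) comm="python3" exe="/usr/bin/python3" key="perm_change"
type=PATH msg=audit(1574346502.900:4251): item=0 name="/root/.ssh/authorized_keys" mode=0100600 nametype=NORMAL
EOF
}

# Print "event-id auid uid tty exe path" for each audited permission change.
# auid is the login UID: it is set at login and kept across su/sudo, so it
# names the account that logged in. 4294967295 means no login session.
who_changed() {
    awk -v key="perm_change" '
    function field(name,   i, kv) {   # value of name=... in this record
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
        }
        return "?"
    }
    { id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
    $1 == "type=SYSCALL" && field("key") == key {
        who[id] = field("auid") " " field("uid") " " field("tty") " " field("exe")
    }
    $1 == "type=PATH" && (id in who) { print id, who[id], field("name") }
    ' "$@"
}

sample_audit_log | who_changed
```

On a live system the same function can read /var/log/audit/audit.log or the output of `ausearch -k perm_change --raw` instead of the sample records.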
