Spying on a directory with auditd 

Files start coming up missing for me on a server and I get freaked out looking for security holes, but sometimes users and other utilities are spiking the bunch bowl. You can get serious with watching files with other utilities, but I went back to good ole auditd.

A simple test to track stuff getting trashed from an upload folder:

auditctl -w /site-dir/wp-content/uploads/ -p wa -k upload_issue

A capital W will remove the rule:

auditctl -W /site-dir/wp-content/uploads/ -p wa -k upload_issue

Do a quick search for issues with ausearch.

ausearch -f wp-content/uploads

Now permanently add the rule on a redhat system by putting this line in /etc/audit/audit.rules. Just leave off the auditctl command.

 -w /site-dir/wp-content/uploads/ -p wa -k upload_issue

Of course you need to make sure your auditd process is running and using chkconfig, etc. Good ole check status like:

/etc/init.d/auditd status

Here are a few of the resources I used:

Please forgive the RedHat auth-walls…

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html
http://stackoverflow.com/questions/29519590/monitor-audit-file-delete-on-linux
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html