
How to Use auditd on Ubuntu to Monitor File Changes

Monitoring file changes on a Linux system is crucial for maintaining security and tracking any unauthorized modifications. On Ubuntu, auditd is a powerful tool that can help you achieve this. In this guide, we’ll walk you through the steps to install, configure, and use auditd to trace file changes effectively—especially useful for tracking down the source of recurring malware infections on WordPress sites.

What is Auditd?

auditd, short for “Audit Daemon,” is the userspace component of the Linux Auditing System. It provides comprehensive monitoring and logging capabilities for system activities, including file access, modification, user authentication, and more. By using auditd, you can set up rules to monitor specific files or directories and keep track of who made changes and when.

Why Use Auditd for WordPress Security?

One of the most frustrating issues for WordPress site administrators is dealing with recurring malware infections. Even after cleaning the site, malicious files may reappear if the root cause isn’t identified. By using auditd to monitor key WordPress directories and files, you can trace the source of these infections. This way, you’ll know exactly when and how malware files are being reintroduced, helping you to eliminate the threat for good.

Steps to Use auditd on Ubuntu

1. Install auditd

First, you need to install auditd on your Ubuntu system. Open your terminal and run the following commands to update your package list and install auditd along with its plugins:

sudo apt update
sudo apt install auditd audispd-plugins

This will install the auditd service and additional plugins required for its operation.

2. Start and Enable auditd

Once installed, start the auditd service and ensure it starts automatically on boot. Use the following commands:

sudo systemctl start auditd
sudo systemctl enable auditd

Now, auditd is up and running, ready to monitor your system activities.

3. Add an Audit Rule

To monitor specific files or directories, you need to set up audit rules. These rules define what auditd should watch and what type of activities it should log.

  • Monitoring a Specific File: For instance, to monitor changes to the /var/web/site/public_html/wp-config.php file (which contains user account information), use the following command:
    sudo auditctl -w /var/web/site/public_html/wp-config.php -p wa -k config_changes
    Here, -w /var/web/site/public_html/wp-config.php tells auditd to watch the /var/web/site/public_html/wp-config.php file.
    The -p wa option sets it to monitor both write (w) and attribute (a) changes. The -k config_changes option assigns a key to this rule, making it easier to search the logs later.
  • Monitoring an Entire Directory: If you want to monitor changes within an entire directory, use a similar command:
    sudo auditctl -w /var/web/site/public_html/ -p wa -k directory_changes

    For WordPress sites, you might want to monitor directories like /var/web/site/public_html/wp-content where themes, plugins, and uploads are stored, as these are common targets for malware.

4. View Audit Logs

Once you’ve set up your audit rules, auditd will start logging any matching activities. To view these logs, you can use the ausearch command:

  • View Logs by Key: To see all logs related to the config_changes key:
    sudo ausearch -k config_changes
  • Real-Time Log Viewing: If you want to see logs as they are recorded, use the following command:
    sudo tail -f /var/log/audit/audit.log

This command will display new entries in the audit log file as they are added.
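The raw records that ausearch -k returns are several lines per event (SYSCALL, CWD, PATH, ...) that share a serial number. As an added example that is not part of the original post, this Python script groups such records by serial and, for a given -k key, reports when the file was touched, which program did it, and whether the process belonged to a logged-in user (auid) or to a daemon with no login session, such as the web server; a write by www-data with no login session points at the web application itself rather than at a user account. The sample log lines are constructed, following the raw /var/log/audit/audit.log field format.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of raw audit.log records (not from a real system): serial 4567 is php-fpm (uid 33 =
# www-data, no login session) creating a .php file under uploads/; 4570 is auid 1000 editing wp-config.php via sudo.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1718000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 ses=4294967295 comm="php-fpm8.1" exe="/usr/sbin/php-fpm8.1" key="directory_changes"
type=PATH msg=audit(1718000000.123:4567): item=0 name="/var/web/site/public_html/wp-content/uploads/" inode=1311 dev=fc:01 mode=040755 ouid=33 ogid=33 nametype=PARENT
type=PATH msg=audit(1718000000.123:4567): item=1 name="/var/web/site/public_html/wp-content/uploads/x.php" inode=1390 dev=fc:01 mode=0100644 ouid=33 ogid=33 nametype=CREATE
type=SYSCALL msg=audit(1718000120.456:4570): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=2200 pid=2234 auid=1000 uid=0 gid=0 euid=0 ses=7 comm="vim" exe="/usr/bin/vim.basic" key="config_changes"
type=PATH msg=audit(1718000120.456:4570): item=0 name="/var/web/site/public_html/wp-config.php" inode=1305 dev=fc:01 mode=0100640 ouid=33 ogid=33 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # msg=audit(TIMESTAMP:SERIAL)
UNSET_UID = 4294967295  # auid/ses value written when the process has no login session

def parse_record(line):
    """Split one raw record into a dict of fields plus its timestamp and serial number."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, serial = MSG_RE.search(line).groups()
    fields['_ts'], fields['_serial'] = float(ts), int(serial)
    return fields

def group_events(log_text):
    """Records sharing a serial number belong to one event (SYSCALL + CWD + PATH ...)."""
    events = defaultdict(list)
    for rec in (parse_record(l) for l in log_text.splitlines() if 'msg=audit(' in l):
        events[rec['_serial']].append(rec)
    return events

def summarize(log_text, key):
    """One summary per event whose SYSCALL record carries the key given to auditctl -k."""
    results = []
    for _, records in sorted(group_events(log_text).items()):
        sc = next((r for r in records if r['type'] == 'SYSCALL'), None)
        if sc is None or sc.get('key') != key:
            continue
        auid = int(sc['auid'])
        results.append({
            'time': datetime.fromtimestamp(sc['_ts'], timezone.utc).isoformat(timespec='seconds'),
            'login_uid': None if auid == UNSET_UID else auid,  # None: a daemon, not a logged-in user
            'uid': int(sc['uid']), 'comm': sc['comm'], 'exe': sc['exe'],
            'paths': [(r['name'], r['nametype']) for r in records if r['type'] == 'PATH' and r['nametype'] != 'PARENT'],
        })
    return results

if __name__ == '__main__':  # show both constructed events
    print(*summarize(SAMPLE_LOG, 'directory_changes'), *summarize(SAMPLE_LOG, 'config_changes'), sep='\n')
```

On a real system, feed it the output of sudo ausearch -k config_changes --raw instead of SAMPLE_LOG; the first event above would read as www-data creating x.php under uploads/ with no login session, the second as uid 1000 editing wp-config.php through sudo.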

5. Persist Audit Rules

Audit rules set with auditctl are not persistent and will be lost after a reboot. To make your rules permanent, add them to the /etc/audit/audit.rules file. Note that on current Ubuntu releases the auditd service runs augenrules at startup, which regenerates /etc/audit/audit.rules from the files in /etc/audit/rules.d/; if that is the case on your system, put the rules in a file under /etc/audit/rules.d/ (for example a file named wordpress.rules) instead, so they are not overwritten.

For example, open the file in a text editor:

sudo nano /etc/audit/audit.rules

Then, add your rules:

-w /var/web/site/public_html/wp-config.php -p wa -k config_changes

Save and close the file, then restart auditd to apply the changes:

sudo systemctl restart auditd

6. Refining and Removing Rules

Over time, you may want to refine or remove certain audit rules.

  • Removing a Specific Rule: To remove a rule, use the -W option with the same arguments you used to add it:
    sudo auditctl -W /var/web/site/public_html/wp-config.php -p wa -k config_changes
  • Listing Active Rules: To see all active audit rules, use:
    sudo auditctl -l

This command lists all the current rules, helping you review and manage them as needed.

Conclusion

Using auditd on Ubuntu is an effective way to keep track of changes to critical files and directories. This is particularly useful for WordPress site administrators dealing with recurring malware infections. By monitoring key files and directories, you can identify when and how malware is being reintroduced to your site, allowing you to take targeted action to eliminate the threat. Whether you’re a system administrator or a security-conscious user, mastering auditd is a valuable skill that enhances your system’s security posture.
