Using Inotify/Monitoring users

mth-adam
Posts: 1
Joined: 2017/09/29 13:38:47

Post by mth-adam » 2017/09/29 13:43:52

Hi,

Hoping somebody can help. I've been actively looking for something to use in CentOS that will help monitor what is happening in our /home/ directory (which contains sites for clients), as we've had a few occasions where users have deleted entire directories of their site and we don't know exactly who it is.

I've tried to use inotify, but whilst it is working well in showing what files are deleted, it doesn't actually pinpoint who did it or the exact time, and it seems to require a setup for each folder, as it doesn't want to recursively monitor all the sites in the /home/ directory.
</grreplace>
<gr_replace lines="19-20" cat="clarify" orig="Does anyone know">
Does anyone know of anything I can use for my requirements above, or any scripts I can use to achieve this, whether it be by email alerts, a script, etc.?

Does anyone know of anything I can use for my requirements above?
Or any scripts I can use to achieve this whether it be by email alerts or a script etc.

Appreciate the help,

Thanks

dcrdev
Posts: 70
Joined: 2015/10/25 23:42:17

Re: Using Inotify/Monitoring users

Post by dcrdev » 2017/09/29 14:40:24

inotify is good when used as part of something else to trigger an action; for this, however, I think maybe you've made things too complex.

I believe the audit daemon provides everything you're looking for; see https://linux.die.net/man/8/auditctl.

To monitor home recursively:

    # -w: watch this path (a watch on a directory covers the whole tree)
    # -p wa: record write and attribute-change accesses (deletes included)
    auditctl -w /home/ -p wa
Then check the activity in /var/log/audit/audit.log, or syslog depending on how you have it set up.
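To show what the audit log actually gives you that inotify does not (the login user, the effective user, the time, the working directory and the deleted path), here is an added example, not part of dcrdev's reply, that parses raw audit.log records and reports every successful delete syscall. It assumes an x86_64 CentOS box (syscall numbers differ on other architectures), a rule tagged with a key such as `auditctl -w /home/ -p wa -k homewatch`, and the constructed sample records embedded below; on a real system you would read /var/log/audit/audit.log or run `ausearch -k homewatch -i`, which does the same interpretation. The `auid` field is the answer to "who did it": it is the login UID and survives `su` and `sudo`, which is why the second deletion below is attributed to uid 1002 even though it ran as root.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

# x86_64 syscall numbers (arch=c000003e) that remove a directory entry.
# Assumption: x86_64 only; aarch64 and others use different numbers.
DELETE_SYSCALLS = {87: "unlink", 84: "rmdir", 263: "unlinkat"}
UNSET_AUID = 4294967295  # auid=-1: process not attached to any login session

# Constructed sample records in /var/log/audit/audit.log format (not from a real
# system), as a rule like "auditctl -w /home/ -p wa -k homewatch" would produce.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1506696123.456:1234): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=1c3b2a0 a2=0 a3=0 items=2 ppid=3001 pid=3010 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=5 comm="rm" exe="/usr/bin/rm" key="homewatch"
type=CWD msg=audit(1506696123.456:1234):  cwd="/home/client1"
type=PATH msg=audit(1506696123.456:1234): item=0 name="public_html/" inode=1234 dev=fd:00 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1506696123.456:1234): item=1 name="public_html/index.php" inode=1235 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1506696130.001:1240): arch=c000003e syscall=2 success=yes exit=3 a0=1c3b2a0 a1=241 a2=1b6 a3=0 items=2 ppid=3001 pid=3011 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=5 comm="vim" exe="/usr/bin/vim" key="homewatch"
type=CWD msg=audit(1506696130.001:1240):  cwd="/home/client1"
type=PATH msg=audit(1506696130.001:1240): item=0 name="public_html/" inode=1234 dev=fd:00 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1506696130.001:1240): item=1 name="public_html/index.php" inode=1236 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1506696200.789:1300): arch=c000003e syscall=84 success=yes exit=0 a0=7ffd1 a1=0 a2=0 a3=0 items=2 ppid=4001 pid=4010 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="rmdir" exe="/usr/bin/rmdir" key="homewatch"
type=CWD msg=audit(1506696200.789:1300):  cwd="/root"
type=PATH msg=audit(1506696200.789:1300): item=0 name="/home/client2/" inode=2234 dev=fd:00 mode=040755 ouid=1002 ogid=1002 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1506696200.789:1300): item=1 name="/home/client2/old_site" inode=2240 dev=fd:00 mode=040755 ouid=1002 ogid=1002 rdev=00:00 nametype=DELETE
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')   # msg=audit(epoch.millis:serial):


def parse_record(line):
    """Split one audit record into a dict; adds the epoch timestamp and event serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if not m:
        return None
    fields["_ts"] = float(f"{m.group(1)}.{m.group(2)}")
    fields["_serial"] = int(m.group(3))
    return fields


def group_events(log_text):
    """Group SYSCALL/CWD/PATH records of one event by their shared serial number."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def deletions(log_text):
    """Return one summary per successful delete syscall: who, when, from where, what."""
    results = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "yes":
            continue
        name = DELETE_SYSCALLS.get(int(syscall["syscall"]))
        if name is None:
            continue  # a write/create/attribute change, not a deletion
        cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), "/")
        # nametype=DELETE marks the entry that was removed; relative names are
        # resolved against the process working directory recorded in CWD.
        paths = [r["name"] for r in records
                 if r["type"] == "PATH" and r.get("nametype") == "DELETE"]
        paths = [p if p.startswith("/") else os.path.join(cwd, p) for p in paths]
        auid = int(syscall["auid"])
        results.append({
            "when": datetime.fromtimestamp(syscall["_ts"], timezone.utc).isoformat(),
            "serial": serial,
            "syscall": name,
            "login_uid": None if auid == UNSET_AUID else auid,  # survives su/sudo
            "effective_uid": int(syscall["uid"]),
            "exe": syscall.get("exe"),
            "tty": syscall.get("tty"),
            "paths": paths,
        })
    return results


if __name__ == "__main__":
    for d in deletions(SAMPLE_LOG):
        print(f'{d["when"]} login_uid={d["login_uid"]} uid={d["effective_uid"]} '
              f'{d["syscall"]} via {d["exe"]} on {d["tty"]}: {", ".join(d["paths"])}')
```

Two caveats for a shared hosting box: rules added with auditctl are lost at reboot, so the rule belongs in /etc/audit/rules.d/ as well, and a watch on a busy /home generates a lot of SYSCALL/PATH records, so size the audit log rotation accordingly before relying on it for the next incident.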
