Saturday, December 19, 2009

Audit

Linux: audit files to see who made changes to a file

Package name audit
# yum install audit

auditctl - a command for controlling the kernel's audit system: show its status and add or delete rules in the kernel audit system.
ausearch - a command that queries the audit daemon logs for events matching different search criteria.
aureport - a tool that produces summary reports from the audit system logs.

Start audit
# /etc/init.d/auditd start

Set a watch on a file for auditing
# auditctl -w /etc/passwd -p war -k password-file

Where,
-w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file /etc/passwd.
-p war : Set the permissions filter for the file system watch. Each letter selects an access type: r for read, w for write, x for execute, a for append.
-k password-file : Set a filter key on the /etc/passwd watch. password-file is a filter key (a text string up to 31 bytes long) that uniquely identifies the audit records produced by this watch; use the same string when searching the audit logs.
In short, you are monitoring (watching) the file /etc/passwd for anyone (including any syscall) that performs a write, append or read operation on it.

Add a watch on /etc/shadow with the arbitrary filter key "shadow-file" that generates records for reads, writes, executes, and appends on the file:
# auditctl -w /etc/shadow -k shadow-file -p rwxa

Find out who changed or accessed the file /etc/passwd
# ausearch -f /etc/passwd
or
# ausearch -f /etc/passwd -i | less

Where,
-f /etc/passwd : Only search for events involving this file
-i : Interpret numeric entities as text; for example, a uid is converted to the account name
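The records that ausearch returns are the raw lines auditd writes to /var/log/audit/audit.log, and the question "who changed the file" is answered by a handful of fields in the SYSCALL record. The helper below is an added example, not code from the original post: a POSIX shell function that pulls those fields out of records tagged with a given filter key (the -k value set with auditctl). The sample records are constructed for the example, and audit_who and SAMPLE_LOG are hypothetical names.

```shell
#!/bin/sh
# Added helper, not part of the original post: summarise raw auditd records
# that carry a given filter key (the -k value from auditctl), to show which
# fields answer "who touched the file". audit_who and SAMPLE_LOG are
# hypothetical names chosen for this example.

# Constructed sample records in the raw format auditd writes to
# /var/log/audit/audit.log (all values are made up for illustration).
SAMPLE_LOG='type=SYSCALL msg=audit(1261234567.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="password-file"
type=CWD msg=audit(1261234567.123:4567):  cwd="/root"
type=PATH msg=audit(1261234567.123:4567): item=0 name="/etc/passwd" inode=131134 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1261234570.456:4570): arch=c000003e syscall=2 success=yes exit=4 a0=1 a1=0 a2=0 a3=0 items=1 ppid=900 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="shadow-file"
type=PATH msg=audit(1261234570.456:4570): item=0 name="/etc/shadow" inode=131135 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00'

# audit_who KEY [FILE]
# Prints one line per SYSCALL record tagged with KEY:
#   <event-id> <auid> <uid> <comm> <exe>
# auid is the login uid: the account that originally logged in. It survives
# su/sudo, so it is the "who" even when uid shows 0. The value 4294967295
# (-1 as unsigned) means unset: no login session, typically a daemon.
# With no FILE the constructed sample above is used.
audit_who() {
    key="$1"
    if [ -n "$2" ]; then
        cat "$2"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi | awk -v want="$key" '
        /^type=SYSCALL / {
            id = ""; auid = ""; uid = ""; comm = ""; exe = ""; k = ""
            for (i = 1; i <= NF; i++) {
                # every field is name=value; values may be quoted
                n = index($i, "=")
                if (n == 0) continue
                name = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                gsub(/"/, "", val)
                if (name == "msg") {
                    # msg=audit(<seconds>.<ms>:<serial>): -> <seconds>.<ms>:<serial>
                    sub(/^audit\(/, "", val); sub(/\):$/, "", val); id = val
                } else if (name == "auid") auid = val
                else if (name == "uid") uid = val
                else if (name == "comm") comm = val
                else if (name == "exe") exe = val
                else if (name == "key") k = val
            }
            if (k != want) next
            if (auid == "4294967295") auid = "unset"
            printf "%s %s %s %s %s\n", id, auid, uid, comm, exe
        }'
}

# Stand-alone run: report on the sample (or on a real log passed as $2).
audit_who "${1:-password-file}" "$2"
```

Running it against the sample prints `1261234567.123:4567 1000 0 vi /usr/bin/vi`: root (uid=0) edited /etc/passwd with vi, but the login uid 1000 tells you which account actually logged in before becoming root. On a live system the same report comes from `ausearch -k password-file -i`, which also resolves the numeric ids to names. Two practical points follow from this: record the auid, not just the uid, when you investigate, and remember that rules loaded with auditctl live only in the running kernel. The same -w lines belong in /etc/audit/audit.rules so that auditd reloads them at start.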
