Solved

Linux openSUSE 12 - Folder permissions change logs

Posted on 2014-02-23
7
651 Views
Last Modified: 2014-03-05
We are running a Linux openSUSE 12 server for our file storage.
It is setup with groups for security permissions.
I found that one folder had the group changed and was open to all users.

Is there a log that I can see when the folder group was changed?
0
Comment
Question by:bax2000
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 13

Expert Comment

by:Sandy
ID: 39881814
You can check the login session logs to see who had logged in at that time, and apart from that if you have enhanced audit enabled in your system, that can be checked to find out the culprit.

TY/SA
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 167 total points
ID: 39881832
Yes, if you have audit installed and configured you might find something in /var/log/audit/audit.log ...
0
 

Author Comment

by:bax2000
ID: 39882085
Thanks for the update.
I am not that familiar to Linux but know some basics.
If I go to /var/log/audit/audit.log  it says the directory does not exist, so I take it that the auditing is not setup. Is that correct?

Where would I check to see it auditing is setup or to have it setup now?
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 167 total points
ID: 39882092
Hi, following doc might set you on your way: http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html also check out chapter 31.

Check all of /var/log to see if an audit.log is available ... Or check if /etc/audit/auditd.conf is available ...
0
 
LVL 5

Assisted Solution

by:Dave Gould
Dave Gould earned 83 total points
ID: 39882157
If you run the stat command to find the time that the metadata was changed for the file, it might help you pin down the exact time that the group was updated:

stat -c %z yourfile

with this information, checking the access logs might help you identify who was on at that time.
If you are root, you can even check the history files for the users that you suspect might have made the changes. If your users use bash (which is pretty much the norm nowdays), then you can check the .bash_history that can be founfd in their homedir.
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39882167
@trappa01.. that will give the time of last change since Epoc... still he needs audit to be enabled.

TY/SA
0
 
LVL 5

Expert Comment

by:Dave Gould
ID: 39882184
%z will give an actual timestamp of the last change time. %Z will give seconds since Epoc.
I agree its not much to go on but the original poster does not seem to have audit running so its a case of narrowing down as much as possible.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now