• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 683
  • Last Modified:

Linux openSUSE 12 - Folder permissions change logs

We are running a Linux openSUSE 12 server for our file storage.
It is setup with groups for security permissions.
I found that one folder had the group changed and was open to all users.

Is there a log that I can see when the folder group was changed?
0
bax2000
Asked:
bax2000
  • 2
  • 2
  • 2
  • +1
3 Solutions
 
SandyCommented:
You can check the login session logs to see who had logged in at that time, and apart from that if you have enhanced audit enabled in your system, that can be checked to find out the culprit.

TY/SA
0
 
Zephyr ICTCloud ArchitectCommented:
Yes, if you have audit installed and configured you might find something in /var/log/audit/audit.log ...
0
 
bax2000Author Commented:
Thanks for the update.
I am not that familiar to Linux but know some basics.
If I go to /var/log/audit/audit.log  it says the directory does not exist, so I take it that the auditing is not setup. Is that correct?

Where would I check to see it auditing is setup or to have it setup now?
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
Zephyr ICTCloud ArchitectCommented:
Hi, following doc might set you on your way: http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html also check out chapter 31.

Check all of /var/log to see if an audit.log is available ... Or check if /etc/audit/auditd.conf is available ...
0
 
Dave GouldCommented:
If you run the stat command to find the time that the metadata was changed for the file, it might help you pin down the exact time that the group was updated:

stat -c %z yourfile

with this information, checking the access logs might help you identify who was on at that time.
If you are root, you can even check the history files for the users that you suspect might have made the changes. If your users use bash (which is pretty much the norm nowdays), then you can check the .bash_history that can be founfd in their homedir.
0
 
SandyCommented:
@trappa01.. that will give the time of last change since Epoc... still he needs audit to be enabled.

TY/SA
0
 
Dave GouldCommented:
%z will give an actual timestamp of the last change time. %Z will give seconds since Epoc.
I agree its not much to go on but the original poster does not seem to have audit running so its a case of narrowing down as much as possible.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now