Linux openSUSE 12 - Folder permissions change logs

We are running a Linux openSUSE 12 server for our file storage.
It is set up with groups for security permissions.
I found that one folder had the group changed and was open to all users.

Is there a log that I can see when the folder group was changed?
Zephyr ICT (Cloud Architect) commented:
Hi, following doc might set you on your way: also check out chapter 31.

Check all of /var/log to see if an audit.log is available ... Or check if /etc/audit/auditd.conf is available ...
You can check the login session logs to see who had logged in at that time, and apart from that if you have enhanced audit enabled in your system, that can be checked to find out the culprit.

Zephyr ICT (Cloud Architect) commented:
Yes, if you have audit installed and configured you might find something in /var/log/audit/audit.log ...

bax2000 (Author) commented:
Thanks for the update.
I am not that familiar with Linux but know some basics.
If I go to /var/log/audit/audit.log it says the directory does not exist, so I take it that the auditing is not set up. Is that correct?

Where would I check to see if auditing is set up or to have it set up now?

Dave Gould (Onsite Support) commented:
If you run the stat command to find the time that the metadata was changed for the file, it might help you pin down the exact time that the group was updated:

stat -c %z yourfile

With this information, checking the access logs might help you identify who was on at that time.
If you are root, you can even check the history files for the users that you suspect might have made the changes. If your users use bash (which is pretty much the norm nowadays), then you can check the .bash_history that can be found in their homedir.

@trappa01.. that will give the time of last change since Epoch... still he needs audit to be enabled.

Dave Gould (Onsite Support) commented:
%z will give an actual timestamp of the last change time. %Z will give seconds since Epoch.
I agree it's not much to go on but the original poster does not seem to have audit running so it's a case of narrowing down as much as possible.
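
The correlation described in the answers above (take the change time from stat, then see who was logged in at that moment), as an added example that is not part of the original thread. It assumes GNU stat and date and a util-linux last that supports --time-format iso; the function names and the sample last output are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes GNU stat/date and util-linux `last --time-format iso`.

# Inode change time (updated by chgrp/chown/chmod) as seconds since the Epoch.
ctime_epoch() { stat -c %Z -- "$1"; }

# Constructed sample of `last --time-format iso` output (not real log data).
sample_last_output() {
cat <<'EOF'
alice    pts/0        192.0.2.10       2018-03-01T09:12:03+00:00 - 2018-03-01T10:40:11+00:00  (01:28)
bob      pts/1        192.0.2.11       2018-03-01T11:00:00+00:00 - 2018-03-01T11:30:00+00:00  (00:30)
root     tty1                          2018-03-01T08:00:00+00:00   still logged in
reboot   system boot  4.4.0-default    2018-03-01T07:55:00+00:00   still running

wtmp begins 2018-02-01T00:00:00+00:00
EOF
}

# sessions_at EPOCH: read `last` output on stdin, print "user tty" for every
# session whose login..logout window contains EPOCH.
sessions_at() {
    target=$1
    while read -r user tty rest; do
        case $user in reboot|wtmp|'') continue ;; esac   # not user sessions
        login='' logout=''
        for w in $rest; do                               # pick out ISO timestamps
            case $w in
                [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T*)
                    if [ -z "$login" ]; then login=$w; else logout=$w; fi ;;
            esac
        done
        [ -n "$login" ] || continue
        start=$(date -d "$login" +%s) || continue
        if [ -n "$logout" ]; then
            end=$(date -d "$logout" +%s) || continue
        else
            end=$(date +%s)        # no logout time recorded: treat as open-ended
        fi
        if [ "$start" -le "$target" ] && [ "$target" -le "$end" ]; then
            echo "$user $tty"
        fi
    done
    return 0
}

# Real use: pass the folder whose group changed as the first argument.
if [ "$#" -ge 1 ]; then
    last --time-format iso | sessions_at "$(ctime_epoch "$1")"
fi
```

For a directory, the change time also moves whenever an entry is created, deleted or renamed inside it, so the value points at the group change only if nothing else has touched the folder since. The result is a list of candidate sessions, not proof of who ran the command.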