• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 695
  • Last Modified:

Linux openSUSE 12 - Folder permissions change logs

We are running a Linux openSUSE 12 server for our file storage.
It is setup with groups for security permissions.
I found that one folder had the group changed and was open to all users.

Is there a log that I can see when the folder group was changed?
0
Barry Kay
Asked:
Barry Kay
  • 2
  • 2
  • 2
  • +1
3 Solutions
 
SandyCommented:
You can check the login session logs to see who had logged in at that time, and apart from that if you have enhanced audit enabled in your system, that can be checked to find out the culprit.

TY/SA
0
 
Zephyr ICTCloud ArchitectCommented:
Yes, if you have audit installed and configured you might find something in /var/log/audit/audit.log ...
0
 
Barry KaySystems EngineerAuthor Commented:
Thanks for the update.
I am not that familiar to Linux but know some basics.
If I go to /var/log/audit/audit.log  it says the directory does not exist, so I take it that the auditing is not setup. Is that correct?

Where would I check to see it auditing is setup or to have it setup now?
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
Zephyr ICTCloud ArchitectCommented:
Hi, following doc might set you on your way: http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html also check out chapter 31.

Check all of /var/log to see if an audit.log is available ... Or check if /etc/audit/auditd.conf is available ...
0
 
Dave GouldOnsite SupportCommented:
If you run the stat command to find the time that the metadata was changed for the file, it might help you pin down the exact time that the group was updated:

stat -c %z yourfile

with this information, checking the access logs might help you identify who was on at that time.
If you are root, you can even check the history files for the users that you suspect might have made the changes. If your users use bash (which is pretty much the norm nowdays), then you can check the .bash_history that can be founfd in their homedir.
0
 
SandyCommented:
@trappa01.. that will give the time of last change since Epoc... still he needs audit to be enabled.

TY/SA
0
 
Dave GouldOnsite SupportCommented:
%z will give an actual timestamp of the last change time. %Z will give seconds since Epoc.
I agree its not much to go on but the original poster does not seem to have audit running so its a case of narrowing down as much as possible.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now