I would like to understand if there is a way to monitor if a Unix log file has been tampered with (lines deleted or modified). I don't believe this can be done with fschange monitor as it will record all updates to the log as changes.
asked 29 Jun '11, 00:05
This is a very complicated subject to comprehensively answer. The only way to be entirely sure is to be able to (essentially) system-call trace every single process running on the system at all times.
Remember that users don't change files - processes running on behalf of those users change files. In a traditional Unix system, the root user is assumed to have absolute authority to have any of his processes change a file. Without keeping detailed trace data of what
This is one of the gaps that SELinux and other similar security layers attempt to close. SELinux makes it possible for additional controls to be placed around certain system operations -- even for the root user. A properly configured SELinux policy can make it much harder for someone to tamper with logfiles by restricting what processes can write to those logfiles, regardless of what user is running the process.
That said, though, even at its current state, SELinux is not able to fully withstand the attack of a complicit root user. See http://marc.info/?l=selinux&m=105458123321234&w=2 for comments from an NSA representative regarding how much of root's capabilities have to be taken away in order to make it substantially harder for the root user to subvert the system.
mw's answer of the operating system auditing facilities is a good one - the audit subsystem could give you "commercially reasonable best effort" assurance that you knew about each time a log file was changed.
But at some point you have to just stop and trust your sysadmin to not subvert the systems you've hired her/him to manage for you.
answered 05 Jul '11, 16:02
fschange tells you what the change that occurred was, including deletes and modifications. If you use the 'fullevent=true' option, you can even compare before and after to see how the file looked, and how it looks now.
answered 29 Jun '11, 07:32
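The before/after comparison this answer describes, as an added example that is not part of the original post or of fschange itself. It takes the two snapshots as text and uses the one property an honest log has (it only ever grows, so the old content must survive unchanged as a prefix of the new content) to tell growth apart from deleted, edited or back-inserted lines. The auth log lines and file contents are constructed for the example.

```python
"""Classify a change to a log file as plain growth or as tampering.

Added example, not from the original post. It assumes you have the
'before' and 'after' contents of the file as text (fschange's
fullevent=true is said to give you both); the log lines below are
constructed for this example.
"""
import difflib
from dataclasses import dataclass, field


@dataclass
class Verdict:
    kind: str                                       # "unchanged", "append" or "tampered"
    added: list = field(default_factory=list)       # new lines (at the end, or inserted mid-file)
    deleted: list = field(default_factory=list)     # old lines that no longer exist
    modified: list = field(default_factory=list)    # (old_line, new_line) pairs edited in place


def classify(before: str, after: str) -> Verdict:
    """An honest log only grows: every old line must survive, in order, as a
    prefix of the new content. Anything else is reported line by line."""
    old = before.splitlines()
    new = after.splitlines()
    if new == old:
        return Verdict("unchanged")
    if new[: len(old)] == old:
        return Verdict("append", added=new[len(old):])

    v = Verdict("tampered")
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "delete":
            v.deleted.extend(old[i1:i2])
        elif tag == "insert":
            v.added.extend(new[j1:j2])
        elif tag == "replace":
            gone, came = old[i1:i2], new[j1:j2]
            v.modified.extend(zip(gone, came))      # lines edited in place
            v.deleted.extend(gone[len(came):])      # surplus old lines
            v.added.extend(came[len(gone):])        # surplus new lines
    return v


# Constructed sample: a short auth log, then two possible later snapshots.
BEFORE = "\n".join([
    "Jun 29 00:01:02 host sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jun 29 00:01:03 host sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Jun 29 00:02:10 host sshd[2188]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "Jun 29 00:02:15 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/su -",
]) + "\n"

NEW_LINE = "Jun 29 00:03:00 host su[2203]: Successful su for root by alice"
GREW = BEFORE + NEW_LINE + "\n"                       # syslog appended a line: fine
SCRUBBED = "\n".join(                                 # someone removed the failed login
    line for line in BEFORE.splitlines() if "Failed password" not in line
) + "\n"


if __name__ == "__main__":
    for label, after in (("grew", GREW), ("scrubbed", SCRUBBED), ("truncated", "")):
        v = classify(BEFORE, after)
        print(f"{label}: {v.kind} added={len(v.added)} deleted={len(v.deleted)} modified={len(v.modified)}")
```

Two things to keep in mind when wiring this to real snapshots: log rotation (a rename followed by a new empty file) and a truncation by logrotate's copytruncate mode both fail the prefix test and will show up as "tampered", so compare against the inode or rotated file rather than the path name alone; and a root user who can edit the file can also edit whatever stores the "before" copy, so the snapshots have to live somewhere that host cannot write to.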
I believe the answer to this is going to be: turn on OS level auditing. That will tell you as much as is possible to know. You could probably splunk users' .bash_history, etc. files as well, but of course, they can modify their HISTFILE if they want to.
answered 30 Jun '11, 08:37
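What the OS audit subsystem that this answer (and the longer answer above) recommends actually gives you, as an added example that is not from either answer or from the audit tools themselves. It assumes a Linux auditd watch rule of the form `auditctl -w /var/log/auth.log -p wa -k logtamper` is loaded, that the raw records below (constructed for this example in the format `ausearch -k logtamper --raw` emits) are what it produced, and that rsyslogd is the only process allowed to write the file; the allowed-writer list, the key name and the x86-64 syscall numbers are assumptions to adjust for your system. It joins each SYSCALL record with its PATH records, keeps the ones touching the watched file, and flags any writer that is not the logging daemon, including a failed attempt and an unlink.

```python
"""Correlate Linux audit records for a watched log file and flag writers
that are not the logging daemon.

Added example, not from the original answers. It assumes a watch rule of
the form `auditctl -w /var/log/auth.log -p wa -k logtamper` is loaded and
that the records below, constructed for this example, are what
`ausearch -k logtamper --raw` returns. rsyslogd as the only legitimate
writer is an assumption; substitute your syslog daemon.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AUID_UNSET = 4294967295        # audit's "no login uid", e.g. daemons started at boot
SYSCALL_NAMES = {              # x86-64 numbers for the calls a watch on a file will see
    2: "open", 257: "openat", 76: "truncate", 77: "ftruncate",
    82: "rename", 87: "unlink", 263: "unlinkat",
}


def parse_records(text):
    """Group raw audit lines by event serial; one event is a SYSCALL record
    plus its CWD and PATH records, all sharing the same msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rec["_ts"] = float(m.group(1))
        events[int(m.group(2))].append(rec)
    return events


def find_log_writers(text, watched, allowed_exes=("/usr/sbin/rsyslogd",)):
    """Return every event that touched `watched`, oldest first, marking those
    whose executable is not in `allowed_exes` as suspicious."""
    hits = []
    for serial, recs in sorted(parse_records(text).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        paths = [r for r in recs if r.get("type") == "PATH" and r.get("name") == watched]
        if not paths:
            continue
        auid = int(sc.get("auid", AUID_UNSET))
        hit = {
            "serial": serial,
            "ts": sc["_ts"],
            "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
            "success": sc.get("success") == "yes",
            "exe": sc.get("exe"),
            "comm": sc.get("comm"),
            "auid": None if auid == AUID_UNSET else auid,   # login uid survives su/sudo
            "uid": int(sc.get("uid", -1)),
            "nametype": paths[-1].get("nametype"),          # NORMAL, CREATE, DELETE ...
            "key": sc.get("key"),
        }
        hit["suspicious"] = hit["exe"] not in allowed_exes
        hits.append(hit)
    return hits


# Constructed sample: rsyslogd appending (fine), alice failing to open the
# file, then alice-as-root truncating it with a shell redirect and rm'ing it.
SAMPLE = """\
type=SYSCALL msg=audit(1309305602.101:4567): arch=c000003e syscall=257 success=yes exit=7 a0=ffffffffffffff9c a1=55d0c3a2b4e0 a2=441 a3=1a4 items=2 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="logtamper"
type=CWD msg=audit(1309305602.101:4567): cwd="/"
type=PATH msg=audit(1309305602.101:4567): item=0 name="/var/log/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1309305602.101:4567): item=1 name="/var/log/auth.log" inode=131204 dev=fd:00 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1309305900.250:4580): arch=c000003e syscall=2 success=no exit=-13 a0=2244a10 a1=441 a2=1b6 a3=0 items=1 ppid=4100 pid=4122 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=9 comm="bash" exe="/bin/bash" key="logtamper"
type=CWD msg=audit(1309305900.250:4580): cwd="/home/alice"
type=PATH msg=audit(1309305900.250:4580): item=0 name="/var/log/auth.log" inode=131204 dev=fd:00 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1309305990.417:4590): arch=c000003e syscall=2 success=yes exit=3 a0=1d2e2c0 a1=241 a2=1b6 a3=0 items=2 ppid=3001 pid=3044 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="bash" exe="/bin/bash" key="logtamper"
type=CWD msg=audit(1309305990.417:4590): cwd="/root"
type=PATH msg=audit(1309305990.417:4590): item=0 name="/var/log/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1309305990.417:4590): item=1 name="/var/log/auth.log" inode=131204 dev=fd:00 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1309306012.003:4602): arch=c000003e syscall=87 success=yes exit=0 a0=1d2e4f0 a1=0 a2=0 a3=0 items=2 ppid=3001 pid=3060 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="rm" exe="/bin/rm" key="logtamper"
type=CWD msg=audit(1309306012.003:4602): cwd="/root"
type=PATH msg=audit(1309306012.003:4602): item=0 name="/var/log/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1309306012.003:4602): item=1 name="/var/log/auth.log" inode=131204 dev=fd:00 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=DELETE
"""


if __name__ == "__main__":
    for h in find_log_writers(SAMPLE, "/var/log/auth.log"):
        flag = "SUSPICIOUS" if h["suspicious"] else "ok"
        print(f"{h['serial']} {h['syscall']:8} ok={h['success']} auid={h['auid']} uid={h['uid']} "
              f"{h['exe']} ({h['nametype']}) {flag}")
```

The useful field here is auid, the login uid: it is set at login and survives su and sudo, which is why the truncate and the rm are attributed to user 1000 even though they ran as uid 0. This is still only the "best effort" the answer above describes: root can run `auditctl -D` or stop auditd, so the audit stream has to be shipped off the host as it is produced, not read back from the same disk later.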