The Community Forums


File and Folder Auditing

Discussion in 'Security' started by Electrone, Jan 27, 2010.

  1. Electrone

    Electrone Member

    Joined:
    Jan 27, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Hi,
    Actually, I know that we can enable auditing for folders and files through the kernel daemon auditd, but that is not good when dealing with web hosting. What I ask is: is there any other way to audit who deletes or modifies files through cPanel, or any other advanced way?
    Thanks
     
  2. Electrone

    Electrone Member

    Joined:
    Jan 27, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    No answers?!
    OK, let's make it more clear.

    Let's say that I enable auditing in the kernel with auditd. Now it will only save something like this:
    Code:
    root@xxx [/var/log/audit]# tail -f /var/log/audit/audit.log | grep electrone.txt
    type=PATH msg=audit(1264695849.064:3764776): item=1 name="electrone.txt" inode=57770055 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

    This was done from SSH with the root account. The electrone.txt file is in one of my users' directories in cPanel.

    OK, now let's log on to cPanel with the user account, open the File Manager, and delete electrone.txt.

    We get this:
    Code:
    type=PATH msg=audit(1264695875.758:3765057): item=1 name="/home/xxx/public_html/electrone.txt" inode=57770055 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

    So there is nothing that lets me know whether this user is the one who deleted it, or whether it was done, let's say, by a malicious request through Apache.
     
    #2 Electrone, Jan 28, 2010
    Last edited: Jan 28, 2010
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm not sure I understand you, but have you looked at logwatch?
    www.logwatch.org
     
  4. Electrone

    Electrone Member

    Joined:
    Jan 27, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Dear Sir,
    Thanks for the reply,
    sorry for my English.

    Now let's make it more clear again.

    Let's say that I have a user hosted on my server and I use cPanel as the hosting panel. Now that user comes to me and says that his index file was deleted yesterday and he can't find it any more. I had enabled auditing and was watching the whole /home/ directory with auditd, but it did not catch which user ID did that; I looked at the access_log files for his site and I did not see who deleted it. Now, as I said, the file is gone, most likely deleted. So how can we know whether that user deleted the file by mistake, or a hacker used a special HTTP request to make Apache delete that index file? I hope I am clear now.
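The two PATH records quoted in post #2 cannot answer the question asked in post #2 and again here: a PATH record only names the file, its inode and its owner (ouid/ogid). The actor is recorded in the SYSCALL record that auditd writes with the same msg=audit(timestamp:serial) stamp, which carries the calling process's uid, euid, comm and exe and, most usefully, auid (the login uid, which survives su/sudo and stays unset, 4294967295, for daemons started at boot such as Apache workers). The script below is an added example, not code from the thread, from cPanel or from the auditd project; it joins the records of each event by that stamp and reports who removed which file. The sample records are constructed for the example (serials, pids and paths are made up), it assumes a watch rule of the form `-w /home -p wa -k homedir` on an x86_64 host (arch=c000003e, so unlink is syscall 87 and unlinkat 263), and it relies on the file's mode prefix rather than the newer nametype=DELETE field because the 2010-era records in the thread lack it.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the thread). Event 1: a root shell
# removes electrone.txt after logging in as uid 1001 and escalating; event 2: a
# web-server worker with no login session removes the same path. Records that
# share one msg=audit(ts:serial) stamp belong to one event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1264695849.064:3764776): arch=c000003e syscall=87 success=yes exit=0 a0=1a2b3c0 a1=0 a2=0 a3=0 items=2 ppid=1200 pid=1234 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="rm" exe="/bin/rm" key="homedir"
type=CWD msg=audit(1264695849.064:3764776):  cwd="/home/xxx/public_html"
type=PATH msg=audit(1264695849.064:3764776): item=0 name="/home/xxx/public_html/" inode=57770001 dev=fd:00 mode=040755 ouid=1001 ogid=1001 rdev=00:00
type=PATH msg=audit(1264695849.064:3764776): item=1 name="electrone.txt" inode=57770055 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1264695875.758:3765057): arch=c000003e syscall=87 success=yes exit=0 a0=2c4d5e0 a1=0 a2=0 a3=0 items=2 ppid=1100 pid=2222 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="homedir"
type=CWD msg=audit(1264695875.758:3765057):  cwd="/"
type=PATH msg=audit(1264695875.758:3765057): item=0 name="/home/xxx/public_html/" inode=57770001 dev=fd:00 mode=040755 ouid=1001 ogid=1001 rdev=00:00
type=PATH msg=audit(1264695875.758:3765057): item=1 name="/home/xxx/public_html/electrone.txt" inode=57770055 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# x86_64 syscall numbers that remove a directory entry (arch=c000003e).
UNLINK_SYSCALLS = {"87": "unlink", "263": "unlinkat"}
AUID_UNSET = "4294967295"  # loginuid -1: process not attached to any login session


def parse_record(line):
    """Split one audit line into (timestamp, serial, {field: value})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    fields["_type"] = m.group("type")
    return m.group("ts"), m.group("serial"), fields


def group_events(text):
    """Group records by their (timestamp, serial) stamp: one entry per event."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            ts, serial, fields = parsed
            events[(ts, serial)].append(fields)
    return events


def deletions(text):
    """Return successful unlink/unlinkat events with the actor and the files removed."""
    results = []
    for (ts, serial), recs in sorted(group_events(text).items()):
        syscall = next((r for r in recs if r["_type"] == "SYSCALL"), None)
        if not syscall or syscall.get("syscall") not in UNLINK_SYSCALLS:
            continue
        if syscall.get("success") != "yes":
            continue
        cwd = next((r["cwd"] for r in recs if r["_type"] == "CWD"), "/")
        paths = []
        for r in recs:
            # Regular-file items carry mode 0100xxx; the parent directory item is 040xxx.
            if r["_type"] == "PATH" and r.get("mode", "").startswith("0100"):
                name = r["name"]
                paths.append(name if name.startswith("/") else cwd.rstrip("/") + "/" + name)
        auid = syscall.get("auid")
        results.append({
            "serial": serial,
            "time": float(ts),
            "syscall": UNLINK_SYSCALLS[syscall["syscall"]],
            "auid": None if auid in (None, AUID_UNSET) else int(auid),
            "uid": int(syscall.get("uid", -1)),
            "euid": int(syscall.get("euid", -1)),
            "comm": syscall.get("comm"),
            "exe": syscall.get("exe"),
            "paths": paths,
        })
    return results


def describe(ev):
    """One-line attribution suitable for a report or an alert."""
    who = (f"login uid {ev['auid']}" if ev["auid"] is not None
           else "no login session (daemon/service)")
    return (f"{ev['syscall']} of {', '.join(ev['paths'])} by {ev['comm']} ({ev['exe']}) "
            f"running as uid {ev['uid']}; {who}")


if __name__ == "__main__":
    for ev in deletions(SAMPLE_AUDIT_LOG):
        print(describe(ev))
```

Run against a real /var/log/audit/audit.log the output distinguishes the three cases the thread asks about: the customer's own shell or File Manager session shows the customer's uid and a set auid, an administrator who used su or sudo still shows the administrator's original auid even though uid is 0, and an Apache worker shows comm="httpd" with auid unset. Apache does not log which HTTP request triggered the unlink, so the audit timestamp then has to be matched against the site's access_log by time.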
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    This is an example log snippet of what you can have with logwatch if it is customized a bit:

    Code:
    Mar 25 14:38:12 servername pure-ftpd: (?@ip.goes.he.re) [INFO] user@domain.com is now logged in
    Mar 25 14:38:18 servername pure-ftpd: (user@domain.com@ip.goes.he.re) [NOTICE] /home/user/public_html//index.html uploaded  (0 bytes, 0.00KB/sec)
    Mar 25 14:38:18 servername pure-ftpd: (user@domain.com@ip.goes.he.re) [NOTICE] Deleted index.html
    Mar 25 14:38:19 servername pure-ftpd: (user@domain.com@ip.goes.he.re) [NOTICE] /home/user/public_html//index.html uploaded  (25963 bytes, 85.52KB/sec)
    Mar 25 14:48:43 servername pure-ftpd: (user@domain.com@ip.goes.he.re) [INFO] Timeout - try typing a little faster next time
    This of course tells who logged in, what file was uploaded, downloaded or deleted, and when the user's connection timed out and was disconnected. Logwatch emails are sent every hour.

    I can't help with auditd but thought this might be useful for getting something similar to what you seek.
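To turn pure-ftpd lines of the kind shown above into an attribution record (who, from which address, deleted or replaced which file, and when), the parser below is an added example, not the logwatch configuration the post refers to and not code from cPanel or pure-ftpd. The sample lines are constructed in the same shape as the snippet in the post (host name, address, account and paths are made up). It splits the `(user@ip)` field on the last `@`, takes the account name for the login line from the message text because pure-ftpd logs `?` as the user there, and normalizes the doubled slash that pure-ftpd leaves in uploaded paths so the same file compares equal across events.

```python
import posixpath
import re

# Constructed pure-ftpd syslog lines (not from the thread).
SAMPLE_FTP_LOG = """\
Mar 25 14:38:12 servername pure-ftpd: (?@203.0.113.7) [INFO] alice@example.com is now logged in
Mar 25 14:38:18 servername pure-ftpd: (alice@example.com@203.0.113.7) [NOTICE] /home/alice/public_html//index.html uploaded  (0 bytes, 0.00KB/sec)
Mar 25 14:38:18 servername pure-ftpd: (alice@example.com@203.0.113.7) [NOTICE] Deleted index.html
Mar 25 14:38:19 servername pure-ftpd: (alice@example.com@203.0.113.7) [NOTICE] /home/alice/public_html//index.html uploaded  (25963 bytes, 85.52KB/sec)
Mar 25 14:40:02 servername pure-ftpd: (alice@example.com@203.0.113.7) [NOTICE] Deleted /home/alice/public_html/old.html
Mar 25 14:48:43 servername pure-ftpd: (alice@example.com@203.0.113.7) [INFO] Timeout - try typing a little faster next time
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pure-ftpd: '
    r'\((?P<who>[^)]*)\) \[(?P<level>\w+)\] (?P<msg>.*)$')
UPLOAD_RE = re.compile(r'^(?P<path>\S+) uploaded\s+\((?P<size>\d+) bytes')
DELETE_RE = re.compile(r'^Deleted (?P<path>.+)$')
LOGIN_RE = re.compile(r'^(?P<user>\S+) is now logged in$')


def parse_line(line):
    """Return a structured event for one pure-ftpd line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # "(alice@example.com@203.0.113.7)": the account may itself contain '@',
    # so split on the last one to separate account from client address.
    user, _, ip = m.group("who").rpartition("@")
    ev = {"time": m.group("ts"), "host": m.group("host"), "user": user, "ip": ip,
          "action": "other", "path": None}
    msg = m.group("msg")
    lm = LOGIN_RE.match(msg)
    um = UPLOAD_RE.match(msg)
    dm = DELETE_RE.match(msg)
    if lm:
        # Login lines carry "?" as the user; the real account is in the message.
        ev.update(action="login", user=lm.group("user"))
    elif um:
        ev.update(action="upload", path=posixpath.normpath(um.group("path")),
                  size=int(um.group("size")))
    elif dm:
        ev.update(action="delete", path=posixpath.normpath(dm.group("path")))
    elif msg.startswith("Timeout"):
        ev["action"] = "timeout"
    return ev


def file_changes(text):
    """All parsable events in order of appearance."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def deletions_by_user(text):
    """Map account -> [(time, client ip, path)] for every delete."""
    out = {}
    for e in file_changes(text):
        if e["action"] == "delete":
            out.setdefault(e["user"], []).append((e["time"], e["ip"], e["path"]))
    return out


if __name__ == "__main__":
    for user, items in deletions_by_user(SAMPLE_FTP_LOG).items():
        for when, ip, path in items:
            print(f"{when} {user} from {ip} deleted {path}")
```

As the next post in the thread points out, this covers only the FTP path; a delete made through the cPanel File Manager or by a web application never appears in the pure-ftpd log, so this parser complements an auditd-based check rather than replacing it.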
     
  6. Electrone

    Electrone Member

    Joined:
    Jan 27, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Dear Sir,
    Thanks a lot for your help, but this will only watch FTP connections, right? So what about the File Manager from cPanel? Or does the File Manager connect using an FTP connection, which would be logged with logwatch?
    As I said, I have to confirm which user deleted that file: Apache (malicious code), the site user, or any other user on the server. I hope you bear with me on this, as this is very important from the security point of view. Thanks
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    No, you are exactly correct. My mistake; I'm not sure why I overlooked the part about using the File Manager.

    This might interest you: ConfigServer eXploit Scanner (cxs)

    I use it here and wouldn't go without it as part of my security setup.
     
  8. Electrone

    Electrone Member

    Joined:
    Jan 27, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    :)
    Thanks again, I already saw that site and I use their firewall; that tool is very good. But I can't test it, so I will get the answer from you, as you said you have it. Hmm, so that tool will notify me if it detects something (known scripts like shells, etc.) which could harm or own the server. OK, but what if the attacker just uses a 0-day code and makes Apache delete that file electrone.html? Will this tool log that Apache deleted that file with that specific HTTP request???
    I mean, will it log that electrone.html was deleted at time xxx with user name apache and HTTP request xxxxx???
    I hope you understand what I mean!

    Thanks
     