Audit directory permission changes in Red Hat Enterprise Linux
Q I am a Windows sysadmin at a marketing company. The company employs a number of developers who work on in-house marketing campaign software that runs on Red Hat Enterprise Linux. The other Windows administrator with Linux experience who used to manage these servers resigned, and the development team took over the administration of all Linux servers. After a conversation with my ex-colleague I've realised that the development team and their "let's get the job done" attitude often meant changing execute rights on root-only applications and allowing some restricted directories to be accessed by everyone. Now that I have to start involving myself with these servers, is it easy to audit all these changes?
A The only way to pick up all system modifications is to revise the disaster recovery procedures and bring up a replica of the production system from bare metal and a clean copy of the operating system. That should be something that upper management may be keen on backing, too. As a starter, however, RPM can help you determine which files on an installation have been modified. Running rpm -Va will show all files in all installed RPM packages that have been modified since installation. It is normal for some configuration to be changed, but watch out for files and directories that report any of the following failures:
M The permissions have been changed.
5 The file has changed.
U/G Ownership of the file has changed.
RPM is flexible enough to allow permissions and ownership to be set back to the original. For example, to recover 'M, U & G' failures reported for a particular package, run
# rpm --setperms <package>
# rpm --setugids <package>
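As an added example (not part of the original answer), the script below filters rpm -Va output down to the M, U and G failures listed above and names the owning packages, which are the ones to pass to --setperms and --setugids. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the permission/ownership failures out of `rpm -Va`.
# Function names are hypothetical; the sample lines are constructed.

# Constructed sample of `rpm -Va` output (flag string, optional marker, path).
sample_rpm_va() {
    cat <<'EOF'
.M.......    /usr/bin/example-tool
S.5....T.  c /etc/example.conf
.....UG..    /var/lib/example data
missing      /usr/share/doc/example/README
.M...UG..  c /etc/example.d/site.conf
EOF
}

# Reads `rpm -Va` output on stdin and prints "WHAT<TAB>PATH" for every entry
# whose flag string reports a mode (M), user (U) or group (G) change.
perm_changes() {
    awk '
        $1 !~ /^[SM5DLUGTP.?]+$/ { next }   # skip "missing ..." and other lines
        $1 ~ /[MUG]/ && match($0, /\//) {   # path starts at the first slash
            what = ""
            if ($1 ~ /M/) what = what "mode,"
            if ($1 ~ /U/) what = what "user,"
            if ($1 ~ /G/) what = what "group,"
            sub(/,$/, "", what)
            printf "%s\t%s\n", what, substr($0, RSTART)
        }'
}

# Reads perm_changes output and prints the unique owning package names.
# Needs rpm, so it only works on the RPM-based host being audited.
owning_packages() {
    cut -f2 | while IFS= read -r path; do
        rpm -qf --qf '%{NAME}\n' "$path"
    done | sort -u
}

# Demo on the constructed sample. On a real host, run as root:
#   rpm -Va | perm_changes
#   rpm -Va | perm_changes | owning_packages
sample_rpm_va | perm_changes
```

Review the list before resetting anything: a mode or owner change on a configuration file may be deliberate, while one on a binary or a restricted directory is the kind of change the question describes.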