How to detect on linux chmod of a file [closed]

Question

I have some applications that runs over my system. some of them are using the same configuration file.
Some of them when application is started change the permission of the file, like change it to 664 and also 644.
Those applications are run from the crontab, every day.
The reason I have this question is that for some configuration files I suddenly get permission of 640.
I want to know of a specific configuration file it's history. like Who change and when it's permission.

Thanks

Answer 1

You need to audit the permission file changing.

Created a file named /var/www/html/1

Edit /etc/audit/audit.rules. Add the following line then restart auditd:

-w /var/www/html/1

Then ran the following command.

chmod 777 /var/www/html/1

/var/log/audit/audit.log show you some like:

type=SYSCALL msg=audit(1349582090.742:414): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=17be0f0 a2=1ff a3=4000 items=1 ppid=2859 pid=3069 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1349582090.742:414):  cwd="/root"
type=PATH msg=audit(1349582090.742:414): item=0 name="/var/www/html/1" inode=6171184 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_content_t:s0

The solution is from: https://serverfault.com/questions/434483/monitor-or-log-directory-permission-changes