Showing results for 
Search instead for 
Did you mean: 

How to audit chmod?

Go to solution
Regular Advisor

How to audit chmod?

We have a situation where something/somebody changes group on an oracle file. How to audit who/what does it? chmod does not change the timestamp of the file, so we cannot even know when it is done.
Any information would be great.
James R. Ferguson
Acclaimed Contributor

Re: How to audit chmod?

Hi Olga:

You might look in the shell '.sh_history' file to see if you find any indication of interactive 'chmod' use.

You might also examine any script run as crontasks.

Changing the permissions or ownership or name of a file or directory will be reflected in the 'ctime' (change time) of the entity. That is, an:

# ls -lc

...will show the 'ctime'.

Be advised that this can be misleading, since many backup utilities will reset a file's last access timestamp ('atime' seen by 'ls -ul'). This change also toggles a change in the 'ctime'.

If the entity in question is a directory, any additions or deletions to the directory will change the directory's 'ctime'.



Re: How to audit chmod?

If you want to catch it in the future, you can turn on auditing.

Note: some sysadmin or DBA changed the permission.
Regular Advisor

Re: How to audit chmod?

We found that command crsctl that is part of the package shutdown changes the group of the executable.