cancel
Showing results for 
Search instead for 
Did you mean: 

How to audit chmod?

SOLVED
Go to solution
Olga_1
Regular Advisor

How to audit chmod?

We have a situation where something/somebody changes group on an oracle file. How to audit who/what does it? chmod does not change the timestamp of the file, so we cannot even know when it is done.
Any information would be great.
3 REPLIES
James R. Ferguson
Acclaimed Contributor
Solution

Re: How to audit chmod?

Hi Olga:

You might look in the shell '.sh_history' file to see if you find any indication of interactive 'chmod' use.

You might also examine any script run as crontasks.

Changing the permissions or ownership or name of a file or directory will be reflected in the 'ctime' (change time) of the entity. That is, an:

# ls -lc

...will show the 'ctime'.

Be advised that this can be misleading, since many backup utilities will reset a file's last access timestamp ('atime' seen by 'ls -ul'). This change also toggles a change in the 'ctime'.

If the entity in question is a directory, any additions or deletions to the directory will change the directory's 'ctime'.

Regards!

...JRF...
Dennis Handly
Acclaimed Contributor

Re: How to audit chmod?

If you want to catch it in the future, you can turn on auditing.

Note: some sysadmin or DBA changed the permission.
Olga_1
Regular Advisor

Re: How to audit chmod?

We found that command crsctl that is part of the package shutdown changes the group of the executable.