
How to track file and directory changes on the server with Plesk using auditd?


Applicable to:

  • Plesk for Linux

Question

  • How to use auditd to monitor/track changes, who or what creates/modifies/deletes files on a Linux system?

Answer

  1. Connect to the server via SSH

  2. Install auditd (the package that provides the auditctl and ausearch tools; on RedHat-based systems it is usually present already):
    • Debian-based OS:

      # apt-get install -y auditd

    • RedHat-based OS (the package is named audit):

      # yum install -y audit

    Make sure the daemon is enabled and running, otherwise events are not written to /var/log/audit/audit.log:

      # systemctl enable --now auditd

  3. Add the monitoring rule (the path is an example; use the directory of the domain in question):

    # auditctl -w /var/www/vhosts/example.com -p war -k web_access

    -w: watch the specified file system object (here a directory; the watch covers all files and subdirectories below it).
    -p: the kinds of access to record:
        w - write: changing the contents of a file or directory (create, modify, delete)
        a - attribute change: changes to metadata (permissions, owner, SELinux labels, etc.)
        r - read: reading a file or directory
        (x - execute, is also available but not needed here)
    -k web_access: a key that tags every matching event so it can be found later with ausearch -k.

    Note: the r flag records every read, including each time the web server serves a file from this directory, so on a busy site it fills /var/log/audit/ very quickly. If only changes are of interest, use -p wa. Rules added with auditctl are not persistent: they are gone after auditd restarts or the server reboots. To keep the rule, place the same line (without the auditctl prefix) in a file under /etc/audit/rules.d/ and load it with augenrules --load.

  4. Check that the rule was added:

    # auditctl -l

  5. Once a file has been changed, review the recorded events. The -i option replaces numeric IDs (uid, syscall number, timestamp) with readable names; -f selects events by file name, -k by the key set in step 3:

    # ausearch -f index.html -i
    # ausearch -k web_access -i

    Each event consists of several records. The SYSCALL record shows who acted: auid is the user who originally logged in (it survives su and sudo), uid is the user the process ran as, exe is the program used and success=yes/no is the outcome. The PATH records name the affected file and its parent directory, and CWD the working directory of the process.

  6. Once the investigation is over, remove the rules. Note that -D deletes all loaded audit rules, not only the one added above; if the rule was persisted under /etc/audit/rules.d/, delete that file as well:

    # auditctl -D

    Stop and disable auditd only if it was installed for this investigation and nothing else relies on it (on RedHat-based systems it is enabled by default and other security tooling or compliance requirements may depend on it):

    # systemctl stop auditd.service
    # systemctl disable auditd.service

    On RedHat-based systems the auditd unit refuses to be stopped through systemctl (RefuseManualStop); use the legacy service command to stop it instead.
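The whole procedure as one script, added here as an example and not part of the Plesk article: it writes the watch rule persistently under /etc/audit/rules.d (the file name 60-plesk-web_access.rules is an assumption), loads it, and reduces `ausearch -k web_access -i` output to one line per event answering "who changed which file, with what". The vhost path and key are the article's example values; SAMPLE_AUSEARCH is a hand-constructed excerpt in the shape ausearch -i prints, not a real capture.

```sh
#!/bin/sh
# Added example (not from the Plesk article): persist the auditd watch from the
# steps above and boil `ausearch -i` output down to "who changed which file".
# Assumed values: vhost directory /var/www/vhosts/example.com, key web_access,
# rules file /etc/audit/rules.d/60-plesk-web_access.rules. SAMPLE_AUSEARCH is
# constructed by hand in the shape ausearch -i prints; it is not a real capture.
set -eu

VHOST_DIR="${VHOST_DIR:-/var/www/vhosts/example.com}"
AUDIT_KEY="${AUDIT_KEY:-web_access}"
RULES_FILE="/etc/audit/rules.d/60-plesk-${AUDIT_KEY}.rules"

# Rule text. Only writes and attribute changes are watched: adding 'r' would log
# every read the web server makes in the docroot and flood /var/log/audit.
audit_rules() {
    printf -- '-w %s -p wa -k %s\n' "$VHOST_DIR" "$AUDIT_KEY"
}

# Write the rule under /etc/audit/rules.d so it survives a reboot (rules added
# with a bare auditctl are lost on restart), then compile and load it.
install_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "install_rules: must run as root" >&2; return 1; }
    audit_rules > "$RULES_FILE"
    augenrules --load
    auditctl -l | grep -F -- "-k $AUDIT_KEY"
}

# Read interpreted records (`ausearch -k KEY -i`) on stdin and print one line per
# event: <time> auid=<login user> uid=<acting user> syscall=<name> exe=<binary> file=<path>
# auid is the user who logged in and survives su/sudo, so it answers "who did it"
# even when the change was made as root or as the subscription's system user.
summarize_events() {
    awk '
    function flush() {
        if (id != "") {
            printf "%s auid=%s uid=%s syscall=%s exe=%s file=%s\n", ts, auid, uid, sc, exe, file
        }
        id = ""; ts = ""; auid = ""; uid = ""; sc = ""; exe = ""; file = ""
    }
    /^----/ { flush(); next }
    {
        # every record of one event carries the same msg=audit(<time>:<serial>)
        if (match($0, /msg=audit\([^)]*\)/) == 0) next
        evt = substr($0, RSTART + 10, RLENGTH - 11)
        if (evt != id) { flush(); id = evt; ts = evt; sub(/:[0-9]+$/, "", ts) }
        if ($1 == "type=SYSCALL") {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "syscall") sc = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
            }
        }
        # PATH records: keep the object that was touched, skip its parent directory
        if ($1 == "type=PATH" && $0 !~ /nametype=PARENT/) {
            for (i = 1; i <= NF; i++) if (index($i, "name=") == 1) file = substr($i, 6)
        }
    }
    END { flush() }'
}

# Constructed sample: an edit with vi as the subscription user, then an rm as root,
# both done from the login session of "admin" (auid=admin).
SAMPLE_AUSEARCH=$(cat <<'EOF'
----
type=PROCTITLE msg=audit(01/20/2024 10:15:32.123:456) : proctitle=vi index.html
type=PATH msg=audit(01/20/2024 10:15:32.123:456) : item=1 name=/var/www/vhosts/example.com/httpdocs/index.html inode=262415 dev=fd:01 mode=file,644 ouid=user1 ogid=psacln rdev=00:00 nametype=NORMAL
type=PATH msg=audit(01/20/2024 10:15:32.123:456) : item=0 name=/var/www/vhosts/example.com/httpdocs/ inode=262401 dev=fd:01 mode=dir,755 ouid=user1 ogid=psaserv rdev=00:00 nametype=PARENT
type=CWD msg=audit(01/20/2024 10:15:32.123:456) : cwd=/var/www/vhosts/example.com/httpdocs
type=SYSCALL msg=audit(01/20/2024 10:15:32.123:456) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55d2c3f0 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=4410 pid=4471 auid=admin uid=user1 gid=psacln euid=user1 suid=user1 fsuid=user1 egid=psacln sgid=psacln fsgid=psacln tty=pts0 ses=7 comm=vi exe=/usr/bin/vi key=web_access
----
type=PROCTITLE msg=audit(01/20/2024 10:17:05.880:461) : proctitle=rm old.html
type=PATH msg=audit(01/20/2024 10:17:05.880:461) : item=1 name=/var/www/vhosts/example.com/httpdocs/old.html inode=262420 dev=fd:01 mode=file,644 ouid=user1 ogid=psacln rdev=00:00 nametype=DELETE
type=PATH msg=audit(01/20/2024 10:17:05.880:461) : item=0 name=/var/www/vhosts/example.com/httpdocs/ inode=262401 dev=fd:01 mode=dir,755 ouid=user1 ogid=psaserv rdev=00:00 nametype=PARENT
type=CWD msg=audit(01/20/2024 10:17:05.880:461) : cwd=/var/www/vhosts/example.com/httpdocs
type=SYSCALL msg=audit(01/20/2024 10:17:05.880:461) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffff9c a1=0x55e1a7b0 a2=0x0 a3=0x0 items=2 ppid=4410 pid=4502 auid=admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=rm exe=/usr/bin/rm key=web_access
EOF
)

# Run the summary over the constructed sample (offline, no auditd needed).
demo_summary() {
    printf '%s\n' "$SAMPLE_AUSEARCH" | summarize_events
}

case "${1:-demo}" in
    install) install_rules ;;                                  # as root: persist and load the rule
    report)  ausearch -k "$AUDIT_KEY" -i | summarize_events ;; # summarize live events
    demo)    demo_summary ;;
esac
```

Run it as root with `install` to persist and load the rule, with `report` to summarize the events recorded so far, and with no argument to exercise the parser on the built-in sample, which yields one line per event such as `01/20/2024 10:17:05.880 auid=admin uid=root syscall=unlinkat exe=/usr/bin/rm file=/var/www/vhosts/example.com/httpdocs/old.html`. The auid column is the point of the exercise: the deletion ran as root, but the audit trail still names the account that logged in. When finished, remove the rules file and run `auditctl -D` as in step 6; on RedHat-based systems `service auditd stop` is needed instead of systemctl if the daemon really has to be stopped.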