Warning: Please keep in mind that the investigation of file modification is a task that is best suited for a systems administrator. Although this is not a cPanel related issue, we hope that the following guide will serve as a helpful resource.
cPanel support cannot assist with implementing the techniques below. Instead please reach out to a systems administrator for assistance.
Question
How to investigate unintended file modifications?
Answer
First and foremost, collect the timestamp information of the file with the following command:
# stat /root/testfile.txt
Each timestamp has a different use:
- Access - the last time the file was read
- Modify - the last time the file was modified (content has been modified)
- Change - the last time meta data of the file was changed (e.g. permissions)
Now that you have the timestamp information for the file start by checking related logs. This can take some outside of the box thinking based on what you know about the file and what kind of services may be interacting with it. A good first log to check is the cron log at:
- /var/log/cron
If, after reviewing related logs you come up short, you can monitor the file to see when it is modified. Below are basic instructions for modifying a file with Auditd.
Monitor a File with Audit Rules (auditctl / ausearch)
Most cPanel servers will come with Audit installed and ready to use by default. If Audit is not working for you, it is possible that you'll need to review the installation guide below to ensure that it is installed and enabled:
Comments
0 comments
Article is closed for comments.