{"id":132,"date":"2014-09-05T16:06:09","date_gmt":"2014-09-05T14:06:09","guid":{"rendered":"http:\/\/www.olivierdoucet.info\/blog\/?p=132"},"modified":"2014-09-05T16:06:09","modified_gmt":"2014-09-05T14:06:09","slug":"auditd-troubleshoot-file-reads","status":"publish","type":"post","link":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/","title":{"rendered":"Using auditd to troubleshoot file reads"},"content":{"rendered":"

Today I will talk about auditd, a very powerfull tool to debug anything you need in a linux platform. In this very case, I had a problem with a mail server using all IO available. ‘iostat’ command told me it was reads ops that saturate it. A mail server has many process, so using \u00ab\u00a0strace\u00a0\u00bb is not helpful here. I choose to use auditd.<\/p>\n

<\/p>\n

auditd is using watch expressions to know what to report. By default, it will write to \/var\/log\/audit\/audit.log (at least on RHEL \/ CentOS). Take care to file size, it will grow soon \ud83d\ude09<\/p>\n

For my specific problem, I wanted to know all read ops to folder \/home\/vpopmail\/domains. Syntax to add the watch is :<\/p>\n

auditctl -w \/home\/vpopmail\/domains -p r<\/pre>\n
Let it play for a couple of minutes. To stop auditing, just replace -w by -W like this :<\/p>\n
 auditctl -W \/home\/vpopmail\/domains -p r<\/pre>\n
Then, inspect log file produced. A sample look like this :<\/p>\n
type=CWD msg=audit(1409925299.701:2195329): cwd=\"\/home\/vpopmail\/domains\/0\/redacted.com\/sarah.vardon\/Maildir\"\r\ntype=PATH msg=audit(1409925299.701:2195329): item=0 name=\".\/courierimapkeywords\/.4668285.1400358789.18892.mail.redacted.com,S=2782\" inode=2725095 dev=00:13 mode=0100644 ouid=89 ogid=89 rdev=00:00 nametype=NORMAL\r\ntype=SYSCALL msg=audit(1409925299.701:2195330): arch=40000003 syscall=5 success=yes exit=5 a0=90916b0 a1=0 a2=1b6 a3=0 items=1 ppid=13531 pid=7369 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 ses=229253 tty=(none) comm=\"imapd\" exe=\"\/usr\/local\/courier-imap\/bin\/imapd\" key=(null)<\/pre>\n
 <\/p>\n
You can report to this documentation for fields explanations :\u00a0http:\/\/doc.opensuse.org\/products\/draft\/SLES\/SLES-security_sd_draft\/cha.audit.comp.html<\/a><\/p>\n
I wanted to see TOP user accounts used by imapd process (it was a QMail install). By default, this process chdir to userbox\/Maildir. So with command line tools, I can create a TOP of these accounts :<\/p>\n
$ cat \/var\/log\/audit\/audit.log |fgrep CWD |awk '{print $3}' |sort |uniq -c |sort -rn |head\r\n213 cwd=\"\/home\/vpopmail\/domains\/0\/redacted.com\/sarah.dupont\/Maildir\"\r\n12 cwd=\"\/home\/vpopmail\/domains\/redacted2.net\/vincent\/Maildir\"\r\n6 cwd=\"\/home\/vpopmail\/domains\/0\/redacted.com\/rose.la\/Maildir\"<\/pre>\n
So now I do have the top mailboxes accessed with operations done inside. If a specific account is doing too much pressure, I can inspect a specific mailbox a little further.<\/p>\n
Conclusion : One day, I’ll move this server from Qmail to Postfix, I swear \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Today I will talk about auditd, a very powerfull tool to debug anything you need in a linux platform. In this very case, I had a problem with a mail server using all IO available. ‘iostat’ command told me it was reads ops that saturate it. A mail server has many process, so using \u00ab\u00a0strace\u00a0\u00bb … Continuer la lecture de Using auditd to troubleshoot file reads<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[60,30],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-informatique","tag-auditd","tag-linux"],"yoast_head":"\nUsing auditd to troubleshoot file reads - My thoughts<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using auditd to troubleshoot file reads - My thoughts\" \/>\n<meta property=\"og:description\" content=\"Today I will talk about auditd, a very powerfull tool to debug anything you need in a linux platform. In this very case, I had a problem with a mail server using all IO available. ‘iostat’ command told me it was reads ops that saturate it. A mail server has many process, so using \u00ab\u00a0strace\u00a0\u00bb … Continuer la lecture de Using auditd to troubleshoot file reads →\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/\" \/>\n<meta property=\"og:site_name\" content=\"My thoughts\" \/>\n<meta property=\"article:published_time\" content=\"2014-09-05T14:06:09+00:00\" \/>\n<meta name=\"author\" content=\"Olivier\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@odoucet\" \/>\n<meta name=\"twitter:site\" content=\"@odoucet\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olivier\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/\",\"url\":\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/\",\"name\":\"Using auditd to troubleshoot file reads - My thoughts\",\"isPartOf\":{\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/#website\"},\"datePublished\":\"2014-09-05T14:06:09+00:00\",\"author\":{\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/#\/schema\/person\/d093cada9eddc4839cbae3de5c823a39\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.olivierdoucet.info\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using auditd to troubleshoot file reads\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/#website\",\"url\":\"https:\/\/www.olivierdoucet.info\/blog\/\",\"name\":\"My thoughts\",\"description\":\"En fran\u00e7ais and in english :)\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.olivierdoucet.info\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/#\/schema\/person\/d093cada9eddc4839cbae3de5c823a39\",\"name\":\"Olivier\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/www.olivierdoucet.info\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e75f77ace92ccb2dfab09f226ce3d329?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e75f77ace92ccb2dfab09f226ce3d329?s=96&d=mm&r=g\",\"caption\":\"Olivier\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using auditd to troubleshoot file reads - My thoughts","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/","og_locale":"fr_FR","og_type":"article","og_title":"Using auditd to troubleshoot file reads - My thoughts","og_description":"Today I will talk about auditd, a very powerfull tool to debug anything you need in a linux platform. In this very case, I had a problem with a mail server using all IO available. ‘iostat’ command told me it was reads ops that saturate it. A mail server has many process, so using \u00ab\u00a0strace\u00a0\u00bb … Continuer la lecture de Using auditd to troubleshoot file reads →","og_url":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/","og_site_name":"My thoughts","article_published_time":"2014-09-05T14:06:09+00:00","author":"Olivier","twitter_card":"summary_large_image","twitter_creator":"@odoucet","twitter_site":"@odoucet","twitter_misc":{"\u00c9crit par":"Olivier","Dur\u00e9e de lecture estim\u00e9e":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/","url":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/","name":"Using auditd to troubleshoot file reads - My thoughts","isPartOf":{"@id":"https:\/\/www.olivierdoucet.info\/blog\/#website"},"datePublished":"2014-09-05T14:06:09+00:00","author":{"@id":"https:\/\/www.olivierdoucet.info\/blog\/#\/schema\/person\/d093cada9eddc4839cbae3de5c823a39"},"breadcrumb":{"@id":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.olivierdoucet.info\/blog\/2014\/09\/05\/auditd-troubleshoot-file-reads\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.olivierdoucet.info\/blog\/"},{"@type":"ListItem","position":2,"name":"Using auditd to troubleshoot file reads"}]},{"@type":"WebSite","@id":"https:\/\/www.olivierdoucet.info\/blog\/#website","url":"https:\/\/www.olivierdoucet.info\/blog\/","name":"My thoughts","description":"En fran\u00e7ais and in english :)","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.olivierdoucet.info\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/www.olivierdoucet.info\/blog\/#\/schema\/person\/d093cada9eddc4839cbae3de5c823a39","name":"Olivier","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.olivierdoucet.info\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e75f77ace92ccb2dfab09f226ce3d329?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e75f77ace92ccb2dfab09f226ce3d329?s=96&d=mm&r=g","caption":"Olivier"}}]}},"_links":{"self":[{"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/comments?post=132"}],"version-history":[{"count":1,"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":133,"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/posts\/132\/revisions\/133"}],"wp:attachment":[{"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/media?parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/categories?post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.olivierdoucet.info\/blog\/wp-json\/wp\/v2\/tags?post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}