Wednesday, November 26, 2025

Auditing File Changes in Linux: A DBA’s Quick Guide (auditctl vs strace)


Intro:
As database administrators, we’re sometimes asked not for deep forensics, but simply: “Who changed that file, using what command, and when?” After a recent incident, I set out to compare two popular Linux tools—auditctl and strace—to see which delivers a straightforward audit trail with minimal fuss.

Main Content:
Objectives:

  • Audit changes to a Linux file

  • Identify the command/user/time of change

  • Minimal setup, easy rollback

Options Explored:

  1. auditctl (the Linux audit framework)

  2. strace (versatile process tracing tool)

Quick Summary of Both Methods:

  • auditctl — Minimal overhead, decent info for investigations, but needs root access.

  • strace — Great for process-level tracing, accessible to non-root users (if you own the process), but can create overwhelming output.

Sample Commands from My Lab:

auditctl -w /home/oracle/dba/testaudit/file.out -p rwa -k file_change_watch1

strace -o /tmp/stracefilechng2.out -fftttTyy -p <pid>

Pros & Cons Table:

| Tool | Pros | Cons |
|------|------|------|
| auditctl | Lightweight, easy, time-bounded, easy rollback | Needs root |
| strace | User-accessible, customizable output | Too verbose, not explicitly file-centric |


Raw Output:


Explore Auditctl:

log file: /var/log/audit/audit.log

auditctl -l

auditctl -w /home/oracle/dba/testaudit/file.out -p rwa -k file_change_watch1

list the audit rules: auditctl -l

ausearch -k file_change_watch

historical commands:

  syscalls: aureport -s

  user executables: aureport -x

  user activities: aureport -u

rollback: auditctl -W /home/oracle/dba/testaudit/file.out -p rwa -k file_change_watch

Auditctl:

time->Tue Nov 25 23:16:08 2025

type=CONFIG_CHANGE msg=audit(1764112568.801:1139): auid=54321 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="file_change_watch" list=4 res=1

----

time->Tue Nov 25 23:16:30 2025

type=PROCTITLE msg=audit(1764112590.315:1140): proctitle=7669002F686F6D652F6F7261636C652F6462612F7465737461756469742F66696C652E6F7574

type=PATH msg=audit(1764112590.315:1140): item=0 name="/home/oracle/dba/testaudit/file.out" inode=34093864 dev=fd:00 mode=0100644 ouid=54321 ogid=54321 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

type=CWD msg=audit(1764112590.315:1140):  cwd="/home/oracle/dba/testaudit"

type=SYSCALL msg=audit(1764112590.315:1140): arch=c000003e syscall=2 success=yes exit=3 a0=1e0a7a0 a1=0 a2=0 a3=7ffc94f41590 items=1 ppid=5273 pid=9021 auid=54321 uid=54321 gid=54321 euid=54321 suid=54321 fsuid=54321 egid=54321 sgid=54321 fsgid=54321 tty=pts1 ses=7 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="file_change_watch"

----
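
Added example (not from the original post): a small Python parser that correlates the PROCTITLE, PATH and SYSCALL records of one audit event by serial number and answers who, what command, when, and whether the open was for writing. Event 1140 above is a read-only open (syscall=2, a1=0), so a `-p rwa` watch also fires on reads. The second event is constructed, and the flag-argument mapping assumes x86_64 syscall numbers.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Event 1140 is shortened from the log above; event 1141 is a constructed write-open.
SAMPLE = """\
type=PROCTITLE msg=audit(1764112590.315:1140): proctitle=7669002F686F6D652F6F7261636C652F6462612F7465737461756469742F66696C652E6F7574
type=PATH msg=audit(1764112590.315:1140): item=0 name="/home/oracle/dba/testaudit/file.out"
type=SYSCALL msg=audit(1764112590.315:1140): arch=c000003e syscall=2 success=yes a0=1e0a7a0 a1=0 a2=0 auid=54321 exe="/usr/bin/vi"
type=PATH msg=audit(1764112596.100:1141): item=0 name="file.out"
type=SYSCALL msg=audit(1764112596.100:1141): arch=c000003e syscall=2 success=yes a0=1e0b000 a1=241 a2=1a4 auid=54321 exe="/usr/bin/vi"
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
FLAGS_ARG = {"2": "a1", "257": "a2"}  # x86_64: flags argument of open(2) / openat(2)

def proctitle(value):
    """auditd logs argv quoted when printable, otherwise as hex with NUL separators."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).replace(b"\0", b" ").decode(errors="replace")

def summarize(log_text):
    """Correlate records by event serial; return one summary per SYSCALL event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, epoch, serial, body = m.groups()
            events[serial].update({rtype: dict(FIELD.findall(body)), "epoch": int(epoch)})
    out = []
    for serial, ev in events.items():
        sc = ev.get("SYSCALL")
        if sc is None:
            continue
        arg = FLAGS_ARG.get(sc.get("syscall"))
        # Access mode is the low two bits of the flags: 0 = O_RDONLY, 1 = O_WRONLY, 2 = O_RDWR
        write = arg is not None and (int(sc[arg], 16) & 3) != 0
        out.append({
            "serial": int(serial), "auid": sc.get("auid"), "exe": sc.get("exe", "").strip('"'),
            "when_utc": datetime.fromtimestamp(ev["epoch"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "path": ev.get("PATH", {}).get("name", "").strip('"'),
            "cmdline": proctitle(ev["PROCTITLE"]["proctitle"]) if "PROCTITLE" in ev else "",
            "opened_for_write": write,
        })
    return out

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

On a live host, `ausearch -k file_change_watch -i` interprets the numeric fields and the hex proctitle for you; the parser is useful when only a copy of audit.log is available.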


Strace (after post processing using a parser):

strace -o /tmp/stracefilechng2.out -fftttTyy -p <pid>

[hostname]$ ./straceprocess_v3.bash /tmp/stracefilechng2.out.9360

Processing file: /tmp/stracefilechng2.out.9360


Timestamp: [2025-11-25 23:22:15.914404], Executed: /usr/bin/vi

    File operated: /etc/ld.so.cache | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.922599)

    File operated: /lib64/libselinux.so.1 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.922812)

    File operated: /lib64/libtinfo.so.5 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.923483)

    File operated: /lib64/libacl.so.1 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.923810)

    File operated: /lib64/libc.so.6 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.924325)

    File operated: /lib64/libpcre.so.1 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.924707)

    File operated: /lib64/libdl.so.2 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.925105)

    File operated: /lib64/libattr.so.1 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.925598)

    File operated: /lib64/libpthread.so.0 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.926035)

    File operated: /usr/lib/locale/locale-archive | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.934372)

    File operated: . | Mode: O_RDONLY (at 2025-11-25 23:22:15.937359)

    File operated: /usr/share/terminfo/x/xterm | Mode: O_RDONLY (at 2025-11-25 23:22:15.941108)

    File operated: . | Mode: O_RDONLY (at 2025-11-25 23:22:15.942247)

    File operated: /etc/virc | Mode: O_RDONLY (at 2025-11-25 23:22:15.942614)

    File operated: . | Mode: O_RDONLY (at 2025-11-25 23:22:15.943293)

    File operated: /home/oracle/.vimrc | Mode: O_RDONLY (at 2025-11-25 23:22:15.943822)

    File operated: /home/oracle/_vimrc | Mode: O_RDONLY (at 2025-11-25 23:22:15.943870)

    File operated: . | Mode: O_RDONLY (at 2025-11-25 23:22:15.943917)

    File operated: /home/oracle/.vim/vimrc | Mode: O_RDONLY (at 2025-11-25 23:22:15.944241)

    File operated: . | Mode: O_RDONLY (at 2025-11-25 23:22:15.944287)

    File operated: /home/oracle/.exrc | Mode: O_RDONLY (at 2025-11-25 23:22:15.944831)

    File operated: /etc/nsswitch.conf | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.957681)

    File operated: /etc/ld.so.cache | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.958052)

    File operated: /lib64/libnss_files.so.2 | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.958334)

    File operated: /etc/passwd | Mode: O_RDONLY|O_CLOEXEC (at 2025-11-25 23:22:15.958948)

    File operated: /home/oracle/dba/testaudit/file.out | Mode: O_RDONLY (at 2025-11-25 23:22:15.961930)

    File operated: /home/oracle/dba/testaudit/.file.out.swp | Mode: O_RDONLY (at 2025-11-25 23:22:15.962117)

    File operated: /home/oracle/dba/testaudit/.file.out.swp | Mode: O_RDWR|O_CREAT|O_EXCL (at 2025-11-25 23:22:15.962194)

    File operated: /home/oracle/dba/testaudit/.file.out.swx | Mode: O_RDONLY (at 2025-11-25 23:22:15.962369)

    File operated: /home/oracle/dba/testaudit/.file.out.swx | Mode: O_RDWR|O_CREAT|O_EXCL (at 2025-11-25 23:22:15.962411)

    File operated: /home/oracle/dba/testaudit/.file.out.swp | Mode: O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW (at 2025-11-25 23:22:15.962939)

    File operated: 4913 | Mode: O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW (at 2025-11-25 23:22:21.357528)

    File operated: file.out | Mode: O_WRONLY|O_CREAT|O_TRUNC (at 2025-11-25 23:22:21.358269)


Code for straceprocess_v3.bash

#!/bin/bash
# Usage: ./straceprocess_v3.bash strace_output_file(s)
# Needs gawk: the three-argument match() and strftime() are gawk extensions.

for file in "$@"; do
    echo "Processing file: $file"
    gawk '
    function humantime(ts,    parts, out) {
        # Split timestamp into seconds and microseconds
        split(ts, parts, ".")
        # Format inside gawk instead of piping to date(1): trace-file text
        # never reaches a shell command line, and no process is spawned per line
        out = strftime("%Y-%m-%d %H:%M:%S", parts[1] + 0)
        if (length(parts) > 1) {
            out = out "." parts[2]
        }
        return out
    }
    # Program start: report the executed binary
    /execve\(/ {
        ts = $1
        ht = humantime(ts)
        match($0, /execve\("([^"]+)"/, arr)
        bin = arr[1]
        if (bin != "") {
            printf("\nTimestamp: [%s], Executed: %s\n", ht, bin)
        }
    }
    # File opens: report the path and the argument that follows it
    /(open|openat|creat)\(/ {
        ts = $1
        ht = humantime(ts)
        # The optional group skips the dirfd argument that precedes the path in openat()
        if (match($0, /(open|openat|creat)\(([^"]*, )?"([^"]+)", ([^,)]*)/, arr)) {
            fileop = arr[3]
            mode = arr[4]
            if (fileop != "") {
                printf("    File operated: %s | Mode: %s (at %s)\n", fileop, mode, ht)
            }
        }
    }
    ' "$file"
    echo ""
done



Sunday, November 23, 2025

Building and Customizing a Chrome Extension: My Experience with "Simple Auto Clicker"

Introduction

Recently, I set out to create my own Chrome extension to automate button clicks with controlled delay and repetition. As both a learning exercise and a practical tool, the aim was to build an extension that could repeatedly click any button I choose, based on CSS selectors I provide.



The Inspiration

The idea for building this Chrome extension originally came from my own need for an auto-click tool, but as I started researching, I stumbled upon a Reddit post from another user asking for the exact same functionality. It was encouraging to see that others had the same requirement—it confirmed the utility of this project and motivated me to share my approach and code.

Tools Used

  • Comet AI browser (Perplexity)

  • Portable Chrome (for easy extension testing)


Development Steps

  1. Prompting Perplexity:
    I need a chrome extension which auto clicks a button with delay for the number of times exactly I ask. The button (css code) will be fed manually. Give me the complete code for it.


  2. Coding:
    I received complete sample code, which included:

    • manifest.json

    • popup.html

    • popup.js


Download it here: https://github.com/svrajadba/BrowserExtension_SimpleAutoClick


  3. Testing:
    Using Portable Chrome, I enabled Developer Mode and loaded the unpacked extension folder. This made it easy to test and refine the auto-click functionality.


  4. Reverse-generate the prompt (Perplexity again) to sum up all your fix-up routine, so that the prompt can become a customizable request for future enhancements.


Generate a prompt which does the following:

1. develop the code you gave me in the last response

2. the prompt should provide me with options to tweak and customize the code further.


Result:


Objective:

Develop and customize a Chrome extension with the following requirements:


PART 1: Initial Development

Implement a Manifest V3 Chrome extension named "Simple Auto Clicker".


Provide the full project structure: manifest.json, popup.html, and popup.js.


The popup must allow the user to input:


Any CSS selector (for target element to click)


A delay (in milliseconds) before each click


The number of times to recursively click the element


On clicking the "Auto Click" button, execute the clicking logic on the active tab according to the user’s inputs.


No need for listing detected buttons on the page—just use the user-supplied selector.


PART 2: Customization Options

Provide code, documentation, and examples for the following customization enhancements:


Trigger Mode:


Option to auto-click when the page loads or on a specific event (e.g., DOMContentLoaded, dynamic element appearance, navigation).


Multiple Selectors:


Allow the user to enter and manage multiple selectors for clicking different elements.


Advanced Timing:


Add support for random delay intervals, custom delay patterns, or more complex scheduling (e.g., click every X seconds for Y minutes).


Condition Checks:


Add advanced conditional logic: only click if element is visible, enabled, or contains specific inner text.


Click Type:


Offer the ability to emulate different click events (e.g., mouse events, double-clicks).


Reporting:


Create status or history logs in the popup UI showing click results, errors, or element information.


Error Handling:


Provide robust error management for missing selectors, failed clicks, or protected DOM elements (e.g., shadow DOM, iframe).


Integration:


Include options to trigger extension actions from a keyboard shortcut, context menu, or with REST API hooks.


Extra:


Document how to package and install the extension.


Comment and explain the code in detail, guiding customization for users with different skill levels.


Include example selectors for real web applications (YouTube Skip Ad, form submit buttons, shopping sites, etc.).


Features Implemented

  • Manifest V3 Chrome extension named "Simple Auto Clicker"

  • Inputs for:

    • Any CSS selector (user supplied)

    • Delay between clicks (in ms)

    • Number of repetitions

The auto-click logic is triggered via the extension popup—no automatic button detection; the user supplies the selector.


Testing and Results

To verify functionality, I opened YouTube and used the extension with:

  • Selector: .ytp-play-button

  • Delay: 5000ms

  • Repeat: 6


Result: The YouTube video paused and played 3 times as expected, which corresponds to 6 clicks of the desired button.


Conclusion:
Developing and customizing Chrome extensions is accessible and rewarding, especially with AI-powered tools for ideation and coding support. “Simple Auto Clicker” is a great foundation for further automation and browser experimentation.


Ingest csv data into Apache Iceberg using spark notebook

  Objective: Ingest csv data into Apache Iceberg using spark notebook Steps: 1. Start our VM 2. start our docker containers cd /opt/de [root...