Introduction

Imagine this: You’re managing a WordPress site hosted on an AWS EC2 instance, and suddenly, critical files like wp-config.php or theme directories start behaving oddly. Permissions are mysteriously changing, exposing your site to security risks. Worse, with six users having SSH and root access, pinpointing the culprit feels like finding a needle in a haystack.

File permission changes might seem harmless, but they can lead to broken functionality, data leaks, or even full system compromises. In this guide, I’ll show you how to identify who’s altering file permissions on your Ubuntu server and automate alerts to stay ahead of unauthorized changes. Whether you’re a sysadmin or a developer, these steps will help you secure your EC2 instance like a pro.

---

Why Track File Permission Changes?

Before diving into the how, let’s address the why:

• Security Risks: Misconfigured permissions can expose sensitive files (e.g., wp-config.php stores database credentials).
• Compliance: Many regulations (GDPR, HIPAA) require audit trails for accountability.
• Troubleshooting: Quickly resolve “Permission Denied” errors by knowing who changed what.

---

Step 1: Manual Investigation Using auditd

What is auditd?

The Linux Audit Framework (auditd) is a powerful tool for logging system events, including file modifications, user commands, and permission changes. It’s pre-installed on most Linux distributions, including Ubuntu.

Setting Up Audit Rules

Install and Start auditd:

sudo apt update && sudo apt install auditd -y
sudo systemctl start auditd && sudo systemctl enable auditd

Create a Custom Rule:

Let’s monitor your WordPress directory (/var/www/html):

sudo auditctl -w /var/www/html -p wa -k file_permission_change

-w: Watch the directory.
-p wa: Log write and attribute changes (e.g., chmod, chown).
-k: Assign a keyword (file_permission_change) for easy log filtering.

Check Logs Manually:

sudo ausearch -k file_permission_change -i

This command parses logs for permission changes.

---

Decoding the Logs

Here’s a sample log entry you might encounter:

time->Tue Mar  4 10:53:17 2025
type=PROCTITLE msg=audit(...): proctitle=63686F776E00726F6F743A726F6F7400696E6465782E706870
type=PATH msg=audit(...): item=0 name="index.php"
type=CWD msg=audit(...): cwd="/var/www/permission-test"
type=SYSCALL msg=audit(...): auid=1000 uid=0 comm="chown" exe="/usr/bin/chown"

• Decode Hex Values:
  The proctitle field is in hex. Convert it to plaintext:

echo "63686F776E00726F6F743A726F6F7400696E6465782E706870" | xxd -r -p
# Output: chown.root:root.index.php

• Key Fields:

User: auid=1000 (Original user) → Use getent passwd 1000 to find the username.
File Affected: name=”index.php”
Timestamp: Tue Mar 4 10:53:17 2025
Working Directory: cwd=”/var/www/permission-test”

---

Step 2: Automate Alerts with Readable Email Notifications

Manually checking logs isn’t scalable. Let’s automate alerts to send actionable details to your inbox.

Script to Parse and Send Alerts
Create a script (/opt/audit-alert.sh):

#!/bin/bash
LOG_FILE="/var/log/audit/audit.log"
ALERT_KEY="file_permission_change"

process_entry() {
  entry="$1"
  timestamp=$(grep -oP "time->\K.*" <<< "$entry")
  proctitle_hex=$(grep -oP "proctitle=\K\w+" <<< "$entry")
  affected_file=$(grep -oP 'name="\K[^"]+' <<< "$entry")
  cwd=$(grep -oP 'cwd="\K[^"]+' <<< "$entry")
  auid=$(grep -oP "auid=\K\w+" <<< "$entry")
  username=$(getent passwd "$auid" | cut -d: -f1)
  
  # Decode hex command
  command_decoded=$(echo "$proctitle_hex" | xxd -r -p | tr '\0' ' ')

  # Format email
  echo "ALERT: File Permission Change Detected!"
  echo "User: $username (UID: $auid)"
  echo "File Affected: $affected_file"
  echo "Timestamp: $timestamp"
  echo "Working Directory: $cwd"
  echo "Command Executed: $command_decoded"
}

tail -n0 -F "$LOG_FILE" | while read line; do
  if echo "$line" | grep -q "key=\"$ALERT_KEY\""; then
    entry_data=$(sed -n '/^time=/H; /^type=SYSCALL/{x; p; q}')
    email_content=$(process_entry "$entry_data")
    echo "$email_content" | mail -s "EC2 Permission Change Alert" [email protected]
  fi
done

---

How It Works

• Monitors Logs in Real-Time: Uses tail -F to watch for new entries.
• Extracts Critical Data: Decodes hex values and maps user IDs to names.
• Sends Readable Alerts: Formats the email for clarity.

---

Sample Email Output

ALERT: File Permission Change Detected!  
User: ubuntu (UID: 1000)  
File Affected: index.php  
Timestamp: Tue Mar  4 10:53:17 2025  
Working Directory: /var/www/permission-test  
Command Executed: chown root:root index.php  

---

Step 3: Production Precautions

• Test First: Run the script in a non-production environment.
• Limit Permissions:

sudo chmod 700 /opt/audit-alert.sh
sudo chown root:root /opt/audit-alert.sh

• Use AWS SNS for Alerts: Replace the mail command with AWS CLI’s sns publish for reliability.
• Rotate Logs: Configure logrotate to prevent log files from consuming disk space.

---

Why This Works

• Transparency: Every change is tied to a user and timestamp.
• Proactive Security: Alerts help you act before minor changes become major breaches.
• Compliance Ready: Maintains an audit trail for regulatory requirements.

---

Conclusion

Tracking file permission changes isn’t just about fixing errors—it’s about owning your server’s security narrative. By combining auditd with automated alerts, you’re not just solving a mystery; you’re building a robust defense against insider threats and misconfigurations.

Whether you’re guarding a WordPress site or a custom app, these steps ensure you’re always one step ahead. Now, go forth and audit with confidence!

Need help for fine-tuning your WordPress security? Reach out to us at AWXOps. We’re here to provide tailored security solutions and keep your site running safely and smoothly.