Can Auditbeat help to tell the difference between a read and a copy of files?


The primary reason for creating the monitoring that we are putting in place is to check when people are copying code from the server for improper reasons.

From what I can see, there is very little difference, if any, between system calls for viewing the contents of a file and copying it. Both require a read and if copying off the server, that is all you see.

The problem is that the team need to read the contents of the files, but have no need to copy them.

There are clearly certain file types that even reading doesn't make sense for our set-up such as archives so we can monitor by file types, but is there anything in the system calls that differentiates between a read for a copy and just a read to open.

We are not too worried about the odd file here and there, this is about mass copying of files so there will also probably be some sort of rate that comes in to play if that is needed.

While I recognise that this is more a Linux Audit question, just wondered if there was something in Auditbeat or the people using it, that might know of something. If I can clearly see the difference, makes it very much easier!

Cheers, N

(Adrian Serrano) #2

The short answer will be No, there is no way to tell if a read is there to copy a file or just to visualize it.

If the copy is local, you can use the file_integrity module to detect the files being created in some directory (user home, mounted disk, etc).

If the copy is remote it depends on the protocol used to make the copies, packetbeat may help.


Hi @adrisr. Thanks and pretty much what I thought. We are not worried about it being copied elsewhere on the same server, it is actually copying it off the server that is the issue and suspect that this will be as much as monitoring the network using Packetbeats to see when there is network activity and look at what that activity was and who was doing it. Cheers N.