Creating audit rules
Okay, let's start with something simple and work our way up to something awesome. First, let's check to see whether any audit rules are in effect:
[donnie@localhost ~]$ sudo auditctl -l
[sudo] password for donnie:
No rules
[donnie@localhost ~]$
As you can see, the auditctl command is what we use to manage audit rules. The -l option lists the rules that are currently loaded.
Auditing a file for changes
Now, let's say that we want to see when someone changes the /etc/passwd file. (The command that we'll use will look a bit daunting, but I promise that it will make sense once we break it down.) Look at the following code:
[donnie@localhost ~]$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes
[sudo] password for donnie:
[donnie@localhost ~]$ sudo auditctl -l
-w /etc/passwd -p wa -k passwd_changes
[donnie@localhost ~]$
Here's the breakdown:
-w: This stands for where, and it points to the object that we want to monitor. In this case, it's /etc/passwd.
-p: This indicates the object's permissions that...