Using ausearch and aureport
The auditd daemon logs events to the /var/log/audit/audit.log file. Although you could directly read the file with something such as less, you really don’t want to. The ausearch and aureport utilities will help you translate the file into a language that makes some sort of sense.
Searching for file change alerts
Let’s start by looking at the rule that we created that will alert us whenever a change is made to the /etc/passwd file:
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
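To see what that rule produces, here is an added example (not from the book) that reads raw audit.log records, groups them by the msg=audit(seconds:serial) stamp into events the way ausearch does, and filters on the -k key. The log lines are constructed to resemble what a write to /etc/passwd generates; pids, inodes, serials and timestamps are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what auditd writes for the -w /etc/passwd -p wa rule
# when chfn rewrites the file; pids, serials and timestamps are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=yes exit=4 pid=1234 auid=1000 uid=0 comm="chfn" exe="/usr/bin/chfn" key="passwd_changes"
type=CWD msg=audit(1700000000.123:501): cwd="/etc"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/passwd" inode=1234567 mode=0100644
type=SYSCALL msg=audit(1700000001.456:502): arch=c000003e syscall=257 success=yes exit=3 pid=1300 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="other_rule"
type=USER_END msg=audit(1700000002.000:503): pid=1234 uid=0 auid=1000 msg='op=PAM:session_close'
"""

# Every record starts with its type and an audit(seconds.millis:serial) stamp.
STAMP_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
# Values are bare tokens or quoted strings; quoted values may contain spaces.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_events(text):
    """Group records by serial, as ausearch does, keeping arrival order."""
    events = {}
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if not m:
            continue  # not an audit record (blank or truncated line)
        rtype, secs, serial, rest = m.groups()
        fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(rest)}
        ev = events.setdefault(serial, {
            "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
            "records": []})
        ev["records"].append((rtype, fields))
    return events

def search_key(text, key):
    """Whole events that carry a record tagged with the given -k key."""
    return [ev for ev in parse_events(text).values()
            if any(f.get("key") == key for _, f in ev["records"])]

def describe(ev):
    """One-line summary: login user (auid), effective uid, program, path."""
    sc = next((f for t, f in ev["records"] if t == "SYSCALL"), {})
    path = next((f for t, f in ev["records"] if t == "PATH"), {})
    return "%s auid=%s uid=%s %s -> %s" % (
        ev["time"].strftime("%Y-%m-%d %H:%M:%S"), sc.get("auid"),
        sc.get("uid"), sc.get("exe"), path.get("name"))

if __name__ == "__main__":
    for ev in search_key(SAMPLE_LOG, "passwd_changes"):
        print(describe(ev))
```

Note that auid survives sudo, which is why the summary shows the real login user alongside uid=0; that distinction is the point of watching /etc/passwd at all.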
Now, let’s make a change to the file and look for the alert message. Rather than add another user, since I’m running out of cats whose names I can use, I’ll just use the chfn utility to add contact information to the comment field for Cleopatra’s entry:
[donnie@localhost etc]$ sudo chfn cleopatra
Changing finger information for cleopatra.
Name []: Cleopatra Tabby Cat
Office []: Donnie's back yard
Office Phone...