1) vi test.file
2) auditctl -w test.file -p war -k a_name_to_identify
-w => path of the file to watch
-p => permissions (access types) to audit
   w --> write
   a --> attribute change
   r --> read
   x --> execute
-k => a key name so the rule's events are easy to find later
3) Now try changing the file's contents, permissions, etc.
4) ausearch -ts today -k a_name_to_identify
-ts => start timestamp (today, recent, now, etc.)
5) From the output, for example:
type=SYSCALL msg=audit(1516519721.163:11525): arch=c000003e syscall=191 success=no exit=-61 a0=7ffd0f605450 a1=7f4bf8291cddf a2=0 a3=0 items=1 ppid=26079 pid=29390 auid=116824 uid=116824 gid=5014 euid=116824 suid=116824 fsuid=116824 egid=5014 sgid=5014 fsgid=5014 tty=pts1 ses=1468 comm="ls" exe="/usr/bin/ls" key="asarootuser"
uid => user id (here 116824; resolve it to a username with 'getent passwd 116824')
comm => command executed (here the command executed is 'ls')
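As an added example (not part of the original post), the following Python script parses SYSCALL records like the one above into their fields and summarizes, for a given -k key, who touched the watched file, through which program, and whether the access succeeded. The first sample record is the one quoted above; the second is constructed to show a write made after switching to root.

```python
import re
from datetime import datetime, timezone

# Sample input: the first record is the SYSCALL line quoted in the post; the
# second is a constructed record for the same key, showing a successful write
# by a user who has switched to root (auid, the login uid, differs from uid).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1516519721.163:11525): arch=c000003e syscall=191 success=no exit=-61 a0=7ffd0f605450 a1=7f4bf8291cddf a2=0 a3=0 items=1 ppid=26079 pid=29390 auid=116824 uid=116824 gid=5014 euid=116824 suid=116824 fsuid=116824 egid=5014 sgid=5014 fsgid=5014 tty=pts1 ses=1468 comm="ls" exe="/usr/bin/ls" key="asarootuser"
type=SYSCALL msg=audit(1516519800.001:11530): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0f605450 a2=241 a3=1b6 items=2 ppid=26079 pid=29401 auid=116824 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1468 comm="vi" exe="/usr/bin/vi" key="asarootuser"
"""

# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<epoch seconds>.<millis>:<serial>)
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict. Quoted values lose their quotes;
    the msg field is expanded into 'time' (UTC datetime) and 'serial'."""
    rec = {}
    for key, value in FIELD_RE.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["time"] = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
        rec["serial"] = int(m.group(2))
    return rec

def summarize(log_text, key):
    """One tuple per SYSCALL record carrying `key`: time, login uid (auid),
    effective uid, command, executable, and whether the access succeeded."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        rows.append((rec["time"].isoformat(), rec["auid"], rec["uid"],
                     rec["comm"], rec["exe"], rec["success"]))
    return rows

def identity_switches(log_text, key):
    """Records where the effective uid differs from the login uid, i.e. the
    watched file was touched after su/sudo; worth a closer look."""
    return [r for r in summarize(log_text, key) if r[1] != r[2]]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, "asarootuser"):
        print(*row)
    print("identity switches:", identity_switches(SAMPLE_LOG, "asarootuser"))
```

On a live system, feed it the output of ausearch -k <key> (or the raw /var/log/audit/audit.log) instead of SAMPLE_LOG.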
***
To make these changes persistent, add the rule line to /etc/audit/audit.rules:
-w test.file -p war -k a_name_to_identify
and check the status with sudo service auditd status
***