Thursday, August 23, 2018

Monitoring Audit Log Linux File Access, File Open, Changes and Data Modifications


Step 1

Create a watch rule on /etc/passwd that records write, attribute-change and read access (-p war) and tags every matching event with the key password-file.

[root@muthayammal ssh]# auditctl -w /etc/passwd -p war -k password-file

Step 2

Search the audit log for events on the watched file. Opens, reads and modifications of /etc/passwd are all reported, each carrying the key from the rule.

[root@muthayammal ssh]# ausearch -f /etc/passwd -i
time->Thu Aug 23 14:55:36 2018
type=PROCTITLE msg=audit(1535016336.242:81887): proctitle=67726570002D2D636F6C6F723D6175746F00736F6D657468696E67002F6574632F706173737764
type=PATH msg=audit(1535016336.242:81887): item=0 name="/etc/passwd" inode=134980183 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1535016336.242:81887):  cwd="/etc/ssh"
type=SYSCALL msg=audit(1535016336.242:81887): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd11eb181d a2=0 a3=0 items=1 ppid=14653 pid=15174 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4275 comm="grep" exe="/usr/bin/grep" key="password-file"
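The raw records above are hard to read at a glance: the SYSCALL record carries the user and program, the CWD record the working directory, the PATH record the file, and the PROCTITLE record the command line as hex-encoded, NUL-separated argv. As an added example (not part of the original post), the POSIX shell script below joins the records of one event by their audit(timestamp:serial) id and prints one summary line per event, decoding the proctitle and deciding from the openat flags whether the file was opened for reading or writing. The sample records are constructed, modelled on the post's output; the syscall name table assumes x86_64 (arch=c000003e), and the function names summarize_audit and sample_records are this example's own. ausearch -i performs a similar interpretation itself; the script shows what that involves and can be fed /var/log/audit/audit.log or ausearch --raw output directly.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise raw auditd records
# (one record per line, as in audit.log or "ausearch --raw") into one line
# per event. Assumptions: x86_64 syscall numbers, one PATH item per event
# (for rename-style events with several items the last PATH record wins),
# and no whitespace inside quoted values.

summarize_audit() {
    awk '
      # Audit arguments (a0..a3) and proctitle are hex without a 0x prefix.
      function hex2num(h,    i, n) {
          n = 0; h = tolower(h)
          for (i = 1; i <= length(h); i++)
              n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
          return n
      }
      # proctitle is argv as hex bytes with NUL separators; render as one line.
      function decode_proctitle(h,    i, n, s) {
          s = ""
          for (i = 1; i + 1 <= length(h); i += 2) {
              n = hex2num(substr(h, i, 2))
              s = s (n == 0 ? " " : sprintf("%c", n))
          }
          return s
      }
      function unquote(v) { gsub(/^"|"$/, "", v); return v }
      BEGIN {
          # x86_64 (arch=c000003e) syscall numbers; an assumption of this example.
          sysname[1] = "write"; sysname[2] = "open"; sysname[82] = "rename"
          sysname[87] = "unlink"; sysname[90] = "chmod"; sysname[257] = "openat"
      }
      /^type=/ {
          if (!match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)) next
          id = substr($0, RSTART + 6, RLENGTH - 7)      # "timestamp:serial"
          if (!(id in seen)) { seen[id] = 1; ids[++n] = id }
          # Every key=value field of every record type lands in one map per event.
          for (i = 1; i <= NF; i++) {
              eq = index($i, "=")
              if (eq == 0) continue
              k = substr($i, 1, eq - 1); v = unquote(substr($i, eq + 1))
              if (k != "type" && k != "msg") rec[id, k] = v
          }
      }
      END {
          for (j = 1; j <= n; j++) {
              id = ids[j]; sc = rec[id, "syscall"]
              s = (sc in sysname) ? sysname[sc] : "syscall" sc
              if (s == "open" || s == "openat") {
                  # flags are a1 for open(2), a2 for openat(2); low two bits are
                  # the access mode, 0 meaning O_RDONLY.
                  fl = (s == "openat") ? rec[id, "a2"] : rec[id, "a1"]
                  mode = (hex2num(fl) % 4 == 0) ? "read" : "write"
              } else mode = (sc in sysname) ? "modify" : "unknown"
              # auid is the original login uid and survives su/sudo; uid is the
              # effective user at the time of the call.
              printf "%s %s(%s) success=%s auid=%s uid=%s exe=%s cwd=%s file=%s key=%s cmd=\"%s\"\n",
                  id, s, mode, rec[id, "success"], rec[id, "auid"], rec[id, "uid"],
                  rec[id, "exe"], rec[id, "cwd"], rec[id, "name"], rec[id, "key"],
                  decode_proctitle(rec[id, "proctitle"])
          }
      }
    '
}

sample_records() {
    # Constructed sample records, modelled on the post: grep reading
    # /etc/passwd as root, then vi writing it from a sudo session (auid=1000).
    cat <<'EOF'
time->Thu Aug 23 14:55:36 2018
type=PROCTITLE msg=audit(1535016336.242:81887): proctitle=67726570002D2D636F6C6F723D6175746F00736F6D657468696E67002F6574632F706173737764
type=PATH msg=audit(1535016336.242:81887): item=0 name="/etc/passwd" inode=134980183 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1535016336.242:81887):  cwd="/etc/ssh"
type=SYSCALL msg=audit(1535016336.242:81887): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd11eb181d a2=0 a3=0 items=1 ppid=14653 pid=15174 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4275 comm="grep" exe="/usr/bin/grep" key="password-file"
----
time->Thu Aug 23 15:01:40 2018
type=PROCTITLE msg=audit(1535016700.100:81900): proctitle=7669002F6574632F706173737764
type=PATH msg=audit(1535016700.100:81900): item=0 name="/etc/passwd" inode=134980183 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1535016700.100:81900):  cwd="/root"
type=SYSCALL msg=audit(1535016700.100:81900): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffe3c2b1a40 a2=241 a3=1a4 items=1 ppid=15200 pid=15231 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4280 comm="vi" exe="/usr/bin/vi" key="password-file"
EOF
}

# Stand-alone run: print the two summary lines for the constructed sample.
sample_records | summarize_audit
```

The second summary line is the one a reviewer of password-file events should care about: openat(write) with auid=1000 but uid=0 shows a login user who escalated to root before editing the file, which the raw uid field alone would hide.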

Step 3

List the loaded audit rules. auditctl prints the permissions in its own order (rwa), so the rule added as -p war shows up as -p rwa.

[root@muthayammal etc]# auditctl -l
-w /etc/passwd -p rwa -k password-file

Step 4

Delete the audit rule with the command below; -D -k removes every rule tagged with the given key.

[root@muthayammal etc]# auditctl -D -k password-file
No rules

