Tracking Content Written to Files

F Rafi farhanible at gmail.com
Thu Mar 7 12:36:11 UTC 2019


Audit will tell you when a "write" change occurs. Auditd has a plugin
framework to let you write custom code that consumes audit events.
You can use that to orchestrate a file copy to save the file.

Something like:
https://github.com/karmab/audisp-simple

Farhan
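A minimal plugin of the kind described above, added here as an example (it is not code from the thread or from audisp-simple): it reads raw audit records one per line, and when an event carries the key of an assumed rule `auditctl -w /etc/hosts -p wa -k hosts-watch` it copies the file into an archive directory (an assumed path) named by the event's timestamp and serial; `demo()` runs constructed records against a temporary file.

```python
import os, re, sys, tempfile
# Assumed audit rule, not from the thread:  auditctl -w /etc/hosts -p wa -k hosts-watch
WATCH_KEY = "hosts-watch"
EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_record(line):
    """One raw audit record -> ((timestamp, serial), {field: value}); the id is None for non-audit lines."""
    m = EVENT_ID_RE.search(line)
    return (m.groups() if m else None), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
def event_target(records):
    """Path written by an event whose SYSCALL record carries the watch key, else None."""
    hit = any(r.get("type") == "SYSCALL" and r.get("key") == WATCH_KEY for r in records)
    # nametype NORMAL: opened in place; CREATE: an editor wrote a new file and renamed it over the target
    paths = [r["name"] for r in records if r.get("type") == "PATH" and r.get("nametype") in ("NORMAL", "CREATE")]
    return paths[0] if hit and paths else None
def snapshot(path, event_id, archive_dir):
    """Copy the file's current bytes into archive_dir, named by the audit timestamp and serial."""
    os.makedirs(archive_dir, exist_ok=True)
    dest = os.path.join(archive_dir, "%s.%s.%s" % (os.path.basename(path), *event_id))
    with open(path, "rb") as src, open(dest, "wb") as out:
        out.write(src.read())
    return dest
def process_stream(lines, archive_dir):
    """Group contiguous records by event id; at EOE, snapshot the matching target. Returns archived paths."""
    archived, current, records = [], None, []
    for line in lines:
        event_id, fields = parse_record(line)
        if event_id is None:
            continue
        if event_id != current:
            current, records = event_id, []
        records.append(fields)
        if fields.get("type") == "EOE":  # the kernel closes every multi-record event with EOE
            target = event_target(records)
            if target and os.path.isfile(target):
                archived.append(snapshot(target, event_id, archive_dir))
    return archived
def demo():
    """Constructed run: snapshot the watched file before and after its content changes; returns line counts."""
    tmp = tempfile.mkdtemp(); target = os.path.join(tmp, "hosts")
    def event(n):  # constructed records, in the shape auditd delivers for an open-for-write of the target
        tid = "msg=audit(1551960000.%03d:%d):" % (n, n)
        return ['type=SYSCALL %s syscall=257 success=yes key="%s"' % (tid, WATCH_KEY),
                'type=PATH %s item=1 name="%s" nametype=NORMAL' % (tid, target), "type=EOE %s" % tid]
    open(target, "w").write("127.0.0.1 localhost\n")
    archived = process_stream(event(1), os.path.join(tmp, "archive"))
    open(target, "w").write("127.0.0.1 localhost\n203.0.113.7 mirror.example\n")
    archived += process_stream(event(2), os.path.join(tmp, "archive"))
    return [open(p).read().count("\n") for p in archived]
if __name__ == "__main__":  # run as an audisp plugin: auditd delivers one raw record per line on stdin
    process_stream(sys.stdin, "/var/lib/file-snapshots")  # archive location is an assumption
```

The copy is taken when the open-for-write event arrives, so it may capture the content just before that write lands and the next event's copy records the result; names with unusual characters arrive hex-encoded in the raw format, which this example does not decode.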

On Wed, Mar 6, 2019 at 2:57 PM Wajih Ul Hassan <wajih.lums at gmail.com> wrote:

> Hi All,
> Can I use auditd to track content written to specific files? For example,
> in this case https://access.redhat.com/solutions/10107, how can I keep
> track of what string was written to `/etc/hosts` file over time and extract
> this information later from logs?
> The reason I asked this question is that I am trying to audit some
> simulated attack scenario and in this particular attack scenario I need to
> know what content was written/changed to a sensitive file over time to
> fully understand the attack. Even if the attack deletes the contents of the
> sensitive file at time t_2, I need to extract what was written to file at
> time t_1.
>
> Thanks,
> Wajih
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

