first look at audit system, question for RH experts

ESGLinux esggrupos at gmail.com
Wed Jun 9 15:37:33 UTC 2010


Hi all,

I'm studying the audit system to get my systems more controlled and I have
found some useful links
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
http://kbase.redhat.com/faq/docs/DOC-10108

and I have included this rule in the audit.rules:
-w /etc/passwd -p rw -k passwd-file

and now when I do cat /etc/passwd I get this

#ausearch -ts today -k passwd-file
time->Wed Jun  9 17:37:39 2010
type=PATH msg=audit(1276097859.672:788685): item=0 name="/etc/passwd"
inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:file_t:s0
type=CWD msg=audit(1276097859.672:788685):  cwd="/etc/audit"
type=SYSCALL msg=audit(1276097859.672:788685): arch=40000003 syscall=5
success=yes exit=3 a0=bffe3b14 a1=8000 a2=0 a3=8000 items=1 ppid=19578
pid=28972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 ses=20293 comm="cat" exe="/bin/cat"
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file"

and this is great but, what else can I do? Does RHEL 5 have any tool to alert me
when this event happens? (I know that there are tools like swatch, logwatch,
fail2ban... but I want to know how an RHCE would do this task (you can't
install anything that isn't in the distro))


Greetings,

ESG
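One way to get an alert from the records quoted above using nothing beyond the distro's own Python, added here as an example and not part of the original post or of RHEL's audit tooling: the script groups ausearch records by their audit serial number and emits one alert line per event that carries the passwd-file key. It assumes records arrive on stdin one per line, as ausearch prints them (for instance from a cron job running ausearch over the last interval); the embedded sample is the post's own event re-joined onto single lines.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the three records of the event quoted in the post,
# each on one line as ausearch prints them (the "time->" line is skipped).
SAMPLE = '''time->Wed Jun  9 17:37:39 2010
type=PATH msg=audit(1276097859.672:788685): item=0 name="/etc/passwd" inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:file_t:s0
type=CWD msg=audit(1276097859.672:788685):  cwd="/etc/audit"
type=SYSCALL msg=audit(1276097859.672:788685): arch=40000003 syscall=5 success=yes exit=3 a0=bffe3b14 a1=8000 a2=0 a3=8000 items=1 ppid=19578 pid=28972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=20293 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file"
'''

RECORD = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial number: {serial: {type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue          # "time->" and "----" separator lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[serial][rtype].append(fields)
    return events

def alerts(events, watch_key='passwd-file'):
    """One alert per event whose SYSCALL record carries the rule key (-k)."""
    found = []
    for serial in sorted(events):
        ev = events[serial]
        for sc in ev.get('SYSCALL', []):
            if sc.get('key') != watch_key:
                continue
            found.append({
                'serial': serial,
                # auid is the login uid: it survives su, so it names the person
                'auid': sc.get('auid'), 'uid': sc.get('uid'),
                'comm': sc.get('comm'), 'exe': sc.get('exe'),
                'syscall': sc.get('syscall'), 'success': sc.get('success'),
                'cwd': (ev.get('CWD') or [{}])[0].get('cwd'),
                'paths': [p.get('name') for p in ev.get('PATH', [])],
            })
    return found

def format_alert(a):
    return ('AUDIT ALERT event {serial}: auid={auid} uid={uid} ran {exe} ({comm}) '
            'syscall={syscall} success={success} on {paths} cwd={cwd}'.format(**a))

if __name__ == '__main__':
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for a in alerts(parse_events(text)):
        print(format_alert(a))
```

Piping the output to logger or mail from the same cron job turns each line into a syslog entry or an e-mail without installing anything extra.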

