[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

first look at audit system, question for RH experts



Hi all,

I´m studing the audit system to get my systems more controlled and I have
found some usefull links
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
http://kbase.redhat.com/faq/docs/DOC-10108

and I have included this rule in the audit.rules:
-w /etc/passwd -p rw -k passwd-file

and now when I do cat /etc/passwd I get this

#ausearch -ts today -k passwd-file
time->Wed Jun  9 17:37:39 2010
type=PATH msg=audit(1276097859.672:788685): item=0 name="/etc/passwd"
inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:file_t:s0
type=CWD msg=audit(1276097859.672:788685):  cwd="/etc/audit"
type=SYSCALL msg=audit(1276097859.672:788685): arch=40000003 syscall=5
success=yes exit=3 a0=bffe3b14 a1=8000 a2=0 a3=8000 items=1 ppid=19578
pid=28972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 ses=20293 comm="cat" exe="/bin/cat"
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file"

and this is great but, what else can I do? Has RHEL 5 any tool to alert me
wheh this event happens. (I know that there are tools like swatch, logwatch,
fail2ban... but I want to know how a RHCE will do this task (you can´t
install anything that it's not in the distro))


Greetings,

ESG


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]