How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?
The answer is to use the 2.6 kernel's audit system. Modern Linux kernels (2.6.x) come with the auditd daemon. It's responsible for writing audit records to disk. During startup, this daemon reads the rules in /etc/audit.rules. You can edit /etc/audit.rules to change settings such as the audit log location and other options. The default file is good enough to get started with auditd.
In order to use the audit facility you need the following utilities:
=> auditctl – a command to assist in controlling the kernel's audit system. You can get its status, and add or delete rules in the kernel audit system. Setting a watch on a file is accomplished using this command.
=> ausearch – a command that can query the audit daemon logs for events based on different search criteria.
=> aureport – a tool that produces summary reports of the audit system logs.
Note that all of the following instructions were tested on CentOS 4.x, Fedora Core and RHEL 4/5 Linux.
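The two steps the utilities above are used for, as an added example that is not part of the original article: building the `-w <path> -p <perms> -k <key>` watch rule you would pass to auditctl (or drop into /etc/audit.rules), and pulling "who changed the file" out of the SYSCALL records that ausearch returns for that key. The audit log lines in the script are constructed samples, and the key name `passwd-changes` is an assumption. The field worth reading is `auid`, the login uid, which survives `su`/`sudo` and therefore names the person rather than the effective account.

```shell
#!/bin/sh
# Added example, not from the original article. Builds an auditctl watch rule and
# extracts "who touched the file" from audit records. The SAMPLE_LOG records below
# are constructed; the key "passwd-changes" is an assumed name.

# Emit a watch rule in auditctl syntax: -w <path> -p <perms> -k <key>
# perms letters: r=read, w=write, x=execute, a=attribute change.
# Live use would be:  auditctl $(audit_watch_rule /etc/passwd wa passwd-changes)
audit_watch_rule() {
    # $1 = path to watch, $2 = permission letters, $3 = key to tag matching events
    printf '%s %s -p %s -k %s\n' -w "$1" "$2" "$3"
}

# Constructed sample of what /var/log/audit/audit.log (or ausearch -k passwd-changes)
# shows after two processes opened the watched file: one edit by uid 0 whose login
# uid (auid) was 1001, and one read by uid 1002.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1000 pid=1234 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd-changes"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1700000050.456:4243): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2345 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="passwd-changes"
type=PATH msg=audit(1700000050.456:4243): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00'

# For every SYSCALL record tagged with the given key, print "auid uid comm".
# Only SYSCALL records are considered; PATH records carry the file name but no
# identity fields. Keys are matched as whole "name=value" tokens, so "uid" does
# not accidentally match "euid", "suid" or "fsuid".
who_touched() {
    # $1 = audit key, e.g. passwd-changes
    printf '%s\n' "$SAMPLE_LOG" | awk -v key="key=\"$1\"" '
        $1 == "type=SYSCALL" && index($0, key) {
            auid = ""; uid = ""; comm = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            }
            print auid, uid, comm
        }'
}

# Stand-alone run: show the rule, then the identities behind each tagged event.
audit_watch_rule /etc/passwd wa passwd-changes
who_touched passwd-changes
```

On a real system the rule is installed with `auditctl -w /etc/passwd -p wa -k passwd-changes` (or persisted in /etc/audit.rules) and the matching records are retrieved with `ausearch -k passwd-changes`; the parsing above is what you would do with that output when the question is who, not just what, changed the file.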
The audit service is provided for system auditing. By default, this service audits SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.
Under its default configuration, auditd has modest disk space requirements and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. Networks with a high security level often have substantial auditing requirements, and auditd can be configured to meet them:
- Ensure auditing is configured to collect certain system events
- Information on the use of the print command (unsuccessful and successful)
- Startup and shutdown events (unsuccessful and successful)
- Ensure the auditing software can record the following for each audit event:
  - When the event occurred
  - Who initiated the event
  - Type of the event
  - Success or failure of the event
  - Origin of the request (example: terminal ID)
  - For events that introduce an object into a user's address space, and for object deletion events, the name of the object and, in MLS systems, the object's security level
- Ensure daily of the audit logs
- Ensure that the audit data files have restrictive permissions (at least 640)
We know that Linux systems have an auditing tool called auditd. This tool is installed by default on most Linux distributions. So what is auditd, and how is it used? We introduce it below.