Linux Audit
March 4, 2017 — 15:43

Author: silver  Category: linux  Comments: Off

First make sure the auditd service is running: auditctl only loads rules into the kernel, and it is auditd that receives the matching events and writes them to /var/log/audit/audit.log, which is where ausearch and aureport look.

add rules (the first is a full syscall rule that fires on every syscall naming /etc/passwd, including stat; the second is the watch shorthand, limited to read, write and attribute changes; each is tagged with a key so its events can be found later):

auditctl -a always,exit -S all -F path=/etc/passwd -F key=config1
auditctl -w /etc/passwd -p rwa -k config2

del rules:

auditctl -d always,exit -S all -F path=/etc/passwd -F key=config1
auditctl -W /etc/passwd -p rwa -k config2

(or restart auditd, which reloads the rules from the persistent rules file, so this only clears rules that were added at runtime; on RHEL-style systems use service auditd restart, since the unit file blocks systemctl stop/restart; auditctl -D drops every loaded rule at once)

make permanent:

add the same rules to /etc/audit/rules.d/audit.rules as auditctl arguments without the leading "auditctl" (for example "-w /etc/passwd -p rwa -k config2"); augenrules --load merges rules.d/*.rules into /etc/audit/audit.rules and loads them, and auditd does the same at every start

show results (ausearch prints the raw events for a key since the given start time; add -i to translate uids, syscall numbers and timestamps into names; aureport -k gives a per-key event summary):

ausearch -ts today -k config1
aureport -k
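To see what the two rules above actually produce, and what ausearch -k is matching on, here is an added example that is not part of the original post. It is an offline stand-in for ausearch -k written in bash and awk: the audit log lines in it are constructed sample data modelled on auditd's record layout (one event is every record sharing the same msg=audit(TIME:SERIAL) id), and the function names audit_events_by_key, audit_count_by_key and audit_actors_by_key are my own, not auditd's.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: an offline stand-in for
# "ausearch -k KEY" that shows what the config1/config2 rules produce.
# Every log line below is constructed sample data modelled on auditd's
# record layout, not a real capture.

# One audit event = all records sharing the same msg=audit(TIME:SERIAL) id.
# Serial 456: "sudo cat /etc/passwd" hits the config2 watch; note uid=0 but
# auid=1000, the login uid that survives su/sudo. Serial 457: "ls -l
# /etc/passwd" hits only config1, because a plain stat() falls outside the
# r/w/a permission classes of the -p rwa watch. Serial 458: a root shell
# editing the file, again under auid=1000.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1488638590.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d4c6e8f2a0 a2=80000 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="config2"
type=CWD msg=audit(1488638590.123:456): cwd="/root"
type=PATH msg=audit(1488638590.123:456): item=0 name="/etc/passwd" inode=393241 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1488638601.417:457): arch=c000003e syscall=4 success=yes exit=0 a0=7ffd0b2c1e40 a1=7ffd0b2c0d70 a2=7ffd0b2c0d70 a3=0 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="config1"
type=CWD msg=audit(1488638601.417:457): cwd="/home/silver"
type=PATH msg=audit(1488638601.417:457): item=0 name="/etc/passwd" inode=393241 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1488638655.902:458): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e1a0c3f1b0 a2=80241 a3=1a4 items=2 ppid=1300 pid=1302 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="vi" exe="/usr/bin/vi" key="config2"
type=CWD msg=audit(1488638655.902:458): cwd="/root"
type=PATH msg=audit(1488638655.902:458): item=0 name="/etc/" inode=393217 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1488638655.902:458): item=1 name="/etc/passwd" inode=393241 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

AUDIT_SAMPLE_FILE="$(mktemp)"
printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$AUDIT_SAMPLE_FILE"

# Print every record of each event whose SYSCALL record carries key="KEY",
# in log order: the raw equivalent of `ausearch -k KEY` without -i.
# usage: audit_events_by_key KEY LOGFILE
audit_events_by_key() {
    awk -v key="$1" '
        {
            # group records by their audit(TIME:SERIAL) event id
            match($0, /audit\([0-9.]+:[0-9]+\)/)
            id = substr($0, RSTART, RLENGTH)
            if (!(id in lines)) order[++n] = id
            lines[id] = lines[id] $0 "\n"
        }
        # the key lives on the SYSCALL record only; match it exactly, quotes included
        /^type=SYSCALL / && index($0, " key=\"" key "\"") { hit[id] = 1 }
        END { for (i = 1; i <= n; i++) if (order[i] in hit) printf "%s", lines[order[i]] }
    ' "$2"
}

# Number of events tagged KEY (exactly one SYSCALL record per event).
# usage: audit_count_by_key KEY LOGFILE
audit_count_by_key() {
    audit_events_by_key "$1" "$2" | awk '/^type=SYSCALL / { c++ } END { print c + 0 }'
}

# One line per event: login uid, process name, executable. auid identifies
# the human behind a sudo/su session, so report that rather than uid.
# usage: audit_actors_by_key KEY LOGFILE
audit_actors_by_key() {
    audit_events_by_key "$1" "$2" | awk '
        /^type=SYSCALL / {
            auid = comm = exe = "?"
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (!eq) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                gsub(/"/, "", v)
                if (k == "auid") auid = v
                else if (k == "comm") comm = v
                else if (k == "exe") exe = v
            }
            print auid, comm, exe
        }'
}

# stand-alone demo
echo "events tagged config2: $(audit_count_by_key config2 "$AUDIT_SAMPLE_FILE")"
audit_actors_by_key config2 "$AUDIT_SAMPLE_FILE"
```

Two caveats for the real log: with both rules loaded, one open of /etc/passwd matches both and the kernel joins the two keys into a single key= field, which ausearch decodes but this exact-match filter does not; and on a busy host run the real tool with a time window (ausearch -ts) rather than scanning whole logs.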

stop audit messages from also landing in the journal (this does not disable auditing: auditd keeps writing /var/log/audit/audit.log, it only masks the socket journald uses to receive kernel audit messages, so journalctl stops showing the duplicated AUDIT entries; the socket stays active until it is stopped or the next boot):

systemctl mask systemd-journald-audit.socket