{"id":5519,"date":"2023-10-04T14:03:50","date_gmt":"2023-10-04T19:03:50","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=5519"},"modified":"2023-10-02T14:44:04","modified_gmt":"2023-10-02T19:44:04","slug":"using-auditd-to-monitor-changes-to-linux","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/using-auditd-to-monitor-changes-to-linux\/","title":{"rendered":"Using Auditd to monitor changes to Linux"},"content":{"rendered":"\n

Install and enable auditd with<\/p>\n\n\n\n

sudo dnf install auditd\nsudo systemctl enable auditd\nsudo systemctl start auditd<\/pre>\n\n\n\n
Add a file or directory to monitor with<\/p>\n\n\n\n
auditctl -w \/etc\/passwd -k password<\/pre>\n\n\n\n
-w is watch path
-k is a filter key we can use later to search through logs<\/p>\n\n\n\n
Now we can search with ausearch<\/p>\n\n\n\n
ausearch -k password<\/pre>\n\n\n\n
<\/p>\n\n\n\n
Using Preconfigured Rules<\/h2>\n\n\n\n
There are already some preconfigured rules in \/usr\/share\/audit\/sample-rules\/<\/p>\n\n\n\n
We can copy those to \/etc\/auditd\/rules.d\/ and use them.  <\/p>\n\n\n\n
cd \/usr\/share\/audit\/sample-rules\/\ncp 10-base-config.rules 30-stig.rules 31-privileged.rules 99-finalize.rules \/etc\/audit\/rules.d\/\naugenrules --load<\/pre>\n\n\n\n
Note on the 31-privileged.rules file.  You’ll need to run the commands in the file which will create a new file.  Then we can copy that to “\/etc\/auditd\/rules.d\/”<\/p>\n\n\n\n
find \/bin -type f -perm -04000 2>\/dev\/null | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $1 }' > priv.rules\n#find \/sbin -type f -perm -04000 2>\/dev\/null | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $1 }' >> priv.rules\n#find \/usr\/bin -type f -perm -04000 2>\/dev\/null | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $1 }' >> priv.rules\n#find \/usr\/sbin -type f -perm -04000 2>\/dev\/null | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $1 }' >> priv.rules\n#filecap \/bin 2>\/dev\/null | sed '1d' | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $2 }' >> priv.rules\n#filecap \/sbin 2>\/dev\/null | sed '1d' | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $2 }' >> priv.rules\n#filecap \/usr\/bin 2>\/dev\/null | sed '1d' | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $2 }' >> priv.rules\n#filecap \/usr\/sbin 2>\/dev\/null | sed '1d' | awk '{ printf \"-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\\n\", $2 }' >> priv.rules<\/pre>\n\n\n\n
And Copy priv.rules to \/etc\/audit\/rules.d\/31-privileged.rules.  Overwrite the file there if needed.<\/p>\n\n\n\n
cp .\/priv.rules \/etc\/audit\/rules.d\/31-privileged.rules<\/pre>\n\n\n\n
Load the rules.<\/p>\n\n\n\n
augenrules --load<\/pre>\n\n\n\n
https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/8\/html\/security_hardening\/auditing-the-system_security-hardening<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Install and enable auditd with sudo dnf install auditd sudo systemctl enable auditd sudo systemctl start auditd Add a file or directory to monitor with auditctl -w \/etc\/passwd -k password -w is watch path-k is a filter key we can … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,24,3,22,573],"tags":[525,17,19,7,234,1250,235,989,134,538,503],"class_list":["post-5519","post","type-post","status-publish","format-standard","hentry","category-centos-linux","category-fedora-2","category-linux","category-redhat-linux","category-security","tag-auditd","tag-centos","tag-fedora","tag-linux-2","tag-log","tag-logging","tag-logs","tag-monitor","tag-monitoring","tag-rhel","tag-security"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=5519"}],"version-history":[{"count":3,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5519\/revisions"}],"predecessor-version":[{"id":5522,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5519\/revisions\/5522"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=5519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=5519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=5519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}