Live as if you were to die tomorrow. Learn as if you were to live forever.

Thursday 2 July 2015

Audit Policy Tracking in Linux

In some situations we need to monitor certain files and want to know when a file was updated, which action was taken on it, and which user made the change.

To get such information we use audit policy tracking in Linux.

Make sure that the auditd service is running on the server.

If the daemon is not installed, install and start it using the commands below:

#yum install audit
#/etc/init.d/auditd start

Once the daemon is running, add a watch rule with the command below:

#auditctl -w /etc/shadow -p rwxa -k shadowfile

Here,
auditctl : The command used to configure the kernel audit system (add, delete and list rules)
w : Inserts a watch on a file; here we are watching the /etc/shadow file
p : Sets which permissions on the watched file trigger a record (r = read, w = write, x = execute, a = attribute change)
k : Sets a filter key on the watch rule; the key is used later when searching the audit records

Once you have done the above steps, you can use the command below to check who changed the file:

#ausearch -f /etc/shadow -i

Here,
f : Search for records that mention the given file name
i : Interpret numeric fields such as uid and pid into human-readable form (user names instead of raw ids)
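The whole procedure above, install and start auditd, add the watch, and search the records, as one script. This is an added example written for this post, not the post's own commands or anything shipped with the audit package. It assumes a RHEL/CentOS 6 style host like the one in the post (yum, /etc/init.d/auditd, rules read from /etc/audit/audit.rules at daemon start); on systemd hosts the service commands and rules path differ. It also adds a small awk helper, summarize_syscalls, for reviewing a copied raw audit.log on a machine without ausearch; the log lines used to exercise it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): watch /etc/shadow with auditd,
# persist the rule, and find out who touched the file.
# Assumes a RHEL/CentOS 6 style host: yum, /etc/init.d/auditd, /etc/audit/audit.rules.
set -eu

WATCH_PATH=/etc/shadow
WATCH_KEY=shadowfile

# Step 1: make sure auditd is installed and running.
ensure_auditd() {
    command -v auditctl >/dev/null 2>&1 || yum install -y audit
    /etc/init.d/auditd status >/dev/null 2>&1 || /etc/init.d/auditd start
}

# Step 2: add the watch (r/w/x/a = read, write, execute, attribute change)
# and append it to audit.rules so it survives a reboot; then confirm it loaded.
add_watch() {
    auditctl -w "$WATCH_PATH" -p rwxa -k "$WATCH_KEY"
    grep -q -- "-k $WATCH_KEY" /etc/audit/audit.rules 2>/dev/null \
        || printf -- '-w %s -p rwxa -k %s\n' "$WATCH_PATH" "$WATCH_KEY" >> /etc/audit/audit.rules
    auditctl -l | grep -- "$WATCH_KEY"
}

# Step 3: search by the filter key set above, with uids resolved to names (-i).
search_watch() {
    ausearch -k "$WATCH_KEY" -i
}

# Offline helper: summarise raw audit.log SYSCALL records carrying a given key as
# "auid=<login uid> uid=<effective uid> comm=<program> syscall=<nr>" lines.
# auid is the user who originally logged in, even if they later became root via su/sudo.
summarize_syscalls() {   # $1 = path to a raw audit.log, $2 = key (without quotes)
    awk -v key="\"$2\"" '
        $1 == "type=SYSCALL" {
            auid = uid = comm = sc = k = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "syscall") sc = kv[2]
                else if (kv[1] == "key") k = kv[2]
            }
            if (k == key) print "auid=" auid " uid=" uid " comm=" comm " syscall=" sc
        }' "$1"
}

# Usage: ./shadow_watch.sh setup   (as root, once)
#        ./shadow_watch.sh search  (any time later)
case "${1:-}" in
    setup)  ensure_auditd; add_watch ;;
    search) search_watch ;;
esac
```

Searching by key (-k) rather than file name (-f) is the reason the post sets a key in the first place: several watch rules on different files can share one key, and a single ausearch then returns all of them. In the raw log, the auid field is the one to trust for "who did it", since uid changes after su or sudo while auid stays with the login session.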

Guys, please comment if you have any query or feedback…