Linux Security: Working with the Audit Log
Create audit rules to watch `/etc/passwd` for reads, `/etc/sudoers` for reads and writes, and `/sbin/visudo` for executions.
Run these commands
```bash
auditctl -w /etc/passwd -p w -k userwatch      # -w path to watch, -p permissions (w = write), -k key tag
auditctl -w /sbin/visudo -p x -k sudowatch     # x = execute
auditctl -w /etc/sudoers -p rw -k sudowatch    # rw = read and write
```
Generate an audit rule list in `/home/cloud_user/rules.txt`
Run this command
```bash
auditctl -l > /home/cloud_user/rules.txt
```
Generate logs by creating a new user and running the `visudo` command
Run these commands
```bash
useradd bob
visudo
```
Generate the `userwatch.txt` and `sudowatch.txt` reports in `/home/cloud_user` by using the established audit keys `userwatch` and `sudowatch`
Run these commands
```bash
ausearch -k userwatch > /home/cloud_user/userwatch.txt
ausearch -k sudowatch > /home/cloud_user/sudowatch.txt
```
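The `ausearch` reports above are raw multi-record dumps, so a quick way to check that each rule actually fired is to reduce them to one line per event. The script below is an added example, not part of the lab; `audit_summary` and `count_key` are hypothetical helpers, and the sample log is constructed (made-up timestamps, ids and uids) to mimic the record layout `ausearch` writes.

```bash
#!/bin/sh
# Summarise raw ausearch output (the content of userwatch.txt / sudowatch.txt)
# into one line per event: key, login uid (auid), executable, watched path.
audit_summary() {
  awk '
    # strip "field=" and surrounding quotes from a key=value token
    function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
    # print the event collected so far and reset the accumulators
    function flush() {
      if (key != "") print key, auid, exe, path
      key = auid = exe = path = ""
    }
    /^----/ { flush(); next }                    # ausearch event separator
    /^type=SYSCALL/ {
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^auid=/) auid = val($i)   # login uid, survives sudo/su
        else if ($i ~ /^exe=/)  exe  = val($i)
        else if ($i ~ /^key=/)  key  = val($i)   # the -k tag from auditctl
      }
    }
    # item=0 is the path the syscall acted on (later items are parents/interpreters)
    /^type=PATH/ && / item=0 / {
      for (i = 1; i <= NF; i++) if ($i ~ /^name=/) path = val($i)
    }
    END { flush() }
  '
}

# Count events carrying a given key; "0" means the rule never fired, e.g. the
# rule was not loaded or the test action never touched the watched file.
count_key() {  # usage: count_key <key> < ausearch_output
  audit_summary | awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Constructed sample in ausearch's raw layout (not real log data).
SAMPLE_LOG='----
time->Mon Jan  1 12:00:00 2024
type=PATH msg=audit(1704110400.100:201): item=0 name="/etc/passwd" inode=1234 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1704110400.100:201): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=200 auid=1000 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="userwatch"
----
time->Mon Jan  1 12:00:05 2024
type=PATH msg=audit(1704110405.200:202): item=0 name="/sbin/visudo" inode=5678 mode=0104755 nametype=NORMAL
type=SYSCALL msg=audit(1704110405.200:202): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=201 auid=1000 uid=0 comm="visudo" exe="/usr/sbin/visudo" key="sudowatch"
'

printf '%s' "$SAMPLE_LOG" | audit_summary
printf '%s' "$SAMPLE_LOG" | count_key sudowatch   # prints 1
```

On the lab host the same functions run against the real reports, e.g. `count_key userwatch < /home/cloud_user/userwatch.txt`.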