Linux Security: Working with the Audit Log

Create audit rules to watch `/etc/passwd` for reads, `/etc/sudoers` for reads and writes, and `/sbin/visudo` for executions.

Run these commands

auditctl -w /etc/passwd -p w -k userwatch
auditctl -w /sbin/visudo -p x -k sudowatch
auditctl -w /etc/sudoers -p rw -k sudowatch

Generate an audit rule list in `/home/cloud_user/rules.txt`

Run this command

auditctl -l > /home/cloud_user/rules.txt

Generate logs by creating a new user and running the `visudo` command

Run these commands

useradd bob
visudo

Generate the `userwatch.txt` and `sudowatch.txt` reports in `/home/cloud_user` by using the established audit keys `userwatch` and `sudowatch`.

Run these commands

ausearch -k userwatch > /home/cloud_user/userwatch.txt
ausearch -k sudowatch > /home/cloud_user/sudowatch.txt
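The `ausearch -k` output is only useful if you can read the raw records it returns. The script below is an added example, not part of the original lab: it pulls individual fields out of audit records, counts SYSCALL records per key, and lists which login user (`auid`) ran which executable under a given key. The `SAMPLE` records are constructed to mirror what the `userwatch` and `sudowatch` rules above would produce for `useradd bob` and `visudo`; they were not captured from a real system, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original lab: parse audit records the way a
# reviewer reads ausearch output. SAMPLE is constructed to match the shape of
# SYSCALL and PATH records auditd writes for the userwatch/sudowatch rules.

SAMPLE='type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="useradd" exe="/usr/sbin/useradd" key="userwatch"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:302): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="visudo" exe="/sbin/visudo" key="sudowatch"
type=SYSCALL msg=audit(1700000000.303:303): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=902 pid=902 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="visudo" exe="/sbin/visudo" key="sudowatch"
type=PATH msg=audit(1700000000.303:303): item=0 name="/etc/sudoers" inode=5678 dev=fd:01 mode=0100440 ouid=0 ogid=0 nametype=NORMAL'

# audit_field FIELD: print FIELD's value (exe, auid, key, name, ...) from every
# record on stdin that carries it. The leading whitespace anchor keeps "uid"
# from matching inside "euid"; surrounding quotes are stripped.
audit_field() {
    sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# count_by_key: one "key count" line per audit key, counting SYSCALL records
# only so multi-record events (SYSCALL + PATH + CWD) are not double counted.
count_by_key() {
    grep '^type=SYSCALL' | audit_field key | sort | uniq -c | awk '{ print $2, $1 }'
}

# who_touched KEY: "auid exe" for each SYSCALL record tagged KEY. auid is the
# original login uid and survives su/sudo, so it names the person, not root.
who_touched() {
    awk -v want="$1" '
        /^type=SYSCALL/ {
            key = ""; auid = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "key")  key = v
                if (kv[1] == "auid") auid = v
                if (kv[1] == "exe")  exe = v
            }
            if (key == want) print auid, exe
        }'
}

# Demo on the constructed sample. On a live host you would feed the real
# records instead, e.g.:  ausearch -k sudowatch | who_touched sudowatch
printf '%s\n' "$SAMPLE" | count_by_key
printf '%s\n' "$SAMPLE" | who_touched sudowatch | sort -u
```

Running the demo on the sample prints `sudowatch 2` and `userwatch 1`, followed by `1000 /sbin/visudo`: the execute watch on `/sbin/visudo` and the read watch on `/etc/sudoers` both fire for one `visudo` run, and `auid` attributes both to login uid 1000 even though the process ran as root.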
