Home > Uncategorized > Quick Primer: using auditd

Quick Primer: using auditd

Check out /etc/audit/audit.rules.

A quick audit for denied access calls is to add the following to /etc/audit/audit.rules

-a exit,always -S write -F success=0 -F dir=/etc

Read, Write, Execute, attribute change for /etc/passwd with entries tagged fpasswd in audit.log:

-w /etc/passwd -p rwxa -k fpasswd

where -S is the syscall number or name (http://linux.die.net/man/2/syscalls), use ‘all’ if needed.

On-the-fly add by pre-pending ‘auditctl’ to the above lines.

To remove on-the-fly:

auditctl -W /etc/passwd -p rwxa -k fpasswd
auditctl -d exit,always -S write -F success=0 -F dir=/etc

See also: Quick Primer: SElinux

With reference:
Linux audit files…

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: