AIX: Configure AIX Audit in Stream Mode: Difference between revisions


Revision as of 17:58, 3 December 2024


Configure Audit

Step 1: Create a Backup of the Files

Before changing anything, back up the two audit configuration files so the shipped defaults can be restored:

cd /etc/security/audit
cp config config_original
cp streamcmds streamcmds_original

Modify the File /etc/security/audit/config

Turn stream mode on in the start: stanza, define the event class (under the classes: stanza, elided below) and assign it to users in the users: stanza. With binmode = off no binary audit trail is kept; the stream output is the only record of these events, so protect and rotate that file.

start:
       ignorenonexistentity = no
       binmode = off
       streammode = on
       fullpath = on
...
custom_audit = FILE_Open,FILE_Read,FILE_Write,FILE_Rename,...,PROC_Execute,USER_Shell

users:
   default = custom_audit

Save and close

Modify the File /etc/security/audit/streamcmds

This file holds the command pipeline that audit start launches to consume the stream; auditstream reads the kernel stream and auditpr formats each record.

/usr/sbin/auditstream | auditpr -t0 -h eclrRpPd -w > stream.out

The default shipped with AIX is /usr/sbin/auditstream | auditpr -v > /audit/stream.out &. Follow that pattern by giving the output file an absolute path and ending the pipeline with &, so it runs in the background and the file does not end up relative to whatever directory audit start was run from.

Save and close

Run audit

1) Stop Audit

audit shutdown

2) Start Audit

audit start

3) Verify that auditing is on and in stream mode

audit query


Sample output

Each record carries the time, the event, the login user, the real user, the status, the command, the process ID and the parent process ID, followed by the event-specific tail (here the open flags, mode and file descriptor and, because fullpath = on, the full path name):

Thu Jul 25 19:56:22 2024 FILE_Open       cecuser  cecuser  OK          ls                              7471614  7274804          flags: 67108864 mode: 0 fd: 3 filename /home/SW/dir1
Thu Jul 25 19:56:22 2024 FILE_Close      cecuser  cecuser  OK          ls                              7471614  7274804          file descriptor = 3
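Once stream.out is being written, the records can be triaged in the same column layout shown above. The following is an added example, not part of the original page or of AIX: a POSIX shell/awk filter that raises an alert for any record whose status is not OK, for file events that touch a path under /etc/security/, and for PROC_Execute records where a non-root login ends up with euid 0. The sample records are constructed; the first two are copied from the page, and the tails of the other three are illustrative only. The rule names (FAILED, SECCONF, PRIVEXEC) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the page or of AIX): triage records that
# auditpr writes to stream.out, as configured above. In production run
#   tail -f /audit/stream.out | audit_alerts
# Here it runs over constructed sample records.

# Constructed sample records in the column layout of the page's output:
# 5 date/time fields, then event, login user, real user, status, command,
# PID, PPID, and the event-specific tail. Only the first two records are
# taken from the page; the remaining tails are illustrative.
SAMPLE_RECORDS='Thu Jul 25 19:56:22 2024 FILE_Open       cecuser  cecuser  OK          ls                              7471614  7274804          flags: 67108864 mode: 0 fd: 3 filename /home/SW/dir1
Thu Jul 25 19:56:22 2024 FILE_Close      cecuser  cecuser  OK          ls                              7471614  7274804          file descriptor = 3
Thu Jul 25 19:57:01 2024 FILE_Write      cecuser  cecuser  FAIL        vi                              7471620  7274804          file descriptor = 4
Thu Jul 25 19:57:05 2024 PROC_Execute    cecuser  cecuser  OK          sh                              7471630  7274804          euid: 0 egid: 0 name /usr/bin/passwd
Thu Jul 25 19:58:10 2024 FILE_Rename     root     root     OK          mv                              7471640  7274804          frompath: /etc/security/audit/config topath: /etc/security/audit/config.bak'

# Read auditpr records on stdin and print one ALERT line per matching rule:
#   FAILED   - any record whose status column is not OK
#   SECCONF  - FILE_Open/FILE_Write/FILE_Rename whose tail names /etc/security/
#   PRIVEXEC - PROC_Execute with euid 0 by a login other than root
audit_alerts() {
    awk '
    function alert(rule, stamp, login, cmd, ev, tail) {
        printf "ALERT %-8s %s login=%s cmd=%s event=%s %s\n",
               rule, stamp, login, cmd, ev, tail
    }
    NF >= 12 {
        stamp = $1 " " $2 " " $3 " " $4 " " $5
        ev = $6; login = $7; status = $9; cmd = $10
        # Everything after PPID is the event-specific tail; rejoin it.
        tail = ""
        for (i = 13; i <= NF; i++) tail = tail (i > 13 ? " " : "") $i
        if (status != "OK")
            alert("FAILED", stamp, login, cmd, ev, tail)
        if ((ev == "FILE_Open" || ev == "FILE_Write" || ev == "FILE_Rename") &&
            index(tail, "/etc/security/") > 0)
            alert("SECCONF", stamp, login, cmd, ev, tail)
        if (ev == "PROC_Execute" && login != "root" && index(tail, "euid: 0") > 0)
            alert("PRIVEXEC", stamp, login, cmd, ev, tail)
    }'
}

# Number of alerts raised for the records on stdin (quick sanity check).
audit_alert_count() {
    audit_alerts | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_RECORDS" | audit_alerts
```

The filter keys on fixed column positions, which holds only while the -h header fields in streamcmds stay as above; change the header list and the awk field numbers must follow. Because binmode is off, nothing else retains these records, so feed stream.out to a log collector as well rather than relying on a local filter alone.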

See also