---
tags: [ security ]
---
## auditd
# To start/restart/stop auditd
service auditd start/restart/stop
# To list active audit rules
auditctl -l
# To add a temporary (non-persistent) watch rule on a file
auditctl -w <File to watch> -p <permission r/w/x/a> -k <Identifier>
# To make watch rules permanent
vim /etc/audit/rules.d/audit.rules
# and append a line with the following syntax
-w <File to watch> -p <permission r/w/x/a> -k <Identifier>
# Reload the service with
service auditd reload
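An added example for the rule-writing steps above (not part of the original cheat sheet): a small POSIX sh helper that builds the `-w <path> -p <perms> -k <key>` line, rejects fields auditctl would refuse (a relative path, permission letters other than r/w/x/a, a key over 31 bytes or containing whitespace) and appends it to a rules file only once, so repeated provisioning runs do not stack duplicate rules. The rules-file path, the key names and the function names `make_watch_rule` and `add_rule_once` are assumptions of the example.

```shell
#!/bin/sh
# Added example: compose and validate an auditd watch rule line before it
# goes into a file under /etc/audit/rules.d/. Paths and keys are constructed.

# Print "-w PATH -p PERMS -k KEY", or return non-zero with a message on
# stderr if a field would be rejected by auditctl.
make_watch_rule() {
    path=$1; perms=$2; key=$3
    case "$path" in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    # -p takes any combination of r (read), w (write), x (execute), a (attribute change)
    case "$perms" in
        "" | *[!rwxa]*) echo "perms must be a combination of r/w/x/a: '$perms'" >&2; return 1 ;;
    esac
    # a filter key is limited to 31 bytes and must not contain whitespace
    case "$key" in
        "" | *[[:space:]]*) echo "key must be non-empty with no whitespace" >&2; return 1 ;;
    esac
    if [ "${#key}" -gt 31 ]; then
        echo "key longer than 31 bytes: $key" >&2; return 1
    fi
    printf '%s\n' "-w $path -p $perms -k $key"
}

# Append a rule to RULES_FILE unless an identical line is already present.
# Usage: add_rule_once RULES_FILE PATH PERMS KEY
add_rule_once() {
    rules_file=$1; shift
    line=$(make_watch_rule "$@") || return 1
    if [ -f "$rules_file" ] && grep -qxF -- "$line" "$rules_file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$rules_file"
}

# Stand-alone demo: print the rule that watches /etc/passwd for writes and
# attribute changes under the (constructed) key passwd_changes.
make_watch_rule /etc/passwd wa passwd_changes
```

After adding lines with `add_rule_once` to a file in `/etc/audit/rules.d/`, reload the service as shown above; `auditctl -l` should then list the new watch.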
## Filtering and Searching
# To search for events by identifier (key)
ausearch -i -k <Identifier>
# To generate summary reports; list the options with
aureport --help
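An added example for the search step (not part of the original cheat sheet): `ausearch -k` groups the raw records in `/var/log/audit/audit.log` by event id and shows the events whose SYSCALL record carries the key. The POSIX sh/awk function below performs the same correlation on a constructed log excerpt, printing the event id, audit uid, success flag, process name and watched path, which is useful for understanding what a watch rule actually records or for triaging a log copy on a host without the audit tools. The log lines, the key names and the function name `events_for_key` are constructed for this example.

```shell
#!/bin/sh
# Added example: correlate raw audit records by their -k identifier the way
# `ausearch -k` does. The log excerpt below is constructed, not real data.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="passwd_watch"
type=CWD msg=audit(1700000000.101:4001): cwd="/root"
type=PATH msg=audit(1700000000.101:4001): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:4002): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1300 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="shadow_watch"
type=PATH msg=audit(1700000000.205:4002): item=0 name="/etc/shadow" inode=5678 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:4003): arch=c000003e syscall=257 success=no exit=-13 ppid=2000 pid=2100 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="passwd_watch"
type=PATH msg=audit(1700000000.310:4003): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL'

# Read raw audit records on stdin and print one line per event whose
# SYSCALL record carries KEY: "event-id auid success comm path".
# Usage: events_for_key KEY < audit.log
events_for_key() {
    key=$1
    awk -v key="$key" '
        # return the value of "name=..." in a record, quoted or bare, or ""
        function field(rec, name) {
            if (match(rec, name "=\"[^\"]*\""))
                return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
            if (match(rec, name "=[^ ]*"))
                return substr(rec, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
            return ""
        }
        {
            # the event id is the number after the colon in msg=audit(ts:id)
            if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
            id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
            if ($1 == "type=SYSCALL" && field($0, "key") == key) {
                hit[id] = 1
                info[id] = field($0, "auid") " " field($0, "success") " " field($0, "comm")
            } else if ($1 == "type=PATH" && field($0, "item") == "0") {
                # PATH item 0 of the same event names the file that was touched
                path[id] = field($0, "name")
            }
        }
        END { for (id in hit) print id, info[id], path[id] }
    ' | sort
}

# Stand-alone demo: show the two events recorded under the passwd_watch key,
# one successful read by auid 1000 and one denied read by auid 1001.
printf '%s\n' "$SAMPLE_LOG" | events_for_key passwd_watch
```

On a live system the same function can be fed with `events_for_key <key> < /var/log/audit/audit.log`; `ausearch -i -k <key>` remains the tool of choice because it also resolves uids, syscall numbers and timestamps into readable form.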