Linux Security: Working with the Audit Log

Create audit rules to watch `/etc/passwd` for reads, `/etc/sudoers/` for reads and writes, and `/sbin/visudo` for executions.

Run these commands

auditctl -w /etc/passwd -p w -k userwatch
auditctl -w /sbin/visudo -p x -k sudowatch
auditctl -w /etc/sudoers -p rw -k sudowatch

Generate an audit rule list in `/home/cloud_user/rules.txt`

Run this command

auditctl -l > /home/cloud_user/rules.txt

Generate logs by creating a new user and running the `visudo` command

Run this command

useradd bob

Generate the `userwatch.txt` and `sudowatch.txt` reports in `/home/cloud_user` by using the established audit keys `userwatch` and sudowatch

Run this command

ausearch -k userwatch > /home/cloud_user/userwatch.txt
ausearch -k sudowatch > /home/cloud_user/sudowatch.txt

Full Video

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

A Website.

Up ↑

%d bloggers like this: