Creating and viewing auditd rules

With auditd you can log changes to files and folders on a Linux system. Since everything is a file in Linux, this lets you log events such as user creation, password changes, etc.

Install auditd:

apt install auditd

Edit the rules file and add the desired rules:

nano /etc/audit/rules.d/audit.rules

Audit the main system folders with this rule set:

-w /bin -p w -k bin-folder-change
-w /sbin -p w -k sbin-folder-change
-w /sbin/insmod -p x -k module-insertion
-w /usr/sbin -p w -k usr-sbin-folder-change
-w /usr/bin -p w -k usr-bin-folder-change
-w /usr/local/bin -p w -k usr-local-bin-folder-change
-w /usr/local/sbin -p w -k usr-local-sbin-folder-change
-w /opt/bin -p w -k opt-bin-folder-change
-w /opt/sbin -p w -k opt-sbin-folder-change
-w /lib -p w -k lib-folder-change
-w /usr/lib -p w -k usr-lib-folder-change
-w /usr/local/lib -p w -k usr-local-lib-folder-change
-w /lib64 -p w -k lib64-folder-change
-w /usr/lib64 -p w -k usr-lib64-folder-change
-w /root -p w -k root-folder-change
-w /etc -p w -k etc-folder-change
-w /etc/passwd -p wa -k passwd-change
-w /etc/selinux/ -p wa -k selinux-change

Save the file, then restart the auditd service so the new rules are loaded (if your distribution's auditd.service refuses manual restarts, load the rules with augenrules --load instead):

systemctl restart auditd

What do -w, -p and -k mean in the rules?

-w specifies the file or folder you want to watch
-p specifies the kind of access you want to watch: r (read), w (write), x (execute), a (attribute change, e.g. chmod or chown)
-k attaches a key (tag) that you can use later to filter or search for the events the rule produced

So, "-w /etc -p w -k etc-folder-change" means:

Watch the "/etc" folder, report "write" actions, and tag the resulting events "etc-folder-change"

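The reading of a rule given above, as an added example that is not part of the original page: a POSIX sh linter (my own code, not from the auditd project) that turns each "-w PATH -p PERMS -k KEY" rule into that same sentence and rejects rules with a relative path, unknown -p letters, or no -k key. It assumes the rules file contains only the -w form used on this page; syscall rules written with -a are reported as unsupported.

```shell
#!/bin/sh
# Added example (not part of the original page): turn "-w PATH -p PERMS -k KEY"
# rules into the plain-English reading used above and reject malformed ones.
# Pure POSIX sh; it never calls auditctl, so it runs anywhere.

# perm_words: expand -p letters (r,w,x,a) into words; rc 1 on an unknown letter.
perm_words() {
    letters=$1 out=""
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}   # first character of what is left
        letters=${letters#?}
        case $c in
            r) word=read ;;  w) word=write ;;  x) word=execute ;;
            a) word="attribute change" ;;   # chmod/chown/xattr; not implied by w
            *) return 1 ;;
        esac
        out="${out:+$out, }$word"
    done
    printf '%s\n' "$out"
}
# describe_rule -w PATH -p PERMS -k KEY  -> one description line, or rc 1 + stderr
describe_rule() {
    path="" perms="" key=""
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { printf 'error: %s needs a value\n' "$1" >&2; return 1; }
        case $1 in
            -w) path=$2 ;;  -p) perms=$2 ;;  -k) key=$2 ;;
            *) printf 'error: unsupported option %s\n' "$1" >&2; return 1 ;;
        esac
        shift 2
    done
    case $path in /*) ;; *) printf 'error: -w needs an absolute path\n' >&2; return 1 ;; esac
    [ -n "$perms" ] || { printf 'error: %s: this linter requires -p\n' "$path" >&2; return 1; }
    [ -n "$key" ] || { printf 'error: %s has no -k key to search by\n' "$path" >&2; return 1; }
    words=$(perm_words "$perms") || { printf 'error: bad -p letters "%s"\n' "$perms" >&2; return 1; }
    printf 'Watch "%s", report %s actions, tag as "%s"\n' "$path" "$words" "$key"
}

# lint_rules: rules file on stdin -> one line per rule; rc = number of bad rules.
lint_rules() {
    bad=0
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        # word-splitting $line is intended (paths with spaces are not supported)
        describe_rule $line || bad=$((bad + 1))
    done
    return $bad
}
describe_rule -w /etc -p w -k etc-folder-change   # the rule walked through above
```

Run it over your rules file with "lint_rules < /etc/audit/rules.d/audit.rules" to get a readable listing and a non-zero exit status if any rule is malformed.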

You can list your rules with this command:

auditctl -l

You can search the audit log for events that triggered your rules with this command:

ausearch

For example, you can list the events that triggered the "etc-folder-change" rule with this command (-i interprets numeric fields such as uids and syscall numbers into names):

ausearch -i -k etc-folder-change

In the screenshot you can see that the creation of /etc/test.txt was captured by our "etc-folder-change" rule.