Old 06-09-2010, 03:37 PM
first look at audit system, question for RH experts

Hi all,

I'm studying the audit system to get my systems more controlled and I have
found some useful links

and I have included this rule in the audit.rules:
-w /etc/passwd -p rw -k passwd-file

and now when I do cat /etc/passwd I get this

#ausearch -ts today -k passwd-file
time->Wed Jun 9 17:37:39 2010
type=PATH msg=audit(1276097859.672:788685): item=0 name="/etc/passwd"
inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1276097859.672:788685): cwd="/etc/audit"
type=SYSCALL msg=audit(1276097859.672:788685): arch=40000003 syscall=5
success=yes exit=3 a0=bffe3b14 a1=8000 a2=0 a3=8000 items=1 ppid=19578
pid=28972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 ses=20293 comm="cat" exe="/bin/cat"
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file"

and this is great but, what else can I do? Has RHEL 5 any tool to alert me
when this event happens? (I know that there are tools like swatch, logwatch,
fail2ban... but I want to know how a RHCE will do this task (you can't
install anything that is not in the distro))
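
One way to turn the ausearch records shown in the post into one-line alerts using only sh and awk, as an added example that is not part of the original post or of the audit package. The function name `audit_key_alerts`, the ALERT line format, and the second and third sample events (including the `shadow-file` key) are constructed for illustration; the read/write distinction is decoded only for `arch=40000003 syscall=5`, the i386 open call seen in the post's record.

```shell
# Added example, not from the original post. Reads audit records on stdin (one
# per line) and prints one ALERT line per event whose SYSCALL record has the key.
audit_key_alerts() {
    awk -v want="${1:-passwd-file}" '
    # Value of " name=value" in the current record, with quotes stripped.
    function field(name,    v) {
        if (!match($0, " " name "=[^ ]+")) return ""
        v = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    # Access mode of open(2): the low two bits of the hex flags word in a1.
    function open_mode(a1,    d) {
        d = (index("0123456789abcdef", tolower(substr(a1, length(a1)))) - 1) % 4
        return d == 0 ? "read" : "write"
    }
    match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
        id = substr($0, RSTART + 10, RLENGTH - 11)   # "timestamp:serial"
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if ($0 ~ /^type=PATH /) path[id] = field("name")
        if ($0 ~ /^type=SYSCALL /) {
            key[id] = field("key"); exe[id] = field("exe")
            auid[id] = field("auid"); uid[id] = field("uid")
            mode[id] = "unknown"   # flags decoded only for open on i386
            if (field("arch") == "40000003" && field("syscall") == "5")
                mode[id] = open_mode(field("a1"))
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (key[id] != want) continue
            printf "ALERT key=%s event=%s path=%s mode=%s auid=%s uid=%s exe=%s\n",
                   want, id, path[id], mode[id], auid[id], uid[id], exe[id]
        }
    }'
}
# Constructed sample: the event from the post (unwrapped) plus two invented events.
sample_records() {
cat <<'EOF'
type=PATH msg=audit(1276097859.672:788685): item=0 name="/etc/passwd" inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1276097859.672:788685): arch=40000003 syscall=5 success=yes exit=3 a0=bffe3b14 a1=8000 a2=0 a3=8000 items=1 ppid=19578 pid=28972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=20293 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file"
type=SYSCALL msg=audit(1276097900.101:788690): arch=40000003 syscall=5 success=yes exit=3 a0=9c4e2a8 a1=8241 a2=1b6 a3=8241 items=1 ppid=19578 pid=29010 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=20293 comm="bash" exe="/bin/bash" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file"
type=PATH msg=audit(1276097900.101:788690): item=0 name="/etc/passwd" inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1276097950.333:788701): arch=40000003 syscall=5 success=yes exit=3 a0=bf91c3d4 a1=8000 a2=0 a3=8000 items=1 ppid=19578 pid=29044 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=20293 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="shadow-file"
type=PATH msg=audit(1276097950.333:788701): item=0 name="/etc/shadow" inode=1849200 dev=08:05 mode=0100400 ouid=0 ogid=0 rdev=00:00
EOF
}
sample_records | audit_key_alerts passwd-file
```

Records are grouped by the `timestamp:serial` pair inside `msg=audit(...)`, so the summary is the same whether PATH or SYSCALL comes first in the input.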

