Enable audit for specific file.
--------------------------------
[root@power tmp]# auditctl -w /etc/passwd -p war -k password-file
* -w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file called /etc/passwd.
* -p war : Set the permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
* -k password-file : Set a filter key on the /etc/passwd watch. password-file is a filter key (a string of text that can be up to 31 bytes long) that uniquely identifies the audit records produced by the watch. Use the password-file string when searching the audit logs.
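The following added example, not part of the original post, shows what a search by the password-file key does on raw audit.log records: it groups records by event id and reports who touched the watched file. The sample log lines, the function name events_for_key and all field values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit.log format (not taken from the page).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1266381061.315:3201): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2786 pid=2813 auid=500 uid=0 gid=0 tty=pts0 comm="vi" exe="/bin/vi" key="password-file"
type=CWD msg=audit(1266381061.315:3201):  cwd="/root"
type=PATH msg=audit(1266381061.315:3201): item=0 name="/etc/passwd" inode=1835042 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1266381090.101:3202): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2786 pid=2820 auid=500 uid=0 gid=0 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1266381090.101:3202): item=0 name="/etc/hosts" inode=1835010 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1266381122.877:3203): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3001 pid=3015 auid=501 uid=501 gid=501 tty=pts1 comm="cat" exe="/bin/cat" key="password-file"
type=PATH msg=audit(1266381122.877:3203): item=0 name="/etc/passwd" inode=1835042 dev=fd:00 mode=0100644 ouid=0 ogid=0
"""

# Every record starts with its type and the event id "audit(<epoch>:<serial>)".
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def events_for_key(log_text, key):
    """Return one summary dict per audit event whose SYSCALL record carries `key`."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        event = events[(float(ts), int(serial))]  # records of one event share this id
        if rtype == "SYSCALL":
            event.update(fields)  # who, which program, and the rule key
        elif rtype == "PATH":
            event["paths"].append(fields.get("name"))  # which file was touched
    hits = []
    for (ts, serial), ev in sorted(events.items()):
        if ev.get("key") == key:
            hits.append({"serial": serial, "time": ts, "auid": ev.get("auid"),
                         "uid": ev.get("uid"), "exe": ev.get("exe"),
                         "success": ev.get("success"), "paths": ev["paths"]})
    return hits

if __name__ == "__main__":
    for hit in events_for_key(SAMPLE_LOG, "password-file"):
        print(hit)
```

On a live system the same search is `ausearch -k password-file`. The auid field is the login UID, so it still identifies the original user after a switch to root.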
aureport is a tool that produces summary reports of the audit system logs.
[root@power ~]# aureport
Summary Report
======================
Range of time in logs: 12/18/2009 10:54:25.260 - 02/17/2010 10:01:01.315
Selected time for report: 12/18/2009 10:54:25 - 02/17/2010 10:01:01.315
Number of changes in configuration: 68
Number of changes to accounts, groups, or roles: 10
Number of logins: 65
Number of failed logins: 95
Number of authentications: 87
Number of failed authentications: 90
Number of users: 2
Number of terminals: 18
Number of host names: 4
Number of executables: 35
Number of files: 6
Number of AVC's: 1
Number of MAC events: 4
Number of failed syscalls: 5
Number of anomaly events: 236
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 832
Number of events: 3259