Issue:
What rules can be created to monitor file deletion operation.
Solution:
Add these two entries to /etc/audit/audit.rules (one for 32-bit and one for 64-bit syscalls, both tagged with the key "delete" so they can be filtered later):
# vi /etc/audit/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k delete
After writing the rules, restart the auditd service and enable it so the rules are retained across reboots.
# /etc/init.d/auditd restart
# chkconfig auditd on
To test, create a file and then delete it.
# touch testing
# rm -rf testing
Watch the log at the path below for records carrying key="delete".
# tail -f /var/log/audit/audit.log
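As an added example (not part of the original post), the shell function below shows what to look for in that log: it correlates each SYSCALL record tagged key="delete" with the PATH record of the same event whose nametype is DELETE, and reports the login uid (auid), the command and the deleted name. The audit.log lines it runs on are constructed for this example; on a live system the same correlation is what `ausearch -k delete` performs.

```shell
#!/bin/sh
# Report file deletions recorded by the "-k delete" rules.
# Records of one audit event share the msg=audit(timestamp:serial) token;
# the SYSCALL record comes first, followed by CWD and PATH records.

list_deletes() {
    awk '
    # Event id shared by all records of one event.
    { match($0, /msg=audit\([^)]*\)/); id = substr($0, RSTART, RLENGTH) }

    # Remember who/what triggered a delete-keyed syscall.
    $1 == "type=SYSCALL" && /key="delete"/ {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid") auid[id] = kv[2]
            if (kv[1] == "comm") comm[id] = kv[2]
        }
        seen[id] = 1
    }

    # The PATH item with nametype=DELETE names the removed (or renamed-away) file.
    $1 == "type=PATH" && /nametype=DELETE/ && (id in seen) {
        for (i = 1; i <= NF; i++)
            if (index($i, "name=") == 1) name[id] = substr($i, 6)
        print auid[id], comm[id], name[id]
    }' "$1"
}

# Number of deletions found in a log file.
count_deletes() {
    list_deletes "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not a real capture): an rm, an mv, and an
# unrelated event keyed "other" that must be ignored.
SAMPLE_LOG="${TMPDIR:-/tmp}/audit_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=12345 a2=0 a3=0 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/bin/rm" key="delete"
type=CWD msg=audit(1700000000.123:456):  cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/root" inode=2 dev=08:01 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="testing" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000001.500:457): arch=c000003e syscall=264 success=yes exit=0 a0=ffffff9c a1=22222 a2=ffffff9c a3=33333 items=4 ppid=1000 pid=1002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mv" exe="/bin/mv" key="delete"
type=CWD msg=audit(1700000001.500:457):  cwd="/root"
type=PATH msg=audit(1700000001.500:457): item=0 name="/root" inode=2 dev=08:01 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000001.500:457): item=1 name="/root" inode=2 dev=08:01 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000001.500:457): item=2 name="old.txt" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1700000001.500:457): item=3 name="new.txt" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000002.000:458): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=44444 a2=0 a3=0 items=2 ppid=1000 pid=1003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/bin/rm" key="other"
type=PATH msg=audit(1700000002.000:458): item=1 name="ignored" inode=1236 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
EOF

# Prints: 1000 "rm" "testing" and 1000 "mv" "old.txt"; the "other"-keyed event is skipped.
list_deletes "$SAMPLE_LOG"
```

Point the function at /var/log/audit/audit.log (as root) to run it against the real log; a rename shows up alongside unlink because the rules above key both syscalls with "delete", and the old name is the one the PATH record marks DELETE.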