06-08-2008
how to enable file auditing
Hi expert ,
Can you show me the steps to enable file auditing ? Thanks .
10 More Discussions You Might Find Interesting
1. Solaris
Hi, I was wondering if anyone has had the problem I'm having or knows how to fix it. I need to audit one of our servers at work. I turned on BSM auditing and modified the audit_control file to only flag the "lo" class(login/outs) then I rebooted. I viewed the log BSM created and it shows a whole... (0 Replies)
Discussion started by: BlueKalel
0 Replies
2. UNIX for Dummies Questions & Answers
Hello everbody:
I have a file on the system, I need to check who was the last user who accessed or modified it, and if i can get any further details i can get like IP or access time,etc.
do you have any idea about simple concept or way i can do that in unix tru64 or solaris 9?
thanks in advance... (2 Replies)
Discussion started by: aladdin
2 Replies
3. Solaris
How do I setup audit to alert on write conditions for individual files? Thanks. (3 Replies)
Discussion started by: dxs
3 Replies
4. UNIX for Advanced & Expert Users
:)I need a little help. I have sent all of our logs to our log server, but I can't send the audit logs that are in /var/log/audit.log. Can someone give me some type of idea to transfer these logs.
Thank You (2 Replies)
Discussion started by: aojmoj
2 Replies
5. UNIX for Advanced & Expert Users
Hi All,
I have a requirement to report us on changing a group of static files.
Those are the binary files that run in Production every day.
Due to the in sercure environment situations, I found many are indulging in there own changes to the binaries by doing some changes in the souce code.
... (1 Reply)
Discussion started by: mohan_kumarcs
1 Replies
6. UNIX for Advanced & Expert Users
Hello,
We need to log the operations that specific user on Solaris 10 (SPARC) is performing on one directory and it's contents. I was able to configure solaris auditing service (auditd) and it works fine. The only problem is that auditd logs huge amount of unneeded information. We need to log... (0 Replies)
Discussion started by: +Yan
0 Replies
7. Solaris
I want to periodically check if ASCII password/config files on Unix have 400 or 600 access. Folders and files are owned by designated group and user. Folders and Files do not have world write access.
Are there any tools/scripts available for this kind of auditing that I can use on Solaris? (7 Replies)
Discussion started by: kchinnam
7 Replies
8. Shell Programming and Scripting
I need a command line that will ls -l a directory and pick (grep?) all files that don't match a desired owner without losing track of the filename at any point. This way I can list later on "here are all the files with an incorrect owner". Thanks in advance (4 Replies)
Discussion started by: stevensw
4 Replies
9. SCO
edit: solution found
Auditing Quick Start and Compatibility Notes (1 Reply)
Discussion started by: Linusolaradm1
1 Replies
10. Solaris
Hello Solaris Team,
We would like to implement some audit policy (using a log file) in Solaris 10 in order to record the following data in columns per all users:
1. Date
2. Time
3. User
4. Command executed
5. Terminal
6. IP Address
Could you please help me in order to... (2 Replies)
Discussion started by: csierra
2 Replies
LEARN ABOUT CENTOS
pam_tty_audit
PAM_TTY_AUDIT(8) Linux-PAM Manual PAM_TTY_AUDIT(8)
NAME
pam_tty_audit - Enable or disable TTY auditing for specified users
SYNOPSIS
pam_tty_audit.so [disable=patterns] [enable=patterns]
DESCRIPTION
The pam_tty_audit PAM module is used to enable or disable TTY auditing. By default, the kernel does not audit input on any TTY.
OPTIONS
disable=patterns
For each user matching one of comma-separated glob patterns, disable TTY auditing. This overrides any previous enable option matching
the same user name on the command line.
enable=patterns
For each user matching one of comma-separated glob patterns, enable TTY auditing. This overrides any previous disable option matching
the same user name on the command line.
open_only
Set the TTY audit flag when opening the session, but do not restore it when closing the session. Using this option is necessary for
some services that don't fork() to run the authenticated session, such as sudo.
log_passwd
Log keystrokes when ECHO mode is off but ICANON mode is active. This is the mode in which the tty is placed during password entry. By
default, passwords are not logged. This option may not be available on older kernels (3.9?).
MODULE TYPES PROVIDED
Only the session type is supported.
RETURN VALUES
PAM_SESSION_ERR
Error reading or modifying the TTY audit flag. See the system log for more details.
PAM_SUCCESS
Success.
NOTES
When TTY auditing is enabled, it is inherited by all processes started by that user. In particular, daemons restarted by an user will still
have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled. Therefore, it is
recommended to use disable=* as the first option for most daemons using PAM.
To view the data that was logged by the kernel to audit use the command aureport --tty.
EXAMPLES
Audit all administrative actions.
session required pam_tty_audit.so disable=* enable=root
SEE ALSO
aureport(8), pam.conf(5), pam.d(5), pam(8)
AUTHOR
pam_tty_audit was written by Miloslav Trma <mitr@redhat.com>. The log_passwd option was added by Richard Guy Briggs <rgb@redhat.com>.
Linux-PAM Manual 09/04/2013 PAM_TTY_AUDIT(8)