Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: user auditing
Top Forums Shell Programming and Scripting user auditing Post 302431443 by ygemici on Tuesday 22nd of June 2010 02:01:36 AM
Old 06-22-2010
Quote:
Originally Posted by tonijel
Hi guys,
i am not on solaris, i am on red hat ..
How can i do such detailed audit on red hat ?
Such auditing that would enable me to see what commands did userA executed
when i was logged with userA in winscp..
Smilie
if i do summarize issue

1-) determine the settings

let know default settings is in
Code:
# cat /etc/auditd.conf

and you can change or specialize this to man auditd.conf
you can leave any change too if you wish Smilie

2-) write rules

you must set up watch rules by auditctl (man auditctl for details)
watch myfolder for read write execution for id user with 500 --> UserA

Code:
# auditctl -w /myfolder/ -p rwx -F auid=500

and we save this rules in audit.rules for permanent

Code:
 
# vi /etc/audit.rules
.....
.....
-w /myfolder/ -p rwxa -F auid=500

-w --> watch path
-p --> permission (rwxa , read write , executive , attribute change )
-F auid --> watch this user
...
...

3-) start service
Code:
# service auditd start

4-) check results
and for log analysis i can advice below app

seaudit
Using seaudit for Audit Log Analysis
or
auditviewer
https://fedorahosted.org/audit-viewe...iewerDownloads


Regards
ygemici
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Question about Auditing

I was just going thru the auditing script .. 2 questions pop in mind .. Why did they move S81volmgmt .. What is the logic behind not loading it .. 2) Why the purpose of the device allocate entries (2 Replies)
Discussion started by: DPAI
2 Replies

2. AIX

Auditing User administrator

Background: I a trying to audit user administration on a AIX box. I am trying to make sure that any changes made by the System administrator to the user accounts (Add users, changing their attributes or deleting users) are accompanied by authorization i.e. the system admin does not make any... (0 Replies)
Discussion started by: gladiator
0 Replies

3. AIX

User Auditing

i want to audit user commands .. keep track of what commands each user has been giving .. can this be done by writing a script in engraving it in .profile of the user. or is there any other way of doing this ... rgds raj (2 Replies)
Discussion started by: rajesh_149
2 Replies

4. HP-UX

Auditing User's actions

Hi all I hope to find what i'm looking for in this forum as said in the topic i want to track user's actions on the system. i mean also the action of moving or removing files. I have an HP 9000 with HP UX 11i. the users log on the HP from a terminal window under WIndows XP Thx (3 Replies)
Discussion started by: Timberland
3 Replies

5. Solaris

Solaris 9 Auditing

How do I setup audit to alert on write conditions for individual files? Thanks. (3 Replies)
Discussion started by: dxs
3 Replies

6. UNIX for Advanced & Expert Users

Auditing

:)I need a little help. I have sent all of our logs to our log server, but I can't send the audit logs that are in /var/log/audit.log. Can someone give me some type of idea to transfer these logs. Thank You (2 Replies)
Discussion started by: aojmoj
2 Replies

7. Shell Programming and Scripting

Script for Oracle user activity auditing

Hi All, I need to put in place a UNIX shell script that calls three sql scripts & reports to the DBAs. I already have the three sql scripts in place & they perform the following database auditing actions: 1. actions.sql This script queries the DBA_AUDIT _TRAIL table to look for database user... (2 Replies)
Discussion started by: divroro12
2 Replies

8. Solaris

Solaris user auditing

Hello, I was wondering when Solaris auditing is enabled, If it is possible to keep track of users that are allowed to sudo to root. In other words, I would like to know which user did what on my Solaris box. (assumig that user can "sudo su -" ) Thanks. (2 Replies)
Discussion started by: niyazi
2 Replies

9. AIX

AIX auditing

In our customer place somebody removed and PV from the server. I want the information like which user removed this PV. Is there any way to get PV removal information. When did the PV removed from the server ? Whether AIX auding will help ? Where i can get these information ? Thank... (2 Replies)
Discussion started by: sunnybee
2 Replies

10. AIX

User auditing from AIX server

I am trying to find out the information of my local desktop when i use putty to login to an AIX server. This is what I do: 1. login to my PC 2. take a putty session to an AIX server Can i get information of my local desktop from the AIX server ? Is there a command available ? Thanks (8 Replies)
Discussion started by: Nagesh_1985
8 Replies

LEARN ABOUT SUSE

auditd

AUDITD(8)						  System Administration Utilities						 AUDITD(8)

NAME

       auditd - The Linux Audit daemon

SYNOPSIS

       auditd [-f] [-l] [-n] [-s disable|enable|nochange]

DESCRIPTION

       auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is
       done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the  rules	in
       /etc/audit/audit.rules  are  read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize.
       They are found in the auditd.conf file.

OPTIONS

       -f     leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.

       -l     allow the audit daemon to follow symlinks for config files.

       -n     no fork. This is useful for running off of inittab

       -s=ENABLE_STATE
	      specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "dis-
	      able",  "enable"	or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be
	      changed during the lifetime of auditd using 'auditctl -e'.

SIGNALS

       SIGHUP causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed
	      to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not success-
	      ful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action	parameters
	      in auditd.conf.

       SIGTERM
	      caused auditd to discontinue processing audit events, write a shutdown audit event, and exit.

       SIGUSR1
	      causes auditd to immediately rotate the logs. It will consult the max_log_size_action to see if it should keep the logs or not.

       SIGUSR2
	      causes auditd to attemp to resume logging. This is usually used after logging has been suspended.

FILES

       /etc/audit/auditd.conf - configuration file for audit daemon

       /etc/audit/audit.rules - audit rules to be loaded at startup

NOTES

       A  boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the
       kernel. Not doing that will make a few processes impossible to properly audit.

       The audit daemon can receive audit events from other audit daemons via the audisp-remote audispd plugin. The audit  daemon  may	be  linked
       with tcp_wrappers to control which machines can connect. If this is the case, you can add an entry to hosts.allow and deny.

SEE ALSO

       auditd.conf(5), audispd(8), ausearch(8), aureport(8), auditctl(8), audit.rules(7).

AUTHOR

       Steve Grubb

Red Hat 							     Sept 2007								 AUDITD(8)
All times are GMT -4. The time now is 07:12 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy