[Gllug] auditctl
Richard Jones
rich at annexia.org
Wed Aug 5 15:49:33 UTC 2009
On Wed, Aug 05, 2009 at 10:01:08AM +0100, Simon Morris wrote:
> Hello GLLUG,
>
> I'm reading the man page for auditctl and would appreciate any tips or
> tricks with file system auditing.
>
> Basically I'm trying to track 'mysterious' file deletions from a RHEL5
> server - almost certainly a case of users accidentally deleting the file
> and then blaming the IT gremlins.
>
> What's the best way to use auditctl - I plan to ship the audit events to
> a Splunk server using syslog.
I asked someone at work here and he said:
<quote>
You could do:
# auditctl -a exit,always -F dir=/var/tmp -F arch=i386 -S unlink -S unlinkat
# auditctl -a exit,always -F dir=/var/tmp -F arch=x86_64 -S unlink -S unlinkat
This will audit all unlink and unlinkat system calls where the target
path is under /var/tmp. Note that you need both of the above directives
separately on an x86_64 machine.
You can make this persistent by adding the following to
/etc/audit/audit.rules:
-a exit,always -F dir=/var/tmp -F arch=i386 -S unlink -S unlinkat
-a exit,always -F dir=/var/tmp -F arch=x86_64 -S unlink -S unlinkat
</quote>
Rich.
--
Richard Jones
Red Hat
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
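As an added example, not part of Rich's reply or the rest of the thread: a POSIX shell script that emits the two rules above for any directory, tagged with a key (`-k file-delete`, our own choice of name) so `ausearch -k file-delete` and a Splunk search can pick the events out, plus an awk parser that joins the SYSCALL, CWD and PATH records of one event back together to answer Simon's actual question, who deleted what. The audit.log lines it runs over are constructed for the example. It assumes the RHEL5-era record layout, where the unlinked entry is the highest-numbered PATH item and there is no nametype=DELETE field.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the rules from the
# post for a directory on both ABIs and reconstructs "who deleted what"
# from audit.log records. The key name file-delete and the sample
# records below are our own.

# Print the two audit.rules lines for one directory, i386 and x86_64 ABIs,
# tagged with -k so the events can be searched by key.
# Usage: gen_delete_rules /var/tmp >> /etc/audit/audit.rules
gen_delete_rules() {
    dir=$1
    for arch in i386 x86_64; do
        printf '%s -F dir=%s -F arch=%s -S unlink -S unlinkat -k file-delete\n' \
            '-a exit,always' "$dir" "$arch"
    done
}

# Read audit.log records on stdin, print "auid uid comm path" for each
# event tagged file-delete. The records of one syscall share the same
# msg=audit(time:serial) id: SYSCALL carries the uids and command, CWD the
# working directory, and the PATH items the names. RHEL5's kernel has no
# nametype=DELETE field, so we take the highest-numbered PATH item as the
# unlinked entry (item 0 is the parent directory).
who_deleted() {
    awk '
    # value of "key=..." in a record; handles both quoted and bare values
    function field(rec, key,    n) {
        n = length(key)
        if (match(rec, " " key "=\"[^\"]*\""))
            return substr(rec, RSTART + n + 3, RLENGTH - n - 4)
        if (match(rec, " " key "=[^ ]*"))
            return substr(rec, RSTART + n + 2, RLENGTH - n - 2)
        return ""
    }
    {
        id = field($0, "msg")
        if ($1 == "type=SYSCALL" && field($0, "key") == "file-delete") {
            hit[id] = 1
            auid[id] = field($0, "auid")
            uid[id]  = field($0, "uid")
            comm[id] = field($0, "comm")
        } else if ($1 == "type=CWD") {
            cwd[id] = field($0, "cwd")
        } else if ($1 == "type=PATH") {
            item = field($0, "item") + 0
            if (!(id in top) || item >= top[id]) {
                top[id] = item
                name[id] = field($0, "name")
            }
        }
    }
    END {
        for (id in hit) {
            p = name[id]
            if (substr(p, 1, 1) != "/") p = cwd[id] "/" p
            print auid[id], uid[id], comm[id], p
        }
    }' | sort
}

# Constructed audit.log excerpt: an unlinkat via rm on x86_64, an i386
# unlink of an absolute path from a script run as root, and an unrelated
# open() that carries no key and must be ignored.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1249487373.123:4567): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=7fff2a3b4c50 a2=0 a3=0 items=2 ppid=3001 pid=3002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="file-delete"
type=CWD msg=audit(1249487373.123:4567):  cwd="/var/tmp"
type=PATH msg=audit(1249487373.123:4567): item=0 name="/var/tmp" inode=262145 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1249487373.123:4567): item=1 name="report.csv" inode=262150 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1249487401.500:4570): arch=40000003 syscall=10 success=yes exit=0 a0=9e3c010 a1=0 a2=0 a3=0 items=2 ppid=3010 pid=3011 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cleanup.sh" exe="/bin/bash" key="file-delete"
type=CWD msg=audit(1249487401.500:4570):  cwd="/home/bob"
type=PATH msg=audit(1249487401.500:4570): item=0 name="/var/tmp" inode=262145 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1249487401.500:4570): item=1 name="/var/tmp/old.log" inode=262160 dev=fd:00 mode=0100644 ouid=501 ogid=501 rdev=00:00
type=SYSCALL msg=audit(1249487420.000:4575): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1111 a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3020 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1249487420.000:4575):  cwd="/var/tmp"
type=PATH msg=audit(1249487420.000:4575): item=0 name="notes.txt" inode=262170 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
EOF
}

# Demo: rules for /var/tmp, then the parsed sample.
gen_delete_rules /var/tmp
sample_log | who_deleted
```

On the server itself, `gen_delete_rules /var/tmp >> /etc/audit/audit.rules` followed by restarting auditd is the persistent form Rich's colleague describes, and `who_deleted < /var/log/audit/audit.log` (or the stock `ausearch -k file-delete`) does the lookup; once the records are shipped to Splunk, `key="file-delete"` is the field to search on. Note that auid is the login uid, which survives su and sudo, so it is the one to blame rather than uid. One caveat worth knowing before closing the ticket: a file that was overwritten with mv, i.e. rename(2), also disappears without any unlink or unlinkat call, so a rule on `-S rename -S renameat` covers that gap if the deletions stay mysterious.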