
Audit Files And Directories


date: 2016-03-24T15:06:19


Audit files

auditctl -w /etc/passwd -p rwxa

Where:

  • -w path: inserts a watch for the file system object at path. In the example above, auditd will watch the /etc/passwd file

  • -p: describes the permission access type that a file system watch will trigger on

  • rwxa: the access types passed to the -p parameter above. r is read, w is write, x is execute and a is attribute change

  • If ‘-p xxx’ is not specified, all kinds of access are logged

Audit directories

To audit directories, we use a similar command:

auditctl -w /production/

The above command will watch any access to the /production directory.
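
Reading what these two watches log, as an added example that is not part of the original post: each access produces several records (SYSCALL, CWD, PATH) sharing one audit(timestamp:serial) id, and the PATH name can be relative to the CWD record. The log lines below are constructed samples in the audit.log format, and the function names are hypothetical.

```python
import posixpath
import re
from collections import defaultdict

WATCHED = ("/etc/passwd", "/production")  # the two watches set with auditctl -w above

# Constructed sample records (not captured from a real host); key=(null) because no -k was given.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1458831979.101:421): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2101 pid=2150 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1458831979.101:421): cwd="/root"
type=PATH msg=audit(1458831979.101:421): item=0 name="/etc/passwd" inode=131123 nametype=NORMAL
type=SYSCALL msg=audit(1458832001.550:422): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2300 pid=2311 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1458832001.550:422): cwd="/production"
type=PATH msg=audit(1458832001.550:422): item=0 name="app/config.yml" inode=262201 nametype=NORMAL
type=SYSCALL msg=audit(1458832050.007:423): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2300 pid=2320 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="other_rule"
type=CWD msg=audit(1458832050.007:423): cwd="/home/dev"
type=PATH msg=audit(1458832050.007:423): item=0 name="/etc/hostname" inode=131200 nametype=NORMAL
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records that share one audit(timestamp:serial) id into one event."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(2)][fields.get("type", "?")].append(fields)
    return events

def watched_accesses(log_text, watched=WATCHED):
    """Return (serial, auid, exe, absolute path, success) for events touching a watched path."""
    hits = []
    for serial, recs in parse_events(log_text).items():
        if not recs["SYSCALL"]:
            continue
        sc = recs["SYSCALL"][0]
        cwd = recs["CWD"][0]["cwd"] if recs["CWD"] else "/"
        for p in recs["PATH"]:
            # PATH names may be relative; resolve them against the event's CWD record.
            full = posixpath.normpath(posixpath.join(cwd, p["name"]))
            if any(full == w or full.startswith(w.rstrip("/") + "/") for w in watched):
                hits.append((serial, sc["auid"], sc["exe"], full, sc["success"]))
    return hits

if __name__ == "__main__":
    for hit in watched_accesses(SAMPLE_LOG):
        print(hit)
```

The auid field is the login uid, so it still identifies the original user when uid is 0 after sudo or su.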