    How to Apply Audit Rules in Linux to Check Which Commands Were Executed by Root

    Solution:

    1. Edit the file /etc/audit/audit.rules and add a rule that records every execve() system call made by uid 0 (the rule must match the architecture of the system, so pick the right one below):
    2. For 32-bit systems: -a entry,always -F arch=b32 -F uid=0 -S execve
    3. For 64-bit systems: -a entry,always -F arch=b64 -F uid=0 -S execve
    TIP: the entry list is deprecated in RHEL 6; use exit instead of entry.
    Note: uid=0 matches the process's user ID, so commands run through su or sudo are recorded too; the auid field of each record shows the login user who started the session.
    4. To track specific commands, add watch rules like the following (choose your own paths). A -w rule without -p records every access to the path (read, write, execute and attribute change), not only execution:
    -w /sbin/reboot
    -w /sbin/shutdown
    -w /sbin/init

    5. To apply the rules (enable auditd at boot and reload the rule file):
    chkconfig auditd on
    service auditd restart

    6. To search the logs (-if names the input file, -i translates numeric fields such as uid and syscall into names):

    ausearch -if /var/log/audit/audit.log -i | less
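    The rules above produce paired SYSCALL and EXECVE records that share one event serial, and the EXECVE record carries the argv. As an added example (not part of the original post), this Python script reconstructs the commands run by uid 0 from constructed sample lines in /var/log/audit/audit.log format, including the hex-encoded form auditd uses for arguments containing spaces; the x86 syscall numbers and sample events are assumptions, not captures from a real system.

```python
import re
from collections import defaultdict

# execve syscall number per x86 arch field (b64 -> c000003e, b32 -> 40000003)
EXECVE_BY_ARCH = {"c000003e": 59, "40000003": 11}

# Constructed sample events in audit.log format (not real captured records)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="rootcmd"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.102:502): argc=1 a0="ls"
type=SYSCALL msg=audit(1700000000.103:503): arch=40000003 syscall=11 success=yes exit=0 ppid=2000 pid=2003 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/bin/sh" key="rootcmd"
type=EXECVE msg=audit(1700000000.103:503): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one record into (type, timestamp, serial, {field: raw value})."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, float(ts), int(serial), dict(FIELD.findall(rest))

def decode_arg(raw):
    """Quoted args are plain text; unquoted hex means the arg had spaces/non-printables."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def root_commands(log_text):
    """Return [(serial, auid, argv)] for every successful execve made by uid 0."""
    events = defaultdict(dict)          # serial -> {record type: fields}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            rtype, _ts, serial, fields = parsed
            events[serial][rtype] = fields
    found = []
    for serial in sorted(events):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex or sc.get("uid") != "0":
            continue
        if int(sc.get("syscall", -1)) != EXECVE_BY_ARCH.get(sc.get("arch")):
            continue                    # not an execve for this arch
        argc = int(ex.get("argc", 0))   # very long args split into aN[0], aN[1] are not handled
        argv = [decode_arg(ex[f"a{i}"]) for i in range(argc) if f"a{i}" in ex]
        found.append((serial, sc.get("auid"), argv))
    return found

if __name__ == "__main__":
    for serial, auid, argv in root_commands(SAMPLE_LOG):
        print(f"event {serial} login-uid {auid}: {' '.join(argv)}")
```

The uid=1000 event is skipped, so the script reports only the two root executions, keyed by the login user (auid) that started the session.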