Monitoring file access to critical files in real time

These steps use STREAM mode auditing to report every write to a set of critical files as it happens, so that the events can be watched on the console or forwarded to an external system.

Perform these steps:
  1. Set up a list of critical files to be monitored for changes, for example all regular files in /etc, and configure each of them for FILE_Write events by appending a stanza to the objects file (the command appends, so run it once or the file collects duplicate stanzas):
    find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects
  2. Set up stream auditing to list all file writes. (This example prints the FILE_Write events to the console; in a production environment you would usually replace the console with a backend that sends the events to an Intrusion Detection System.) The /etc/security/audit/streamcmds file is similar to the following:
    /usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" |
    auditpr  -hhelpPRtTc -v > /dev/console &
  3. Set up STREAM mode auditing in /etc/security/audit/config: turn binmode off and streammode on, point the stream stanza at the streamcmds file, define a class that contains the FILE_Write event, and assign that class to every user who should be audited (the event name is case-sensitive and must match the objects file):
    start:
            binmode = off
            streammode = on
    
    stream:
            cmds = /etc/security/audit/streamcmds
    
    classes:
            filemon = FILE_Write
    
    users:
            root = filemon
            afx = filemon
            ...
  4. Now run audit start. From this point on, every FILE_Write event for the monitored files by an audited user is displayed on the console. The objects, streamcmds and config files are read when auditing starts, so after changing any of them run audit shutdown followed by audit start for the new settings to take effect.
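The one-liner in step 1 appends a stanza for every file each time it runs, so repeating it after adding files to /etc leaves duplicate entries in the objects file. The following shell functions are an added example (not code from the original page or from AIX itself) that generates the same "path:" / "w = FILE_Write" stanzas but skips paths that already have a stanza, so the step can be re-run safely. The function names, the directory argument and the objects file path are assumptions chosen for the example; on a real system you would redirect the output into /etc/security/audit/objects.

```shell
#!/bin/sh
# Added example: idempotent generation of AIX objects-file stanzas.
# Assumptions (not from the original page): function names below, and that
# the objects file uses the "path:" header followed by a tab-indented
# "w = FILE_Write" line, as in step 1 of the procedure.

# emit_object_stanzas DIR OBJECTS_FILE
# Prints a stanza for every regular file under DIR that does not already
# have a "path:" header line in OBJECTS_FILE. The caller appends the output
# to OBJECTS_FILE, e.g.:
#   emit_object_stanzas /etc /etc/security/audit/objects >> /etc/security/audit/objects
emit_object_stanzas() {
    dir=$1
    objfile=$2
    find "$dir" -type f | while IFS= read -r path; do
        # Exact, literal line match on "path:" so /etc/host does not
        # shadow /etc/hosts and regex metacharacters in names are harmless.
        if [ -f "$objfile" ] && grep -Fxq "$path:" "$objfile"; then
            continue
        fi
        printf '%s:\n\tw = FILE_Write\n\n' "$path"
    done
}

# count_object_stanzas OBJECTS_FILE
# Number of stanza headers (absolute path followed by a colon) in the file;
# useful as a quick check that a re-run added nothing.
count_object_stanzas() {
    grep -c '^/.*:$' "$1"
}
```

Paths containing whitespace or a colon cannot be expressed in the stanza format shown on this page, so they are not handled specially here; the functions simply emit them as-is, and such entries should be reviewed by hand.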