These steps can be used to monitor file access to critical
files in real time.
Perform these steps:
- Set up a list of critical files to be monitored for changes,
for example all files in /etc, and configure them
for FILE_Write events in the objects file (awk prints $0, the whole
line, so that a path containing spaces is not truncated):
    find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$0)}' >> /etc/security/audit/objects
- Set up stream auditing to list all file writes. (This example
lists all file writes to the console, but in a production environment
you might want to have a backend that sends the events into an Intrusion
Detection System.) The /etc/security/audit/streamcmds file is similar to the following:
    /usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" |
    auditpr -hhelpPRtTc -v > /dev/console &
- Set up STREAM mode auditing in /etc/security/audit/config, add a class for
the file write events, and assign that class to every user who should be
audited (the event name must match FILE_Write exactly, as used in the
objects file):
    start:
        binmode = off
        streammode = on
    stream:
        cmds = /etc/security/audit/streamcmds
    classes:
        filemon = FILE_Write
    users:
        root = filemon
        afx = filemon
    ...
- Now run audit start. All FILE_Write events are displayed on the console.
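The objects-file step above appends a stanza for every file each time it is run. The following script is an added example (not part of the AIX documentation) that builds the same stanzas but skips files that already have one, so it can be re-run safely; the function names and the scratch output file are assumptions, and it is meant to be pointed at /etc/security/audit/objects only after the generated output has been reviewed.

```sh
#!/bin/sh
# Added example, not AIX-supplied code. Generates objects-file stanzas of the
# form used on this page:
#   <path>:
#       w = FILE_Write
# for every regular file under DIR, skipping paths that already have a stanza.

# gen_objects_stanzas DIR OBJECTS_FILE
gen_objects_stanzas() {
    dir=$1
    objfile=$2
    [ -f "$objfile" ] || : > "$objfile"
    # IFS= and -r keep the path exactly as find printed it (spaces, backslashes);
    # paths containing a newline are not handled.
    find "$dir" -type f | while IFS= read -r path; do
        # A stanza header is the full path followed by ':' on a line of its own;
        # -x -F matches that whole line literally, so a re-run adds nothing.
        if ! grep -qxF "$path:" "$objfile"; then
            printf '%s:\n\tw = FILE_Write\n\n' "$path" >> "$objfile"
        fi
    done
}

# count_stanzas OBJECTS_FILE: number of stanza headers (lines ending in ':')
count_stanzas() {
    grep -c ':$' "$1"
}
```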