Which parts of system changed and by who?


Postby hack3rcon » 2019-08-17 05:54

Hello,
How can I find out which parts of the system changed and by whom? For example, the IP address of a NIC or the content of a file.

Thank you.
hack3rcon
 
Posts: 293
Joined: 2015-02-16 09:54

Re: Which parts of system changed and by who?

Postby ruwolf » 2019-08-17 20:29

You probably want something like auditd.
ruwolf
 
Posts: 392
Joined: 2008-02-18 05:04
Location: Slovakia, Banovce nad Bebravou, Matice slovenskej 1260/4-7

Re: Which parts of system changed and by who?

Postby hack3rcon » 2019-08-19 10:34

ruwolf wrote: You probably want something like auditd.

I guess it is installed by default? A log file like "audit" under the "var" directory never tells me which parts of the system changed. For example, the IP address of eth0 was 192.168.0.1 and the "jason" user changed it to "192.168.0.2".
hack3rcon
 
Posts: 293
Joined: 2015-02-16 09:54

Re: Which parts of system changed and by who?

Postby ruwolf » 2019-08-19 12:03

I do not think it is installed by default.
You should install it and configure it for the file(s) you want to monitor...
ruwolf
 
Posts: 392
Joined: 2008-02-18 05:04
Location: Slovakia, Banovce nad Bebravou, Matice slovenskej 1260/4-7

Re: Which parts of system changed and by who?

Postby hack3rcon » 2019-08-20 07:01

I installed it and did a test as below:
Code:
# auditctl -w "/etc/networks" -k "network_log"

Then I opened that file with "nano" and added a comment line, then:
Code:
# ausearch -k "network_log" | aureport -f -i

But it can't show me the line that I added.
Any idea?
hack3rcon
 
Posts: 293
Joined: 2015-02-16 09:54
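
Added example, not posted by anyone in this thread: a watch rule like the one above makes auditd record who accessed the file and with which program, not the text that was changed. The Python sketch below parses constructed records in the raw audit.log layout (trimmed to the fields it uses) and reports login uid (auid), effective uid, program and path for a given key; the sample lines, uid values and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the raw /var/log/audit/audit.log layout (not real log data).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1566284460.512:812): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2254 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="nano" exe="/bin/nano" key="network_log"
type=CWD msg=audit(1566284460.512:812): cwd="/root"
type=PATH msg=audit(1566284460.512:812): item=0 name="/etc/" inode=131073 nametype=PARENT
type=PATH msg=audit(1566284460.512:812): item=1 name="/etc/networks" inode=131542 nametype=NORMAL
type=SYSCALL msg=audit(1566284499.101:830): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=2301 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="other_key"
type=PATH msg=audit(1566284499.101:830): item=0 name="/etc/hostname" inode=131500 nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial; one event spans several record types."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        if rtype == "SYSCALL":
            ev.update(fields)  # auid, uid, euid, exe, key live on this record
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields["name"])  # skip the parent directory entry
    return events

def who_touched(text, key):
    """Return (serial, login uid, effective uid, program, paths) per event with this key."""
    return [(s, e["auid"], e["euid"], e["exe"], e["paths"])
            for s, e in sorted(parse_events(text).items()) if e.get("key") == key]

if __name__ == "__main__":
    for row in who_touched(SAMPLE_LOG, "network_log"):
        print(row)
```

The auid field keeps the uid of the original login even after su or sudo, which is why it answers "by whom" better than uid alone.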

