Which parts of system changed and by who?

Message

hack3rcon · #1 Post by **hack3rcon** » 2019-08-17 05:54

Hello,
How can I find which parts of system changed and by who? For example, the IP address of a NIC or content of a file.

Thank you.

ruwolf · #2 Post by **ruwolf** » 2019-08-17 20:29

You probably want something like auditd.

hack3rcon · #3 Post by **hack3rcon** » 2019-08-19 10:34

ruwolf wrote:You probably want something like auditd.

I guess it is installed by default? A log file like "audit" under "var" directory never tell me that which parts of system changed. For example, the IP address of eth0 was 192.168.0.1 and "jason" user changed it to "192.168.0.2" .

ruwolf · #4 Post by **ruwolf** » 2019-08-19 12:03

I do not think, it is installed by default.
You should install it and configure it for which file(s) you want to monitor...

hack3rcon · #5 Post by **hack3rcon** » 2019-08-20 07:01

I installed it and did a test as below:

Code: Select all

# auditctl -w "/etc/networks" -k "network_log"

Then open that file with "nano" and added a comment line then:

Code: Select all

# ausearch -k "network_log" | aureport -f -i

But it can't show me the line that I added.
Any idea?

Debian User Forums

Which parts of system changed and by who?

Which parts of system changed and by who?

Re: Which parts of system changed and by who?

Re: Which parts of system changed and by who?

Re: Which parts of system changed and by who?

Re: Which parts of system changed and by who?