In some situations we need to monitor certain files and know when a file was modified,
which action was taken on it, and which user made the change.
On Linux this information comes from the kernel audit subsystem, managed by the
auditd daemon and its auditctl/ausearch tools.
Make sure that the auditd service is running on the server.
If the daemon is not installed, install and start it with the commands below
(RHEL/CentOS, SysV init):
#yum install audit
#/etc/init.d/auditd start
Once auditd is running, add a watch on the file with the command below:
#auditctl -w /etc/shadow -p rwxa -k shadowfile
Here,
auditctl : the command used to add, delete and list audit rules in the running kernel
-w : insert a file system watch; here we are watching the file /etc/shadow
-p : the permissions the watch fires on: r (read), w (write), x (execute) and
a (attribute change, e.g. chmod/chown). Watching only w and a is enough to catch
changes; adding r on a busy file produces a lot of records.
-k : set a filter key on the rule; the key is written into every matching record
and is used later to find them with ausearch
Check that the rule is loaded with #auditctl -l. Rules added with auditctl are lost
on reboot; to make the watch permanent, put the same rule line (without the
auditctl word) in /etc/audit/audit.rules so auditd loads it at startup.
Once the watch is in place, use the command below to see who accessed or changed the file:
#ausearch -f /etc/shadow -i
or, equivalently, search by the key set in the rule:
#ausearch -k shadowfile -i
Here,
-f : search for records whose PATH entry matches the given file name
-k : search for records carrying the given filter key
-i : interpret numeric fields (uid, gid, syscall number, arch, ...) into human
readable names. In the output, auid is the login uid of the user who originally
logged in and uid is the effective uid at the time of the call, so a record with
auid=<user> and uid=0 means that user made the change after su or sudo.
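The example below is added here and is not part of the original post. It puts the procedure above into one script: the rule and the commands a root shell would run are printed (auditctl and ausearch need root and a running auditd, so they are not executed), and then two constructed raw records, in the format auditd writes to /var/log/audit/audit.log, are parsed the way ausearch -i does: the SYSCALL record gives who (auid/uid) and what program (comm/exe), the PATH record with the same msg=audit(time:serial) gives the file name, and numeric uids are turned into names. The log lines, the user table and all ids, inodes and timestamps are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Walks through the auditd watch
# procedure and shows how to read the raw records that `ausearch -i` interprets.

# Step 1: the watch rule. Note: 'a' in -p rwxa is attribute change, not "watch".
AUDIT_RULE='-w /etc/shadow -p rwxa -k shadowfile'

# Step 2: commands a root shell would run (printed only; they need root + auditd).
show_commands() {
    echo "auditctl $AUDIT_RULE"        # load the watch into the running kernel
    echo "auditctl -l"                 # confirm the rule is loaded
    echo "ausearch -k shadowfile -i"   # find matching events; -f /etc/shadow -i also works
}

# CONSTRUCTED sample records in auditd's raw format. Event 1234: a user who
# logged in as uid 1000, became root, and opened /etc/shadow with vim.
# Event 1240: uid 1001 tried to read it and was denied (exit=-13 is EACCES).
# syscall=2 is open() on x86_64 (arch=c000003e).
SAMPLE_LOG='type=SYSCALL msg=audit(1368556432.345:1234): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key="shadowfile"
type=CWD msg=audit(1368556432.345:1234):  cwd="/root"
type=PATH msg=audit(1368556432.345:1234): item=0 name="/etc/shadow" inode=131095 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1368556499.001:1240): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=3 comm="cat" exe="/bin/cat" key="shadowfile"
type=PATH msg=audit(1368556499.001:1240): item=0 name="/etc/shadow" inode=131095 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00'

# Pull "who did what" out of every SYSCALL record whose key matches $1.
# Output, one line per event: serial auid uid success comm exe
# auid (login uid) survives su/sudo; uid is the effective user at call time.
who_touched() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v want="$1" '
        /^type=SYSCALL / {
            split("", r)                         # reset the key=value map per record
            n = split($0, f, " ")
            for (i = 1; i <= n; i++)
                if (split(f[i], kv, "=") == 2) r[kv[1]] = kv[2]
            gsub(/"/, "", r["key"]); gsub(/"/, "", r["comm"]); gsub(/"/, "", r["exe"])
            if (r["key"] != want) next
            # msg=audit(TIMESTAMP:SERIAL): keep the serial that ties SYSCALL/CWD/PATH together
            m = r["msg"]
            match(m, /:[0-9]+\)/)
            serial = substr(m, RSTART + 1, RLENGTH - 2)
            print serial, r["auid"], r["uid"], r["success"], r["comm"], r["exe"]
        }'
}

# What `ausearch -i` does for you: map numeric ids to names.
# Constructed table standing in for /etc/passwd on the example host.
USERS='0:root 1000:alice 1001:bob'
uid_to_name() {
    for entry in $USERS; do
        [ "${entry%%:*}" = "$1" ] && { echo "${entry#*:}"; return 0; }
    done
    echo "unknown($1)"
}

# Interpreted report for one key, one line per event.
report() {
    who_touched "$1" | while read -r serial auid uid ok comm exe; do
        echo "event $serial: login=$(uid_to_name "$auid") acting_as=$(uid_to_name "$uid") success=$ok via $comm ($exe)"
    done
}

show_commands
report shadowfile
```

Run on a real server, the same fields appear in the output of ausearch -k shadowfile -i, with auid and uid already resolved to user names; the point to look at is auid, since uid=0 alone only tells you the change was made as root, not which login made it.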
Guys, please comment if you have any query or feedback.