Hi all, I´m studing the audit system to get my systems more controlled and I have found some usefull links http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html http://kbase.redhat.com/faq/docs/DOC-10108 and I have included this rule in the audit.rules: -w /etc/passwd -p rw -k passwd-file and now when I do cat /etc/passwd I get this #ausearch -ts today -k passwd-file time->Wed Jun 9 17:37:39 2010 type=PATH msg=audit(1276097859.672:788685): item=0 name="/etc/passwd" inode=1849171 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:file_t:s0 type=CWD msg=audit(1276097859.672:788685): cwd="/etc/audit" type=SYSCALL msg=audit(1276097859.672:788685): arch=40000003 syscall=5 success=yes exit=3 a0=bffe3b14 a1=8000 a2=0 a3=8000 items=1 ppid=19578 pid=28972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=20293 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file" and this is great but, what else can I do? Has RHEL 5 any tool to alert me wheh this event happens. (I know that there are tools like swatch, logwatch, fail2ban... but I want to know how a RHCE will do this task (you can´t install anything that it's not in the distro)) Greetings, ESG -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
