
I want to filter audit logs for changes made to the /etc/hosts file using ausearch (audit). I can see multiple entries for a single modify action on the file in ausearch, like syscall=chmod, syscall=open etc.

Please help me understand the exact filter required to confirm there is a change to the file or its attributes.

1 Answer

Have you placed a file watch for writes and attribute changes? As per
auditctl -a always,exit -F path=/etc/hosts -F perm=wa

With this you can see who has modified the file's attributes or has written to it.

To see what the change is requires some kind of file content monitoring capability.

BurnA
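The multiple entries the question describes are one audit event split across several records (a SYSCALL record, a CWD record and one PATH record per path item) that all share the same msg=audit(TIMESTAMP:SERIAL) stamp. To confirm a change you group records by that serial, keep only events whose SYSCALL record says success=yes, and require that /etc/hosts appears as the object of the call rather than as a PARENT directory item. The following is an added example, not part of the answer above or of the audit project: it assumes the watch rule was loaded with a key, `-k hosts_watch`, so the records carry key="hosts_watch", and it runs over a constructed audit.log sample, with an x86_64 syscall-number table that is also an assumption (use `ausyscall --dump` for your architecture).

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records (not a real capture). Event 501 is
# a successful write-open by vim, 502 a successful fchmodat, 503 a failed
# write-open by an unprivileged user. Rule key assumed: hosts_watch.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0000 a2=241 a3=1b6 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key="hosts_watch"
type=CWD msg=audit(1700000000.101:501): cwd="/root"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/hosts" inode=131141 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd0100 a2=1a0 a3=0 items=1 ppid=1000 pid=1002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chmod" exe="/usr/bin/chmod" key="hosts_watch"
type=CWD msg=audit(1700000000.202:502): cwd="/root"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/hosts" inode=131141 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0200 a2=241 a3=1b6 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=3 comm="sh" exe="/usr/bin/dash" key="hosts_watch"
type=CWD msg=audit(1700000000.303:503): cwd="/home/bob"
type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/hosts" inode=131141 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

STAMP_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers for calls a perm=wa watch commonly fires on
# (assumption: other architectures use different numbers).
SYSCALL_NAMES = {
    2: "open", 76: "truncate", 82: "rename", 87: "unlink", 90: "chmod",
    92: "chown", 188: "setxattr", 257: "openat", 260: "fchownat",
    263: "unlinkat", 264: "renameat", 268: "fchmodat", 316: "renameat2",
}
ATTR_SYSCALLS = {"chmod", "fchmodat", "chown", "fchownat", "setxattr"}


def parse_record(line):
    """Turn one raw audit record into a dict of its key=value fields."""
    m = STAMP_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_time"] = float(m.group(1))
    rec["_serial"] = int(m.group(2))
    return rec


def group_events(log_text):
    """Group records by audit serial: one event = SYSCALL + CWD + PATH records."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def confirmed_changes(log_text, path="/etc/hosts", key="hosts_watch"):
    """Return events that actually changed `path` or its attributes."""
    hits = []
    for serial, recs in sorted(group_events(log_text).items()):
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        # Only successful calls tagged with our rule key count as a change.
        if not sysc or sysc.get("key") != key or sysc.get("success") != "yes":
            continue
        # The file must be an object of the call; a PARENT item for /etc/ is not.
        if not any(r.get("type") == "PATH" and r.get("name") == path
                   and r.get("nametype") != "PARENT" for r in recs):
            continue
        name = SYSCALL_NAMES.get(int(sysc["syscall"]), sysc["syscall"])
        hits.append({
            "serial": serial, "time": sysc["_time"], "syscall": name,
            "kind": "attribute" if name in ATTR_SYSCALLS else "write",
            "auid": sysc.get("auid"), "uid": sysc.get("uid"),
            "exe": sysc.get("exe"),
        })
    return hits


if __name__ == "__main__":
    for hit in confirmed_changes(SAMPLE_LOG):
        print(hit)
```

On a live host the same filtering is available from ausearch itself: `ausearch -k hosts_watch --success yes -i` restricts output to successful events carrying the rule key and resolves syscall numbers and uids to names, and `ausearch -f /etc/hosts` selects by file name. Note that editors which save by writing a temporary file and renaming it over /etc/hosts show up as rename/renameat with the watched name in a CREATE or DELETE path item, which is why the check above excludes only PARENT items rather than requiring NORMAL.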