
I want to keep track of important system changes on GNU/Linux boxes, like disabling PaX, enabling traffic forwarding or ICMP redirects, changing the printk verbosity level and so on. In general, all these operations are based on changes to /proc/sys/kernel/* files, and I haven't found any method of auditing procfs so far. Maybe setting up a watch rule for 'write' syscalls with a /proc/sys/kernel/* value as the first argument (a0) would be a feasible approach... just wondering. However, there's no way of using wildcards in the a0-a3 -F parameters of auditd rules, so in the worst case I would have to create a separate rule for each important file in that directory. I'd appreciate any hints on this problem; thanks in advance.

overfail
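As an added example (not part of the original question or any answer to it), here is a small Python filter that reads audit.log records and reports every successful open/openat of a file under /proc/sys/ with a write access mode, together with the login uid, uid and program that did it. It assumes an x86_64 host (arch=c000003e) whose audit rules already log the open and openat syscalls; the sample records in the block are constructed for the example, not captured from a real host. It keys off the open rather than the write because write(2) receives a file descriptor in a0, never a path, whereas the PATH record of the open carries the filename that an a0 filter would need. The prefix check covers the whole /proc/sys tree, which is wider than the kernel/ subdirectory in the question; pass prefix='/proc/sys/kernel/' to narrow it.

```python
"""Report audit events that opened a sysctl file (under /proc/sys/) for writing.

Assumptions (not from the original post): an audit syscall rule on open/openat
is active, records are x86_64 (arch=c000003e), and SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# x86_64 syscall numbers and open(2) access-mode bits.
SYSCALL_OPEN = 2
SYSCALL_OPENAT = 257
O_ACCMODE = 0o3
O_WRONLY = 0o1
O_RDWR = 0o2

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# Constructed sample, five events: 101 and 103 open sysctl files for writing,
# 102 only reads one, 104 writes an unrelated file, 105 is a failed open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1385059200.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd1c0a2e40 a2=241 a3=1b6 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sysctl" exe="/sbin/sysctl"
type=CWD msg=audit(1385059200.101:101): cwd="/root"
type=PATH msg=audit(1385059200.101:101): item=0 name="/proc/sys/kernel/" inode=5002 dev=00:04 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1385059200.101:101): item=1 name="/proc/sys/kernel/printk" inode=5010 dev=00:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1385059200.202:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd1c0a2e40 a2=0 a3=0 items=1 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1385059200.202:102): item=0 name="/proc/sys/kernel/printk" inode=5010 dev=00:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1385059200.303:103): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c0a2f00 a1=241 a2=1b6 a3=0 items=2 ppid=2000 pid=2003 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/bin/dash"
type=PATH msg=audit(1385059200.303:103): item=0 name="/proc/sys/net/ipv4/" inode=6001 dev=00:04 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1385059200.303:103): item=1 name="/proc/sys/net/ipv4/ip_forward" inode=6010 dev=00:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1385059200.404:104): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd1c0a2e40 a2=241 a3=1b6 items=2 ppid=2000 pid=2004 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1385059200.404:104): item=0 name="/etc/" inode=20 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1385059200.404:104): item=1 name="/etc/motd" inode=21 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1385059200.505:105): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7ffd1c0a2e40 a2=241 a3=1b6 items=1 ppid=2000 pid=2005 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="sh" exe="/bin/dash"
type=PATH msg=audit(1385059200.505:105): item=0 name="/proc/sys/kernel/printk" inode=5010 dev=00:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Split one audit.log line into a dict of field -> value (quotes stripped)."""
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec['_ts'], rec['_serial'] = m.group(1), m.group(2)
    return rec


def group_events(lines):
    """Reassemble events: every record sharing a serial number belongs together."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if '_serial' in rec:
            events[rec['_serial']].append(rec)
    return events


def open_flags(syscall_rec):
    """Return the open(2) flags argument (hex in the record), or None if not open/openat."""
    nr = int(syscall_rec.get('syscall', -1))
    if nr == SYSCALL_OPEN:
        return int(syscall_rec['a1'], 16)   # open(path, flags, mode)
    if nr == SYSCALL_OPENAT:
        return int(syscall_rec['a2'], 16)   # openat(dirfd, path, flags, mode)
    return None


def sysctl_writes(lines, prefix='/proc/sys/'):
    """Return one dict per successful open-for-write of a file under prefix."""
    hits = []
    for serial, recs in group_events(lines).items():
        sc = next((r for r in recs if r.get('type') == 'SYSCALL'), None)
        if sc is None or sc.get('success') != 'yes':
            continue
        flags = open_flags(sc)
        if flags is None or (flags & O_ACCMODE) not in (O_WRONLY, O_RDWR):
            continue
        for r in recs:
            # PARENT entries name the directory; the file itself is NORMAL (or CREATE).
            if (r.get('type') == 'PATH' and r.get('nametype') != 'PARENT'
                    and r.get('name', '').startswith(prefix)):
                hits.append({'serial': serial, 'ts': sc['_ts'],
                             'auid': sc.get('auid'), 'uid': sc.get('uid'),
                             'comm': sc.get('comm'), 'exe': sc.get('exe'),
                             'path': r['name']})
    return hits


if __name__ == '__main__':
    for h in sysctl_writes(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} auid={h['auid']} uid={h['uid']} {h['comm']} ({h['exe']}) "
              f"opened {h['path']} for writing")
```

Run it against a real file with sysctl_writes(open('/var/log/audit/audit.log')); auid is the field to alert on, since it survives su and sudo while uid does not. The same post-filtering approach removes the need for one audit rule per sysctl file: a single open/openat rule plus this prefix match does the per-file selection in log processing instead of in the kernel rule set.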
