linux audit file changes


Questions about the Linux audit service auditd and systemctl restart

In the RHEL 7/CentOS 7 era, services are controlled by systemd by default, and the systemctl command handles starting and stopping them. But not all services can be fully controlled by systemctl, such as auditd, the subject here. After adding rules to audit.rules, the service has to be restarted for them to take effect, but running systemctl restart auditd reports the following error:
[Email protected]]# systemctl restart auditd
Failed to restart auditd.service: Operation refused, unit aud

[Technical exchange sharing] audit trail of unusual activities of Linux

started automatically. (The installation package creates a /var/account/pacct file on the system.) But on Red Hat/Fedora Core/CentOS, you need to start the psacct service manually. Create the /var/account/pacct file and start the psacct service by typing the following two commands:
# chkconfig psacct on
# /etc/init.d/psacct start
If you use SuSE

Analysis on the management and audit of Linux system account

1. Login account management: The management of login user accounts under Linux is achieved through the utmp and wtmp tools. wtmp also records system reboots and system state changes. All data related to utmp and wtmp is stored in the two files /var/run/utmp and /var/log/wtmp respectively. Both files are owned by the root user with access set to 644, and the data in these files is enc

User behavior audit under Linux system

The following was tested under RHEL 6.4.
1. Write the script command_history.sh, which creates the command history record file, with the following content:
#!/bin/bash
# Create the log directory and a per-day, append-only command log file.
mkdir -p /usr/lib/.cmdlog
cmdlog_file="/usr/lib/.cmdlog/cmdlog.$(date +%F)"
touch ${cmdlog_file}
chmod 666 ${cmdlog_file}
chattr +a ${cmdlog_file}
2. As the root user, set a crontab entry to run the command_history.sh script daily at 0:00.
3. Edit the /etc/profile

Built-in audit tracking tool in Linux: last Command

If you are a server administrator, you may know that you need to protect your server not only from the outside, but also from the inside. Linux has a built-in tool to view the users who last logged on to the server, which can help you protect the server. This command is last. It is very useful for tracking. Let's take a look at what last can do for you. What is the function of the last command? last displays all login (and logout) users created from the

Audit for rm commands on Linux systems

Audit for rm commands on Linux systems
[root@test ~]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# The Ru

Install AIDE service to audit Linux OS.

1. Install aide software.
[email protected] ~]# yum install aide -y
2. Modify aide configuration file.
Basic configurations:
# Define DB/log location.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# Define DB location and name.
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
# Compress aide DB.
gzip_dbout=yes
verbose=5
# Define generate report write to logs and print in screen.
Rep

Linux logs all user operations commands to facilitate post-audit

recorded, a user may still enter the log directory and delete or modify files, so it is necessary to upload these files to the log collection server in a timely manner, preferably with a background real-time monitoring process: when files under the directory change, directly trigger the synchronization operat

Linux Ops shared root account permissions Audit

Linux Ops shared root account permissions Audit
http://mp.weixin.qq.com/s?__biz=MzA3OTgyMDcwNg==mid=2650626177idx=1sn= 8269a9debb9da7bde1765bce284e8b6echksm= 87a45a4cb0d3d35ab1d3a8ee522ea01a527db6f287e2c63bf577f16e8b0131b28d7e0aa1c324mpshare=1scene=23 Srcid=110447eedck6iflsskqfmryo#rd
2016-11-04 Marco Linux operations
First, the application scenario: in small and medium enterprises, the company's different oper

Learn about changes and data access on file servers, and recommend using the NetWrix file server free change notification tool

early as possible and take appropriate precautions before these changes cause data corruption. The NetWrix File Server Change Notification tool allows you to easily implement the following features: One: Windows-based auditing of file servers; Two: Modification of files, folders, shared documents and permissions, deletio

Linux Ops shared root account permissions Audit

/ssh_key_fing
done
# If the user is root, the fingerprint in the secure file is validated against the PPID.
if [ $UID == 0 ]
then
ppid=$PPID
else
# If the user is not root, the fingerprint is validated against a different process number.
ppid=`/bin/ps -ef | grep $PPID | grep 'sshd:' | awk '{print $}'`
fi
# Get RSA_KEY and NAME_OF_KEY, used by bash 4.1 to get a history record.
RSA_KEY=`/bin/egrep 'Found matching RSA key' /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $NF}' | tail -1`
if [ -n "$R

Linux with different OPS personnel sharing root account Authority audit

/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[[emailprotected]~]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]
VI. Verification
6.1 Log in on CLIENT1 and delete files (Zhangsan)
6.2 Log in on CLIENT2, delete files, and execute a command to restart the service (LISI)
6

Linux Ops shared root account permissions Audit

In small and medium enterprises, the company's different operations and maintenance staff generally all log in to and manage servers with the root account, and there is no account permission audit system. When nothing goes wrong this is fine, but once something does, it is difficult to find the source. Here we look at how to use a compiled bash so that different clients logging in to the server as root have their operations logged, which can be combined with the ELK log analysis system to collect logging o

Linux Server--all user login Operation command Audit

We can view Linux user operation records with the history command, but if important data is deleted because someone made a mistake, the Linux history command is of little help. So how do we review Linux user operation records? Is there a way to record the operation history by login IP address and user name? Answer: Yes. The first

How to change character set support on Linux and fix garbled Chinese display so that CentOS displays Chinese

How Linux systems change the character set support. How to set the Chinese language on a Linux system is a problem many people run into when they start using Linux: when an echo command is entered in the terminal, Chinese text is displayed garbled. This situation typically occurs because the Chinese language pack is not installed, or the default language

Solaris Changes File system size

As system administrators, we often need to grow or shrink a file system. Dynamic Logical Volume Management (LVM) is a great help on mainstream UNIX operating systems and Linux. However, on Solaris systems that do not support LVM, this can only be done in a stupid way. Assuming a work scenario, I need to add a separate file system to the server's hard

From 2.4 to 2.6: the impact of changes in the Linux kernel's installable module mechanism on Device Drivers

version When the device driver needs to support different kernel versions at the same time, in the compilation phase, the kernel module needs to know the version of the currently used kernel source code to use the corresponding kernel API. In the 2.4 and 2.6 kernels, the source code header file linux/version.h is defined as follows: LINUX_VERSION_CODE: the binary representation of the kernel version. Each

From 2.4 to 2.6: the impact of changes in the Linux Kernel load module mechanism on Device Drivers

$(KDIR) M=$(PWD)" and "$(MAKE) -C $(KDIR) SUBDIRS=$(PWD)" are equivalent, and the latter is an old method of use. We recommend that you use M instead of SUBDIRS. The former is clearer. From the above comparison, we can see that when writing a Makefile for the 2.6 kernel, kernel module compilation does not need to define complicated CFLAGS, and the file dependencies in the module are concise and clear. Listing 4: Makefile that can work in both t

Permissions changes under Linux and directory configuration

characters; the complete file name, including the full path name and directory (/), is 4,096 characters. According to FHS's official documents, their main purpose is to let users know in which directory installed software is usually placed. FHS sets out four categories of directory features: shareable, unshareable, static and variable. The three main directory levels defined by FHS are: /, /var, /usr. There are five direc

PHP monitoring file changes and uploaded to the server

There's a train of thought lately. You want to monitor local file changes and upload to the specified server. I found a lot of information when I started thinking about it, about how to monitor file changes on Windows and Linux. Finally, a method for comparing MD5 values is selected. I wrote a paragraph, but it's quite sim
