- Lab
- A Cloud Guru
Working with the Audit Log
Understanding the popular Linux auditing system Auditd is important for being able to efficiently and effectively monitor IT systems. The Auditd package allows fine-tuned monitoring that is crucially important for security applications such as host intrusion detection. In this hands-on lab, we will create and use custom audit rules to monitor sensitive configuration files.
Path Info
Table of Contents
-
Challenge
Create audit rules to watch `/etc/passwd` for reads, `/etc/sudoers/` for reads and writes, and `/sbin/visudo` for executions.
Run the following commands:
auditctl -w /etc/passwd -p w -k userwatchauditctl -w /sbin/visudo -p x -k sudowatchauditctl -w /etc/sudoers -p rw -k sudowatch
-
Challenge
Generate an audit rule list in `/home/cloud_user/rules.txt`.
Run the command:
auditctl -l > /home/cloud_user/rules.txt -
Challenge
Generate logs by creating a new user and running the `visudo` command.
Run the following commands:
useradd bobvisudo
-
Challenge
Generate the `userwatch.txt` and `sudowatch.txt` reports in `/home/cloud_user` by using the established audit keys `userwatch` and `sudowatch`, respectively.
Run the following commands:
ausearch -k userwatch > /home/cloud_user/userwatch.txtausearch -k sudowatch > /home/cloud_user/sudowatch.txt
What's a lab?
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Provided environment for hands-on practice
We will provide the credentials and environment necessary for you to practice right within your browser.
Guided walkthrough
Follow along with the author’s guided walkthrough and build something new in your provided environment!
Did you know?
On average, you retain 75% more of your learning if you get time for practice.
