Beta Branch extend tools/auditd.sh to allow Centos 7 to use augenrules in 123.09b…

extend tools/auditd.sh to allow Centos 7 to use augenrules in 123.09beta01

allow CentOS 7 to use augenrules command like CentOS 6 so you can drop in separate auditd rules files into /etc/audit/rules.d/ with .rules extensions which will be merged with the default custom rules.

---

Continue reading...

123.09beta01 branch

• Branch: https://github.com/centminmod/centminmod/tree/123.09beta01
• Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01

 

Example to monitor Xenforo forum's library directory and below for write modifications just drop a custom rule into /etc/audit/rules.d/xf.rules file you create.

Add into /etc/audit/rules.d/xf.rules file the following rule

Code (Text):

-w /home/nginx/domains/domain.com/public/library -p wa -k xf-library-writemods

then run updaterules command

Code (Text):

./auditd.sh updaterules

Code (Text):

tools/auditd.sh updaterules

auditd rules list

...snipped...

-w /home/nginx/domains/domain.com/public/library/ -p wa -k xf-library-writemods

auditd rules updated

Using ausearch to filter on the key = xf-library-writemods

Code (Text):

ausearch -k xf-library-writemods
----
time->Mon Oct 10 00:54:09 2016
type=CONFIG_CHANGE msg=audit(1476060849.639:2492579): auid=0 ses=334255 op="add_rule" key="xf-library-writemods" list=4 res=1

here only entry is for the updaterules command itself adding the run to auditd op="add_rule"