A program for monitoring the system changes.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

A program for monitoring the system changes.

Post by hack3rcon » 2020/08/16 08:19:21

Hello,
How can I watch the configuration changes on CentOS 8?
For example, a user logged in to my system and I want to know which configuration he/she changed or which program he/she installed or removed.

Thank you.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: A program for monitoring the system changes.

Post by KernelOops » 2020/08/16 19:23:11

If they have root privileges, then it's pretty impossible to monitor what they are doing because the root user can hide things. In corporate environments, those who need root are usually forced to ssh as normal users and then change to root, so their login credentials can be recorded, but once they attain root, only a kernel module can track their progress.

For normal users, it's possible to monitor processes and file I/O; nothing can be hidden and it's easy to set limits (cpu/disk/net/etc).

If you are looking just for a file/directory integrity tool, take a look at AIDE. It is available in CentOS.
--
R.I.P. CentOS :cry:
--

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/16 20:34:19

Thank you.
Does "Audit" provide the same feature?
I ran a command like the one below:

$ sudo auditctl -w /etc/ssh/sshd_config -k sshconfigchange
But I want to see which part of the file changed!
How can I tune the Auditd service?
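The watch rule in the post above records that sshd_config was written (who, when, from which process), but audit never stores the file's contents, so it cannot by itself show "which part of the file changed"; AIDE likewise only reports that a hash no longer matches. The way to get the actual changed lines is to keep a baseline copy of the watched tree and diff the live files against it when an audit event fires. The script below is an added example for this thread, not code from the forum or from the audit project; the baseline location /var/lib/config-baseline and the sample sshd_config lines are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the forum thread): auditd's -w watch records *that*
# /etc/ssh/sshd_config was written, by whom and by which program, but never the
# file's contents. To answer "which part changed", keep a baseline copy of the
# watched tree and diff the live files against it when an audit event fires.
# Assumptions: POSIX sh with find/cmp/diff; the baseline directory used in the
# usage notes (/var/lib/config-baseline) is an arbitrary choice and must be
# root-only, or better, copied off-host, because a root intruder can edit it too.

# baseline_take WATCHED_DIR BASELINE_DIR
# Copies every regular file under WATCHED_DIR into BASELINE_DIR, keeping the
# absolute path layout (/etc/ssh/sshd_config -> BASELINE_DIR/etc/ssh/sshd_config).
baseline_take() {
    watched=$(cd "$1" && pwd) || return 2
    mkdir -p "$2" && base=$(cd "$2" && pwd) || return 2
    find "$watched" -type f | while IFS= read -r f; do
        mkdir -p "$base$(dirname "$f")"
        cp -p "$f" "$base$f"
    done
}

# baseline_diff WATCHED_DIR BASELINE_DIR
# Prints NEW/MODIFIED/DELETED lines plus a unified diff for each modified file.
# Exit status like diff(1): 0 when the tree matches the baseline, 1 when it differs.
baseline_diff() {
    watched=$(cd "$1" && pwd) || return 2
    base=$(cd "$2" && pwd) || return 2
    report=$(
        find "$watched" -type f | while IFS= read -r f; do
            if [ ! -f "$base$f" ]; then
                printf 'NEW: %s\n' "$f"
            elif ! cmp -s "$base$f" "$f"; then
                printf 'MODIFIED: %s\n' "$f"
                diff -u "$base$f" "$f" || :     # diff exits 1 on differences; that is expected
            fi
        done
        # Files that exist in the baseline but are gone from the live tree.
        find "$base$watched" -type f 2>/dev/null | while IFS= read -r f; do
            live=${f#"$base"}
            [ -f "$live" ] || printf 'DELETED: %s\n' "$live"
        done
        :   # make the substitution itself succeed regardless of the last loop
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Typical use on a CentOS 8 host (as root), alongside the audit rule from the post:
#   auditctl -w /etc/ssh/sshd_config -p wa -k sshconfigchange
#   baseline_take /etc/ssh /var/lib/config-baseline     # once, from a known-good state
#   ausearch -k sshconfigchange -i                      # later: who wrote the file, and when
#   baseline_diff /etc/ssh /var/lib/config-baseline     # what they changed, line by line
#   baseline_take /etc/ssh /var/lib/config-baseline     # accept the new state as the baseline
```

The audit record answers "who and when" (look at the auid, uid, exe and proctitle fields in the ausearch output); the diff answers "what". Run the diff before anyone re-takes the baseline, and keep the baseline somewhere a root user on the monitored host cannot quietly rewrite.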


hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 07:19:33

KernelOops wrote:
2020/08/16 19:23:11
If they have root privileges, then it's pretty impossible to monitor what they are doing because the root user can hide things. In corporate environments, those who need root are usually forced to ssh as normal users and then change to root, so their login credentials can be recorded, but once they attain root, only a kernel module can track their progress.

For normal users, it's possible to monitor processes and file I/O; nothing can be hidden and it's easy to set limits (cpu/disk/net/etc).

If you are looking just for a file/directory integrity tool, take a look at AIDE. It is available in CentOS.
To use "AIDE", must I disable the "auditd" service?
I guess the "auditd" service is disabled by default!!!

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: A program for monitoring the system changes.

Post by aks » 2020/08/23 07:33:59

To use "AIDE", must I disable the "auditd" service?
No.
I guess the "auditd" service is disabled by default!!!
Auditd is notoriously "slow". I don't think it's improved over the years, but I could be wrong.
I don't believe it is disabled by default (in CentOS).

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 07:48:28

aks wrote:
2020/08/23 07:33:59
To use "AIDE", must I disable the "auditd" service?
No.
I guess the "auditd" service is disabled by default!!!
Auditd is notoriously "slow". I don't think it's improved over the years, but I could be wrong.
I don't believe it is disabled by default (in CentOS).
If I disable it, can it cause any problem?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: A program for monitoring the system changes.

Post by aks » 2020/08/23 07:51:52

That depends on your local setup and requirements.
I wouldn't.

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: A program for monitoring the system changes.

Post by MartinR » 2020/08/23 10:38:07

auditd is enabled by default. However the default configuration file (in C8) is:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
Reading auditctl(8), this translates to:
  • Delete all existing rules
  • Set the number of backlog buffers to 8k
  • Generate error messages on daemon failure.
  • Hang the kernel for up to 1,000s if there are too many events queued.
One thing you'll notice is that there are no rules! The daemon runs happily doing no work and writing out no events. :o

To use the audit daemon you need to generate a ruleset; there are examples provided. Before doing this, read the Performance Tips section. Two points emerge:
  1. Use filesystem auditing in preference to system call auditing, it's much faster, and
  2. Avoid triggering multiple syscall rules, combine them if at all possible.
HTH.
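The two tips above, turned into a ruleset for the question that opened this thread (config edits and package installs/removals by a logged-in user), together with a small check for tip 2. This is an added example, not MartinR's code nor anything shipped with CentOS; it assumes an x86_64 CentOS 8 host (arch=b64, audit 3.x, which accepts auid!=unset and installs its sample rules under /usr/share/audit/sample-rules/), and the file name 50-config-changes.rules is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the forum thread): an auditd ruleset built along the
# two performance tips (filesystem watches first, syscall rules combined), plus
# a checker that flags syscall rules which could still be merged.
# Assumptions: x86_64 CentOS 8 (arch=b64), audit 3.x (auid!=unset is accepted),
# rules file name 50-config-changes.rules chosen arbitrarily.

AUDIT_RULES='## Tip 1: filesystem watches for the things a user is likely to change
-w /etc/ssh/sshd_config -p wa -k sshconfigchange
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/audit/ -p wa -k auditconfig
## Package installs/removals: watch the rpm database and dnf log instead of auditing every execve
-w /var/lib/rpm/ -p wa -k packages
-w /var/log/dnf.rpm.log -p wa -k packages
## Tip 2: one combined syscall rule for commands run as root by a logged-in user
-a always,exit -F arch=b64 -S execve,execveat -F euid=0 -F auid>=1000 -F auid!=unset -k rootcmds
'

# mergeable_syscall_rules RULES_TEXT
# Prints every -a syscall rule whose action and -F filters exactly match an
# earlier rule (only -S and -k differ). Such pairs can be folded into one rule
# with a comma-separated -S list, so each syscall is matched once, not per rule.
# Exit status 0 when at least one mergeable pair is found, 1 when none.
mergeable_syscall_rules() {
    printf '%s\n' "$1" | awk '
        /^-a / {
            key = ""; sys = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-S") { sys = $(i + 1); i++; continue }
                if ($i == "-k") { i++; continue }
                key = key " " $i
            }
            if (key in seen) { printf "mergeable:%s -S %s,%s\n", key, seen[key], sys; found++ }
            else seen[key] = sys
        }
        END { exit (found > 0 ? 0 : 1) }'
}

# install_rules [RULES_DIR]
# Refuses a ruleset that breaks tip 2, writes it under rules.d and loads it.
# Requires root; augenrules regenerates /etc/audit/audit.rules from rules.d.
install_rules() {
    dir=${1:-/etc/audit/rules.d}
    mergeable_syscall_rules "$AUDIT_RULES" && return 1
    printf '%s' "$AUDIT_RULES" > "$dir/50-config-changes.rules"
    augenrules --load && auditctl -l
}

# After loading:
#   ausearch -k sshconfigchange -i      # edits to sshd_config, with auid/uid/exe/proctitle
#   ausearch -k packages -i             # rpm/dnf activity
#   ausearch -k rootcmds -i             # every command executed as root by a real user
```

Two caveats that follow from the earlier replies in this thread: a root user can simply run auditctl -D or edit /etc/audit/rules.d, so add a final line `-e 2` to make the configuration immutable until reboot (any later change then shows up as a reboot, which is itself worth an alert); and the watches tell you that a file was written, not what changed, so pair them with an integrity baseline (AIDE, or a kept copy you can diff).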

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 11:12:28

MartinR wrote:
2020/08/23 10:38:07
auditd is enabled by default. However the default configuration file (in C8) is:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
Reading auditctl(8), this translates to:
  • Delete all existing rules
  • Set the number of backlog buffers to 8k
  • Generate error messages on daemon failure.
  • Hang the kernel for up to 1,000s if there are too many events queued.
One thing you'll notice is that there are no rules! The daemon runs happily doing no work and writing out no events. :o

To use the audit daemon you need to generate a ruleset; there are examples provided. Before doing this, read the Performance Tips section. Two points emerge:
  1. Use filesystem auditing in preference to system call auditing, it's much faster, and
  2. Avoid triggering multiple syscall rules, combine them if at all possible.
HTH.
Does Auditd have any conflict with AIDE if both of them are running?
