A program for monitoring the system changes.
Hello,
How can I watch the configuration changes on CentOS 8?
For example, a user logged in to my system and I want to know which configuration he/she changed or which program was installed or removed.
Thank you.
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: A program for monitoring the system changes.
If they have root privileges, then it's pretty impossible to monitor what they are doing because the root user can hide things. In corporate environments, those who need root are usually forced to ssh as normal users and then change to root, so their login credentials can be recorded, but once they attain root, only a kernel module can track their progress.
For normal users, it's possible to monitor processes and file I/O, nothing can be hidden and it's easy to set limits (CPU/disk/net/etc).
If you are looking just for a file/directory integrity tool, take a look at AIDE. It is available in CentOS.
--
R.I.P. CentOS
Re: A program for monitoring the system changes.
Thank you.
Does "Audit" provide the same feature?
I did a command like below:
    $ sudo auditctl -w /etc/ssh/sshd_config -k sshconfigchange
But I want to see which part of the file changed!
How can I tune the Auditd service?
Re: A program for monitoring the system changes.
KernelOops wrote: ↑2020/08/16 19:23:11
> If they have root privileges, then it's pretty impossible to monitor what they are doing because the root user can hide things. In corporate environments, those who need root are usually forced to ssh as normal users and then change to root, so their login credentials can be recorded, but once they attain root, only a kernel module can track their progress.
> For normal users, it's possible to monitor processes and file I/O, nothing can be hidden and it's easy to set limits (CPU/disk/net/etc).
> If you are looking just for a file/directory integrity tool, take a look at AIDE. It is available in CentOS.
To use "AIDE", must I disable the "auditd" service?
I guess the "auditd" service is disabled by default!!!
Re: A program for monitoring the system changes.
> To use "AIDE", must I disable the "auditd" service?
No.
Auditd is notoriously "slow". I don't think it's improved over the years, but I could be wrong.
> I guess the "auditd" service is disabled by default!!!
I don't believe it is disabled by default (in CentOS).
Re: A program for monitoring the system changes.
If I disable it, can it cause any problem?
Re: A program for monitoring the system changes.
That depends on your local setup and requirements.
I wouldn't.
Re: A program for monitoring the system changes.
auditd is enabled by default. However the default configuration file (in C8) is:
    ## This file is automatically generated from /etc/audit/rules.d
    -D
    -b 8192
    -f 1
    --backlog_wait_time 60000
One thing you'll notice is that there are no rules! The daemon runs happily doing no work and writing out no events.
Reading auditctl(8) this translates to:
- Delete all existing rules
- Set the number of backlog buffers to 8k
- Generate error messages on daemon failure.
- Hang the kernel for up to 1,000s if there are too many events queued.
To use the audit daemon you need to generate a ruleset, there are examples provided. Before doing this, read the Performance Tips section. Two points emerge:
- Use filesystem auditing in preference to system call auditing, it's much faster, and
- Avoid triggering multiple syscall rules, combine them if at all possible.
HTH.
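Putting the two posts together, as an added example that is neither the thread's nor the audit project's code: the rules fragment follows the Performance Tips MartinR cites (watches rather than syscall rules, one combined syscall rule), and the parser shows what the OP's `-w /etc/ssh/sshd_config -k sshconfigchange` watch actually yields from the raw log, namely who touched the file and with which program, not which lines changed. The log records and the paths other than /etc/ssh/sshd_config are constructed; `example_rules`, `sample_log` and `report_changes` are the example's own names.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): an audit rules
# fragment written along the Performance Tips quoted above, plus a parser
# for the records such a watch produces. A watch logs the access (login
# uid, program, syscall), not a content diff; AIDE tells you the file changed.

# Drop-in for /etc/audit/rules.d/ (augenrules merges it into audit.rules).
# -w watches are preferred over syscall rules; the single -a rule combines
# several syscalls instead of one rule per syscall.
example_rules() {
cat <<'EOF'
-w /etc/ssh/sshd_config -p wa -k sshconfigchange
-w /etc/sudoers -p wa -k sudoers_change
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/dnf -p x -k software_mgmt
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
EOF
}

# Constructed sample of raw records as written to /var/log/audit/audit.log.
# auid is the login uid (4294967295 = unset, e.g. a daemon); only records
# carrying the rule's key belong to the watch.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1597600000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="sshconfigchange"
type=PATH msg=audit(1597600000.123:456): item=1 name="/etc/ssh/sshd_config" inode=1234 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1597600100.500:470): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1597600200.001:480): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=2000 pid=2001 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=5 comm="sed" exe="/usr/bin/sed" key="sshconfigchange"
EOF
}

# Read raw audit records on stdin; for each SYSCALL record tagged with the
# given key, print the login uid, the program and the syscall number.
# On a real system: report_changes sshconfigchange < /var/log/audit/audit.log
report_changes() {
  awk -v key="key=\"$1\"" '
    /^type=SYSCALL / && index($0, key) {
      auid = comm = sc = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "auid") auid = kv[2]
        else if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "syscall") sc = kv[2]
      }
      gsub(/"/, "", comm)
      print "auid=" auid " comm=" comm " syscall=" sc
    }'
}

sample_log | report_changes sshconfigchange
```

The sshd record is skipped because it carries no key, so the report names only the two interactive edits (auid 1000 via vim, auid 1001 via sed); the unset auid on a daemon is why the `-F auid!=unset` filter appears in the combined rule.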
Re: A program for monitoring the system changes.
MartinR wrote: ↑2020/08/23 10:38:07
> auditd is enabled by default. However the default configuration file (in C8) is:
>     ## This file is automatically generated from /etc/audit/rules.d
>     -D
>     -b 8192
>     -f 1
>     --backlog_wait_time 60000
> One thing you'll notice is that there are no rules! The daemon runs happily doing no work and writing out no events.
> Reading auditctl(8) this translates to:
> - Delete all existing rules
> - Set the number of backlog buffers to 8k
> - Generate error messages on daemon failure.
> - Hang the kernel for up to 1,000s if there are too many events queued.
> To use the audit daemon you need to generate a ruleset, there are examples provided. Before doing this, read the Performance Tips section. Two points emerge:
> - Use filesystem auditing in preference to system call auditing, it's much faster, and
> - Avoid triggering multiple syscall rules, combine them if at all possible.
> HTH.
Does Auditd have any conflict with AIDE if both of them are running?