Auditing Linux


Configure auditing


Install auditd on your machine if it is not installed yet. To find out whether auditd is installed, follow these steps:


1. Open the terminal

2. Go to the installation directory of the agent (e.g. /home/.../.../bin)

3. Execute this command: ./audit_manager check


If there is no output, then you do not have to install auditd. However, if the output says "Please install auditd", you have to install auditd.


Examples for installing auditd:

sudo apt-get install auditd    (Debian/Ubuntu)

yum install auditd             (RHEL/CentOS)



Configure file auditing


Adding a directory to audit:

1. Open the terminal

2. Go to the installation directory of the agent (e.g. /home/.../.../bin)

3. Execute this command: ./audit_manager add <full path of directory surrounded by quotes>

Example:

./audit_manager add "/home/username/Documents/"

Deleting a directory from audit:

1. Open the terminal

2. Go to the installation directory of the agent (e.g. /home/.../.../bin)

3. Execute this command: ./audit_manager delete <full path of directory surrounded by quotes>

Example:

./audit_manager delete "/home/username/Documents/"

List audit rules:

1. Open the terminal

2. Go to the installation directory of the agent (e.g. /home/.../.../bin)

3. Execute this command: ./audit_manager list
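The following script is an added example and is not the agent's own audit_manager code: it shows what the check, add, delete and list sub-commands described above amount to when expressed directly with auditctl, the command-line front end of the auditd package. Everything beyond the page is an assumption: the watch is set for write and attribute-change permissions (-p wa), every rule is tagged with the constructed key "agent_watch" so events can later be found with ausearch -k agent_watch, and add, delete and list must run as root.

```shell
#!/bin/sh
# Added example (not the agent's audit_manager): a minimal shell equivalent of
# its check / add / delete / list sub-commands, built on auditctl.
# Assumptions: auditctl is on PATH (auditd package), add/delete/list run as
# root, and the rule key "agent_watch" is a constructed label.

# check: succeed silently when auditctl is available, otherwise print the
# same hint the agent prints and fail.
audit_check() {
    if command -v auditctl >/dev/null 2>&1; then
        return 0
    fi
    echo "Please install auditd"
    return 1
}

# Build the auditctl arguments for a directory watch without applying them,
# so the rule can be inspected or asserted on before it is loaded.
#   -w  path to watch (a directory watch covers the files inside it)
#   -p  wa = writes and attribute changes (ownership, mode, timestamps)
#   -k  key used to find the events again with: ausearch -k agent_watch
audit_rule_args() {
    dir=$1
    case "$dir" in
        /*) ;;
        *)  echo "directory must be an absolute path: $dir" >&2; return 1 ;;
    esac
    printf -- '-w %s -p wa -k agent_watch' "$dir"
}

# add: load a watch rule for the directory into the running audit system.
audit_add() {
    args=$(audit_rule_args "$1") || return 1
    # shellcheck disable=SC2086  # intentional word splitting of the args
    auditctl $args
}

# delete: remove the watch; -W must repeat the path, permissions and key
# exactly as they were inserted.
audit_delete() {
    audit_rule_args "$1" >/dev/null || return 1
    auditctl -W "$1" -p wa -k agent_watch
}

# list: print the rules currently loaded in the kernel.
audit_list() {
    auditctl -l
}

# Dispatcher mirroring the agent's sub-command names.
# Usage: audit_main check | add "/abs/dir/" | delete "/abs/dir/" | list
audit_main() {
    case "$1" in
        check)  audit_check ;;
        add)    audit_add "$2" ;;
        delete) audit_delete "$2" ;;
        list)   audit_list ;;
        *)      echo "usage: $0 check|add <dir>|delete <dir>|list" >&2; return 2 ;;
    esac
}
```

To use it as a stand-alone tool, append the line audit_main "$@" to the end of the file and run it like the agent's script, for example ./audit.sh add "/home/username/Documents/". Rules loaded with auditctl are lost at reboot; the agent presumably persists them for you, whereas with this script you would also have to write the same rule into the auditd rules file.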