auditd packages on Debian/Ubuntu etc.
apt install auditd audispd-plugins
Then start the service if necessary:
systemctl start auditd
You can now create audit rules for files you want to inspect based on a set of rules.
auditctl -w /etc/hosts -p war -k hosts-file
wis the path to the file to watch
pis permissions filter (write, append, read)
kis a key to uniquely identify the audit records produced by the watch
Check that your rule is listed:
$ auditctl -l
-w /etc/hosts -p rwa -k hosts-file
Now we just have to wait for
auditctl to log some events!
As we used a filter key for our rule (
hosts-file) it is easy to search for event with the following command:
ausearch -ts today -k hosts-file