Install the auditd packages on Debian/Ubuntu etc.:

```
apt install auditd audispd-plugins
```

Then start the service if necessary:

```
systemctl start auditd
```

You can now create audit rules for files you want to inspect based on a set of rules.
```
auditctl -w /etc/hosts -p war -k hosts-file
```

Where…

- `-w` is the path to the file to watch
- `-p` is the permissions filter, given as a string of permission letters (here `war`: write, append, read)
- `-k` is a key that uniquely identifies the audit records produced by the watch
Check that your rule is listed:

```
$ auditctl -l
-w /etc/hosts -p rwa -k hosts-file
```
Now we just have to wait for auditctl to log some events!

As we used a filter key for our rule (`hosts-file`), it is easy to search for events with the following command:

```
ausearch -ts today -k hosts-file
```
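The steps above as one POSIX shell script, added here as an example that is not part of the original post: it builds the watch rule line, checks `auditctl -l` output for the loaded rule, and summarises the `SYSCALL` records carrying our key from `/var/log/audit/audit.log`-style lines, which is what `ausearch -k` searches through. The `auditctl -l` listing and the audit log lines are constructed samples embedded in the script so it runs offline; the rules file name `/etc/audit/rules.d/hosts-file.rules` mentioned in the comment is our own choice.

```shell
#!/bin/sh
# Added example, not from the original page. Builds an auditd watch rule, verifies it
# against `auditctl -l` output and summarises matching records from audit.log lines.

# build_watch_rule PATH PERMS KEY -> prints one rule line in auditctl / audit.rules syntax
build_watch_rule() {
    printf '%s %s -p %s -k %s\n' "-w" "$1" "$2" "$3"
}

# rule_loaded KEY PATH LISTING -> 0 if LISTING (output of `auditctl -l`) has a -w rule
# for PATH tagged with KEY, else 1. auditctl prints permissions in its own order (rwa),
# so we match on path and key rather than on the letters we typed.
rule_loaded() {
    key=$1; path=$2; listing=$3
    printf '%s\n' "$listing" | grep -q "^-w ${path} .*-k ${key}\$"
}

# key_events KEY: read audit.log lines on stdin, print one summary line per SYSCALL
# record tagged key="KEY" (timestamp:serial, login uid, effective uid, command, binary).
# PATH/CWD records share the serial with their SYSCALL record, so counting SYSCALL
# records counts events, not lines.
key_events() {
    awk -v key="$1" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            ts = $2; sub(/^msg=audit\(/, "", ts); sub(/\):$/, "", ts)
            auid = ""; uid = ""; comm = ""; exe = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
            }
            print ts, "auid=" auid, "uid=" uid, "comm=" comm, "exe=" exe
        }'
}

# count_key_events KEY: number of SYSCALL records on stdin tagged with KEY
count_key_events() {
    key_events "$1" | wc -l | tr -d ' '
}

# Constructed sample of `auditctl -l` output (the first line is the one from the post).
SAMPLE_LISTING='-w /etc/hosts -p rwa -k hosts-file
-w /etc/passwd -p wa -k passwd-file'

# Constructed sample audit.log lines: two accesses to /etc/hosts (one by root via vim,
# one by uid 1000 via cat) and one unrelated record tagged with another key.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="hosts-file"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/hosts" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2000 pid=2010 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd-file"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2000 pid=2011 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="hosts-file"'

main() {
    rule=$(build_watch_rule /etc/hosts war hosts-file)
    echo "rule: $rule"
    # To make the watch survive a reboot, write it to a rules file and reload, e.g.:
    #   printf '%s\n' "$rule" > /etc/audit/rules.d/hosts-file.rules && augenrules --load
    if rule_loaded hosts-file /etc/hosts "$SAMPLE_LISTING"; then
        echo "watch on /etc/hosts (key hosts-file) is loaded"
    fi
    echo "events tagged hosts-file:"
    printf '%s\n' "$SAMPLE_LOG" | key_events hosts-file
}

main
```

On a live system, replace `SAMPLE_LISTING` with `$(auditctl -l)` and feed `key_events` from `/var/log/audit/audit.log` (or from `ausearch -k hosts-file --raw`); the `auid` field is the login uid, which is what tells you which person edited the file even when the command ran as root via `sudo`.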