Audit

kk1001 · 04-14-2011, 12:41 PM

Hi to all,
how should i know who has accessed /var/log folder except root. If anyone has tried to access any log files where will be the error message generated. As a admin, where should we can check. I also want to know who has modified what file on a daily basis.

Thanks
kk

unSpawn · 04-14-2011, 04:39 PM

Quote:

Originally Posted by kk1001

how should i know who has accessed /var/log folder except root. If anyone has tried to access any log files where will be the error message generated.

MAC works on top of DAC so if the DAC doesn't allow it then the MAC doesn't need to be queried and doesn't need to generate any rejects. And if there's no audit rules specified then they won't be triggered.

Quote:

Originally Posted by kk1001

I also want to know who has modified what file on a daily basis.

Without any details I'd say a combination of a logging shell (Rootsh), Auditd rules (or LoggedFS?), remote syslog.