Linux audit files to see who made changes to a file

Posted by nixcraft on Mar 20, 2007 9:28 PM EDT
nixCraft

This is one of the key questions new admins ask: How do I audit file events such as reads and writes? How can I use audit to see who changed a file in Linux?

The answer is to use the 2.6 kernel's audit system. Modern Linux kernels (2.6.x) come with the auditd daemon, which is responsible for writing audit records to disk. During startup, the daemon reads the rules in /etc/audit.rules. You can open /etc/audit.rules and make changes such as setting the audit log file location and other options. The default file is good enough to get started with auditd.
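
To show how the records auditd writes answer the "who changed this file" question, here is an added example (not code from the original article) that groups audit records by event serial and reports who touched a given path. The log lines, key names and IDs are constructed samples in the auditd record format; `auid` is the login UID, which stays the same across su or sudo.

```python
import re
from collections import defaultdict

# Constructed sample records in the auditd log format (not from a real system).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1174426110.123:421): arch=c000003e syscall=2 success=yes exit=3 ppid=2100 pid=2150 auid=1000 uid=0 gid=0 comm="vi" exe="/usr/bin/vim" key="passwd-watch"
type=CWD msg=audit(1174426110.123:421): cwd="/root"
type=PATH msg=audit(1174426110.123:421): item=0 name="/etc/passwd" inode=409248 dev=08:01 mode=0100644
type=SYSCALL msg=audit(1174426175.500:430): arch=c000003e syscall=2 success=no exit=-13 ppid=2300 pid=2311 auid=1001 uid=1001 gid=1001 comm="cat" exe="/bin/cat" key="shadow-watch"
type=PATH msg=audit(1174426175.500:430): item=0 name="/etc/shadow" inode=409250 dev=08:01 mode=0100400
type=SYSCALL msg=audit(1174426201.042:437): arch=c000003e syscall=90 success=yes exit=0 ppid=1 pid=912 auid=4294967295 uid=0 gid=0 comm="chmod" exe="/bin/chmod" key="passwd-watch"
type=PATH msg=audit(1174426201.042:437): item=0 name="/etc/passwd" inode=409248 dev=08:01 mode=0100644
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login session, e.g. a daemon

def parse_events(text):
    """Group records into events keyed by the serial in msg=audit(time:serial)."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = int(epoch)
        if rtype == "SYSCALL":
            ev.update(fields)  # who (auid/uid), what (exe), outcome (success)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return events

def who_touched(text, path):
    """Return (serial, auid, uid, exe, success) for each event naming `path`."""
    rows = []
    for serial, ev in sorted(parse_events(text).items()):
        if path in ev["paths"]:
            auid = "unset" if ev.get("auid") == UNSET_AUID else ev.get("auid")
            rows.append((serial, auid, ev.get("uid"), ev.get("exe"), ev.get("success")))
    return rows

if __name__ == "__main__":
    for row in who_touched(SAMPLE_LOG, "/etc/passwd"):
        print(row)
```

In the first sample event the effective `uid` is 0 while `auid` is 1000, which is the case where the login UID identifies the person behind a root action.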
