Friday, 22 March 2013

AUDITD CONFIGURATION TO MONITOR ADDITION AND DELETION IN /VAR/WWW

Install auditd to monitor addition and deletion in /var/www
#To install auditd in ubuntu
apt-get install auditd

nano /etc/audit/audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
-a exit,always -S setrlimit.*
-w /var/www -p wa
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa

# Disable adding any additional rules - note that adding *new* rules will require a reboot
-e 2


Reboot the System and it will be working fine

To search addition or deletion activity on /var/www
ausearch -f /var/www

No comments:

Post a Comment