Linux: monitoring which process modified a file
source link: https://fann.im/blog/2015/11/19/linux-audit-file-change/
Nov 19, 2015
Install: apt-get install auditd

The package provides four tools:
auditd: the background daemon that records audit events
auditctl: configures the audit rules
ausearch: searches the recorded events
aureport: generates reports from the recorded events
For example, to find out whether /root/.ssh/authorized_keys has been modified, and by what:

auditctl -w /root/.ssh/authorized_keys -p war -k auth_key

-w: the file to watch
-p: the operations to watch. The letters are r (read), w (write), x (execute) and a (attribute change, such as chmod or chown); "war" therefore records writes, attribute changes and reads of the file
-k: a key (name) for this rule, so its records can be filtered later

Rules added with auditctl are lost on reboot; to make the rule permanent, put the same rule line (without the auditctl word) in /etc/audit/audit.rules, or in /etc/audit/rules.d/ on newer versions.

To view the modification records: ausearch -i -k auth_key (the -i flag turns numeric fields such as uid and syscall number into names, so you see the user and the command rather than raw numbers). To generate a report: aureport (for example aureport -k for a per-key summary).