sunhux
asked on
ways to be notified when Solaris files' contents are being changed
I'm looking for ways (most likely auditctl or audit) to monitor Solaris files
(/etc/group, sudoers, root's cron.*) & if possible email out a notification
once content of the file(s) is modified.
Will need exact/detailed steps.
I'm on Solaris 10 x86.
File integrity monitoring tools (like Tripwire) are not an
option as we just want to use built-in Solaris tools
ASKER CERTIFIED SOLUTION
ASKER
Can I say that by default, auditing of changes to these files is not
enabled in Solaris 10?
Also, for RHEL6, auditctl (to monitor these few files: sudoers,
group, privileged crons) is not enabled by default?
SOLUTION
ASKER
Bear with me, haven't digested the oracle & redhat links:
What does 'lo' & 1002, 1000 mean?
# auditconfig -setflags lo,+fw
user default audit flags = lo,+fw(0x1002,0x1000)
Do the 2 lines below mean to watch for changes to the file /etc/hosts ?
-w /etc/hosts -p a -k monitor-hosts
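The flag spec in the asker's auditconfig line, decoded as an added example that is not from the thread or its hidden answers: a POSIX sh function that turns a -setflags spec into the (success, failure) audit class masks. It assumes the class bit values of the Solaris 10 /etc/security/audit_class file, where lo is "login or logout" (0x1000) and fw is "file write" (0x2), and that a leading + selects successful events only, which is why lo,+fw yields 0x1002 for successes and 0x1000 for failures.

```shell
#!/bin/sh
# Decoder for the mask pair auditconfig prints after -setflags, e.g.
# "lo,+fw(0x1002,0x1000)".  Constructed example; on Solaris 10 run it with
# /usr/bin/ksh, since the old /bin/sh there lacks $(( )) arithmetic.

# Class name -> bit, as listed in Solaris 10 /etc/security/audit_class
# (values assumed from that file; verify against your own copy).
class_bit() {
    case "$1" in
        fr) echo 1 ;;            # file read
        fw) echo 2 ;;            # file write
        fa) echo 4 ;;            # file attribute access
        fm) echo 8 ;;            # file attribute modify
        fc) echo 16 ;;           # file create
        fd) echo 32 ;;           # file delete
        pc) echo 128 ;;          # process
        ad) echo 2048 ;;         # administrative
        lo) echo 4096 ;;         # login or logout
        ua) echo 262144 ;;       # user administration
        ex) echo 1073741824 ;;   # exec
        *)  return 1 ;;
    esac
}

# audit_masks 'lo,+fw' prints "0x1002,0x1000": success mask, failure mask.
# Per class token: no prefix = audit successes and failures, + = successes
# only, - = failures only; a leading ^ removes the class instead of adding it.
audit_masks() {
    succ=0; fail=0
    set -- $(printf '%s' "$1" | tr ',' ' ')
    for tok in "$@"; do
        remove=0; mode=both
        case "$tok" in ^*) remove=1; tok=${tok#^} ;; esac
        case "$tok" in
            +*) mode=succ; tok=${tok#+} ;;
            -*) mode=fail; tok=${tok#-} ;;
        esac
        bit=$(class_bit "$tok") || { echo "unknown audit class: $tok" >&2; return 1; }
        if [ "$remove" -eq 0 ]; then
            case $mode in both|succ) succ=$(( succ | bit )) ;; esac
            case $mode in both|fail) fail=$(( fail | bit )) ;; esac
        else
            case $mode in both|succ) succ=$(( succ & ~bit )) ;; esac
            case $mode in both|fail) fail=$(( fail & ~bit )) ;; esac
        fi
    done
    printf '0x%x,0x%x\n' "$succ" "$fail"
}
audit_masks 'lo,+fw'    # prints 0x1002,0x1000, matching the asker's output
```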
SOLUTION
ASKER
be enabled to be sent to SIEM due to an incident where a staff
elevated his privilege (adding to group/sudoers), bypassing PAM.
Privileged commands (usermod, adduser) could be inserted to
root's cron.daily/.weekly/.monthl
I'm exploring these