sunhux asked:

ways to be notified when Solaris files' contents are being changed

I'm looking for ways (most likely auditctl or audit) to monitor Solaris files
(/etc/group, sudoers, root's cron.*) and, if possible, email out a notification
once the content of the file(s) is modified.

Will need exact/detailed steps.

I'm on Solaris 10 x86.

File integrity monitoring tools (like Tripwire) are not an
option as we just want to use built-in Solaris tools.
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
sunhux

ASKER

We are going for a simple SolarWinds SIEM: the audit needs to
be enabled and sent to the SIEM due to an incident where a staff
member elevated his privilege (adding to group/sudoers), bypassing PAM.

Privileged commands (usermod, adduser) could be inserted into
root's cron.daily/.weekly/.monthly as well, so in the interim
I'm exploring these.
sunhux

ASKER

Can I say that by default, auditing of changes to these files is not
enabled in Solaris 10?

Also, for RHEL6, auditctl (to monitor these few files: sudoers,
group, privileged crons) is not enabled by default?
SOLUTION
This solution is only available to members.
sunhux

ASKER

Bear with me, I haven't digested the Oracle & Red Hat links:

What do 'lo' & 1002, 1000 mean?
# auditconfig -setflags lo,+fw
user default audit flags = lo,+fw(0x1002,0x1000)

Do the 2 lines below mean to watch for changes to the file /etc/hosts?
-w /etc/hosts -p a -k monitor-hosts
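An added example (not from the thread or its members-only answers) for the Linux side of the last question: the "-w PATH -p PERMS -k KEY" rule form as it appears in /etc/audit/audit.rules, applied to the files named in the question, plus a small parser that turns the audit records such rules produce into one notification line per change. Key names, paths and the audit records are constructed for the demonstration; on Solaris 10 the equivalent tooling is auditconfig/praudit, not auditctl.

```shell
#!/bin/sh
# Added example, not from the thread: Linux auditd watch rules for the files the
# question names, plus a parser that turns matching audit records into one
# notification line per change. Key names, paths and the sample records below
# are constructed for this demonstration.

# Rule syntax as used in /etc/audit/audit.rules (RHEL 6) or on the auditctl
# command line: -w = watch path, -p wa = write + attribute changes (the thread's
# "-p a" covers attribute changes only), -k = tag that later lets you pull the
# records with "ausearch -k priv-files".
audit_rules() {
    cat <<'EOF'
-w /etc/sudoers -p wa -k priv-files
-w /etc/group -p wa -k priv-files
-w /var/spool/cron/root -p wa -k priv-files
-w /etc/cron.daily -p wa -k priv-files
EOF
}

# Constructed audit.log excerpt: event 501 is a write to /etc/group by login
# uid 1000 (auid survives "sudo", which is why it is the field to alert on);
# event 502 is an unrelated read that carries no key and must not be reported.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="priv-files"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/group" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.456:502): item=0 name="/etc/hosts" inode=99 nametype=NORMAL'

# Print "<epoch> auid=<n> exe=<path> file=<path>" for each successful syscall
# record tagged with key $1, joining its PATH record(s) on the event serial.
report_changes() {  # $1 = audit key; audit.log text on stdin
    awk -v key="$1" '
      { gsub(/"/, ""); serial = $2; sub(/^msg=audit\(/, "", serial); sub(/\):$/, "", serial) }
      $1 == "type=SYSCALL" && /success=yes/ {
          for (i = 1; i <= NF; i++) {
              if ($i == ("key=" key)) hit[serial] = 1
              if ($i ~ /^auid=/) who[serial] = $i
              if ($i ~ /^exe=/) exe[serial] = $i
          }
          if (serial in hit) { split(serial, t, ":"); when[serial] = t[1] }
      }
      $1 == "type=PATH" && (serial in hit) && !/nametype=PARENT/ {
          for (i = 1; i <= NF; i++)
              if ($i ~ /^name=/) printf "%s %s %s file=%s\n", when[serial], who[serial], exe[serial], substr($i, 6)
      }'
}

# Typical use: feed "ausearch -k priv-files --raw" (or a tail of audit.log) into
# report_changes and mail whatever it prints, e.g.:
#   printf '%s\n' "$SAMPLE_LOG" | report_changes priv-files
```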
SOLUTION
This solution is only available to members.