Which process modified a monitored file on Linux (auditd)
- 2020-05-14 05:51:36
- OfStack
Installation: apt-get install auditd.
1. auditd is the background daemon that records the monitored events
2. auditctl is the tool for configuring rules
3. ausearch searches and displays the recorded events
4. aureport generates reports from the recorded events
For example, to monitor whether the file /root/.ssh/authorized_keys has been modified:
auditctl -w /root/.ssh/authorized_keys -p war -k auth_key
- -w specifies the file to monitor
- -p specifies the operation types to monitor, any of a (attribute change), w (write), r (read), x (execute)
- -k gives the monitoring rule a name, so its events can be filtered when searching
To view the modification records: ausearch -i -k auth_key; to generate a report: aureport.
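The records ausearch returns for the auth_key rule come from /var/log/audit/audit.log, where each event is spread over several lines (SYSCALL, CWD, PATH) that share the same event id. The following added example (not part of the original page) groups those lines by event id and reports which process touched the watched file and whether it opened it for reading or writing. The log lines are constructed samples, and the open-flag decoding assumes x86_64 syscall numbers (open=2, openat=257).

```python
import re
from collections import OrderedDict

# Constructed sample of raw /var/log/audit/audit.log records (not a real capture).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1589435496.123:4321): arch=c000003e syscall=257 success=yes a2=441 ppid=1234 pid=1300 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="auth_key"
type=CWD msg=audit(1589435496.123:4321): cwd="/root"
type=PATH msg=audit(1589435496.123:4321): item=0 name="/root/.ssh/" nametype=PARENT
type=PATH msg=audit(1589435496.123:4321): item=1 name="/root/.ssh/authorized_keys" nametype=NORMAL
type=SYSCALL msg=audit(1589435500.500:4322): arch=c000003e syscall=257 success=yes a2=0 ppid=1 pid=900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="auth_key"
type=PATH msg=audit(1589435500.500:4322): item=0 name="/root/.ssh/authorized_keys" nametype=NORMAL
type=SYSCALL msg=audit(1589435501.000:4323): arch=c000003e syscall=257 success=yes a2=241 pid=901 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="other_rule"
type=PATH msg=audit(1589435501.000:4323): item=0 name="/home/alice/notes" nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed x86_64 syscall numbers for open(2) and openat(2); the flags argument is a1 / a2.
OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}
ACCMODE = {0: "read", 1: "write", 2: "read/write"}

def parse_record(line):
    """Split one audit record into a dict of its key=value fields plus time and event id."""
    m = re.search(r"msg=audit\((\d+\.\d+):(\d+)\)", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"], fields["event"] = m.group(1), m.group(2)
    return fields

def file_access_events(log_text, key):
    """Group records by event id and return one summary per event tagged with `key`."""
    events = OrderedDict()
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        ev = events.setdefault(rec["event"], {"paths": []})
        if rec["type"] == "SYSCALL":
            ev.update({f: rec.get(f) for f in ("time", "pid", "ppid", "uid", "auid",
                                                "comm", "exe", "key", "syscall", "success")})
            arg = OPEN_FLAG_ARG.get(rec.get("syscall"))
            # Open flags are logged in hex; the low two bits are the access mode.
            ev["access"] = ACCMODE[int(rec[arg], 16) & 3] if arg in rec else "unknown"
        elif rec["type"] == "PATH" and rec.get("nametype") != "PARENT":
            ev["paths"].append(rec["name"])
    return [e for e in events.values() if e.get("key") == key]

if __name__ == "__main__":
    for e in file_access_events(SAMPLE_LOG, "auth_key"):
        print(f'{e["time"]} {e["access"]:10} pid={e["pid"]} auid={e["auid"]} '
              f'{e["exe"]} -> {", ".join(e["paths"])}')
```

The auid field (the login uid) survives su/sudo, so it identifies the original user even when uid is 0; a value of 4294967295 means no login session, as for a daemon such as sshd.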