Audit will tell you when a "write" change occurs. Auditd has a plugin
framework to let you write custom code which consumes audit events.
You can use that to orchestrate a file copy to save the file.
Something like:
https://github.com/karmab/audisp-simple
Farhan
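As an added example (not code from the original thread and not the audisp-simple project linked above), here is a minimal dispatcher-plugin-style consumer that does what the reply describes: it reads raw audit records from stdin, groups them into events, and copies the watched file to an archive each time a successful write-open of it is reported. It assumes an audit rule of the form `-w /etc/hosts -p w -k hosts_watch` (so the key `hosts_watch` marks write-intent opens), that the dispatcher hands records over one per line and terminates each event with a `type=EOE` record, and that snapshots go to `/var/tmp/audit-snapshots`; the key, paths, and the sample records built by `make_event` are all constructed for the example.

```python
#!/usr/bin/env python3
"""Example audisp-style plugin (added example, not from the page or audisp-simple):
snapshot a watched file whenever audit reports a write-open of it. Assumes an audit
rule  -w /etc/hosts -p w -k hosts_watch  and records arriving on stdin, one per line."""
import os
import re
import shutil
import sys
import tempfile

WATCH_KEY = "hosts_watch"                 # assumed key from the audit rule
WATCHED = {"/etc/hosts"}                  # assumed watched paths
ARCHIVE_DIR = "/var/tmp/audit-snapshots"  # assumed snapshot destination

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One raw audit record -> (ts, serial, {field: value}); None if not an audit record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return m.group("ts"), m.group("serial"), fields

def group_events(lines):
    """Yield (ts, serial, records) per event: records share a serial, EOE closes the event.
    Anything still pending at end of input is flushed (dispatcher stopped mid-event)."""
    pending = {}
    for line in lines:
        parsed = parse_record(line)
        if not parsed:
            continue
        ts, serial, fields = parsed
        if fields.get("type") == "EOE":
            if serial in pending:
                yield ts, serial, pending.pop(serial)[1]
            continue
        pending.setdefault(serial, (ts, []))[1].append(fields)
    for serial, (ts, recs) in pending.items():
        yield ts, serial, recs

def written_paths(records, key=WATCH_KEY, watched=WATCHED):
    """Watched files this event successfully opened with write intent (the -p w rule only
    attaches the key to such opens). PATH names may be relative to the CWD record."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if not syscall or syscall.get("key") != key or syscall.get("success") != "yes":
        return []
    cwd = next((r.get("cwd", "/") for r in records if r.get("type") == "CWD"), "/")
    hits = []
    for r in records:
        if r.get("type") != "PATH" or r.get("nametype") == "PARENT":
            continue
        path = os.path.normpath(os.path.join(cwd, r.get("name", "")))
        if path in watched and path not in hits:
            hits.append(path)
    return hits

def process(lines, watched=WATCHED, archive_dir=ARCHIVE_DIR):
    """Consume records; copy each watched file right after a write event is reported.
    Returns the snapshot paths made; a file already deleted by the time we run is skipped."""
    made = []
    for ts, serial, recs in group_events(lines):
        for path in written_paths(recs, watched=watched):
            os.makedirs(archive_dir, exist_ok=True)
            dest = os.path.join(archive_dir, f"{os.path.basename(path)}.{serial}.{ts}")
            try:
                shutil.copy2(path, dest)   # state of the file now, not the bytes written
                made.append(dest)
            except FileNotFoundError:
                pass
    return made

def make_event(ts, serial, path):
    """Constructed records resembling what auditd emits for `echo x > path` under a -p w
    rule (a2=0x241 is O_WRONLY|O_CREAT|O_TRUNC); real records carry more fields."""
    h = f"msg=audit({ts}:{serial}):"
    return [
        f'type=SYSCALL {h} arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c '
        f'a1=7ffd0000 a2=241 a3=1b6 items=2 pid=2345 auid=1000 uid=0 comm="bash" '
        f'exe="/usr/bin/bash" key="{WATCH_KEY}"',
        f'type=CWD {h} cwd="/root"',
        f'type=PATH {h} item=0 name="{os.path.dirname(path)}/" nametype=PARENT',
        f'type=PATH {h} item=1 name="{path}" inode=5678 mode=0100644 nametype=NORMAL',
        f'type=EOE {h} ',
    ]

def demo():
    """Offline run: a constructed file is written at t1 and truncated at t2; both states
    survive as separate snapshots. Returns the snapshot contents in order."""
    tmp = tempfile.mkdtemp()
    target, archive = os.path.join(tmp, "hosts"), os.path.join(tmp, "snapshots")
    with open(target, "w") as f:
        f.write("127.0.0.1 localhost\n10.0.0.5 c2.example\n")   # state at t1
    made = process(make_event("1551880620.123", "4567", target), {target}, archive)
    open(target, "w").close()                                   # contents wiped at t2
    made += process(make_event("1551880700.456", "4581", target), {target}, archive)
    return [open(p).read() for p in made]

if __name__ == "__main__":      # as a dispatcher plugin: records arrive on stdin
    process(sys.stdin)
```

To run it as a plugin, register it in the dispatcher's `plugins.d` directory (`/etc/audisp/plugins.d/` on older audit releases, `/etc/audit/plugins.d/` on audit 3.x) with `active = yes`, `direction = out`, `type = always`, `format = string` and `path` pointing at the script. Two caveats matter for the attack-reconstruction use case in the question: audit records the open(2) with write intent, not the bytes written, so the event reaches the plugin when open returns and a copy taken immediately may still show the pre-write state (or the empty file left by O_TRUNC); delaying the copy briefly, or also copying when the next event for the same file arrives, narrows that gap. And each snapshot is the file's state at copy time, so several writes in quick succession can collapse into one snapshot.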
On Wed, Mar 6, 2019 at 2:57 PM Wajih Ul Hassan <wajih.lums(a)gmail.com> wrote:
Hi All,
Can I use auditd to track content written to specific files? For example,
in this case
https://access.redhat.com/solutions/10107, how can I keep
track of what string was written to `/etc/hosts` file over time and extract
this information later from logs?
The reason I asked this question is that I am trying to audit some
simulated attack scenario and in this particular attack scenario I need to
know what content was written/changed to a sensitive file over time to
fully understand the attack. Even if the attack deletes the contents of the
sensitive file at time t_2, I need to extract what was written to file at
time t_1.
Thanks,
Wajih
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit