Re: AUDIT(B) - USER add, delete, modify, suspend and lock
On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
Similar idea to the prior email:
I need to monitor local user account
*creation, modification, deletion, suspension and locking.*
These events are all hardwired too. The events that you are looking for are
part of this specification:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account...
As long as audit is enabled, you will get the events.
-Steve
I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow*
and
*/etc/gshadow*, but how do I monitor who modified wfrench inside
/etc/passwd?
Is:
*-w /etc/passwd -k monitor_account_manipulations*
Good enough?
--------------------------
Warron French