tene (owner)

gist: 220929
public
Public Clone URL: git://gist.github.com/220929.git
audit.log
type=SYSCALL msg=audit(1256769228.713:6126): arch=c000003e syscall=2 success=yes exit=3 a0=2467ec0 a1=441 a2=1b6 a3=76 items=1 ppid=30850 pid=30995 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="bash" exe="/bin/bash" key="etcwatch"
type=CWD msg=audit(1256769228.713:6126): cwd="/etc/audit"
type=PATH msg=audit(1256769228.713:6126): item=0 name="/etc/hosts" inode=537171857 dev=fd:01 mode=0100664 ouid=0 ogid=0 rdev=00:00
 
ausearch|aureport
[sweeks@kweh ~]$ sudo ausearch -k etcwatch | aureport --file
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
 
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 10/28/2009 16:32:39 /etc/hosts 2 yes /bin/cat 500 6124
2. 10/28/2009 16:33:28 /etc/hosts 2 yes /bin/cat 500 6125
3. 10/28/2009 16:33:48 /etc/hosts 2 yes /bin/bash 500 6126
4. 10/28/2009 16:33:59 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6127
5. 10/28/2009 16:33:59 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6128
6. 10/28/2009 16:33:59 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6129
7. 10/28/2009 16:33:59 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6130
8. 10/28/2009 16:34:00 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6131
9. 10/28/2009 16:34:00 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6132
10. 10/28/2009 16:34:00 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6133
11. 10/28/2009 16:34:00 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6134
12. 10/28/2009 16:34:00 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6135
13. 10/28/2009 16:34:00 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6136
14. 10/28/2009 16:34:14 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6137
15. 10/28/2009 16:34:39 /etc/hosts 2 yes /usr/lib64/firefox-3.5.3/firefox 500 6138
16. 10/28/2009 16:36:26 /etc/hosts 2 yes /bin/bash 500 6148
17. 10/28/2009 16:41:36 /etc/hosts 2 yes /usr/bin/vim 500 6161
 
[sweeks@kweh ~]$ sudo ausearch -k etcwatch | aureport --file --summary
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
 
File Summary Report
===========================
total file
===========================
17 /etc/hosts