Monitor Web Site Files With Auditd
Tuesday, January 21st, 2014 - 2:51 pm - Security, System Administration
The Linux Auditing System and auditd are a great way to monitor who changed the files in your website, and when. To install and configure them, follow these steps:
1. Install auditd and related utilities:
yum install audit
2. Make sure auditd is running:
/sbin/chkconfig --list auditd
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
3. Edit /etc/audit/auditd.conf and change:
action_mail_acct = [your email address]
This sets any action emails to go to your preferred address.
4. Edit /etc/audit/audit.rules and add a line like this to the bottom:
-w [path_to_website] -p wa -k [key]
So if your website is located at:
/var/www/vhosts/mysite.com/httpdocs
then a rule like:
-w /var/www/vhosts/mysite.com/httpdocs -p wa -k mysite
would set up auditing of writes (w) and attribute changes (a) under that directory. Events matching this rule are tagged with the “mysite” key, so they can be picked out of the log later.
5. Restart auditd so the new rule is loaded:
/sbin/service auditd restart
Audit logs go to:
/var/log/audit/audit.log
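As an added example (not part of the original post), here is a small Python script that does the "who and when" part of reading that log: it groups the SYSCALL and PATH records of audit.log by their audit serial and returns only the events tagged with the rule's key, with the login uid (auid), the effective uid, the program and the file touched. The log lines are constructed samples in the format auditd writes; the uids, pids and inode numbers are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log.
# The serial in msg=audit(epoch.ms:serial) ties the SYSCALL, CWD and PATH records
# of one event together; auid is the login uid, which survives su/sudo.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1390330200.512:101): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2200 pid=2231 auid=1000 uid=48 gid=48 euid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" key="mysite"
type=CWD msg=audit(1390330200.512:101):  cwd="/var/www/vhosts/mysite.com/httpdocs"
type=PATH msg=audit(1390330200.512:101): item=0 name="/var/www/vhosts/mysite.com/httpdocs" inode=131 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1390330200.512:101): item=1 name="/var/www/vhosts/mysite.com/httpdocs/index.php" inode=140 dev=08:01 mode=0100644 ouid=48 ogid=48 rdev=00:00
type=SYSCALL msg=audit(1390330260.007:102): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=1900 pid=1950 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="chmod" exe="/bin/chmod" key="mysite"
type=PATH msg=audit(1390330260.007:102): item=0 name="/var/www/vhosts/mysite.com/httpdocs/config.php" inode=141 dev=08:01 mode=0100644 ouid=48 ogid=48 rdev=00:00
type=SYSCALL msg=audit(1390330300.000:103): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=77 auid=4294967295 uid=99 gid=99 euid=99 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="other"
type=PATH msg=audit(1390330300.000:103): item=0 name="/etc/crontab" inode=9 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(rest):
    """Turn 'a=1 b="two words"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD.findall(rest)}

def events_for_key(log_text, key):
    """Group records by audit serial; return the events tagged with the rule key."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, secs, serial, rest = m.groups()
        fields = parse_fields(rest)
        ev = events[serial]
        if rtype == "SYSCALL":
            ev.update(when=datetime.fromtimestamp(int(secs), tz=timezone.utc),
                      auid=fields.get("auid"), uid=fields.get("uid"),
                      exe=fields.get("exe"), key=fields.get("key"),
                      success=fields.get("success") == "yes")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return [ev for ev in events.values() if ev.get("key") == key]

if __name__ == "__main__":
    for ev in events_for_key(SAMPLE_LOG, "mysite"):
        print(ev["when"].isoformat(), "auid=%s uid=%s" % (ev["auid"], ev["uid"]),
              ev["exe"], "ok" if ev["success"] else "DENIED", ev["paths"][-1])
```

On a real host, ausearch -k mysite performs the same key filtering against the live log; the second sample event shows why auid matters, since the chmod ran as root (uid=0) but the login uid 500 identifies who became root.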