A program for monitoring the system changes.

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 693
Joined: 2014/11/24 11:04:37

A program for monitoring the system changes.

Post by hack3rcon » 2020/08/16 08:19:21

Hello,
How can I watch the configuration changes on CentOS 8?
For example, a user logged to my system and I want to know which configuration he\she changed or which program installed or removed.

Thank you.

User avatar
KernelOops
Posts: 347
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: A program for monitoring the system changes.

Post by KernelOops » 2020/08/16 19:23:11

if they have root privileges, then its pretty impossible to monitor what they are doing because the root user can hide things. In corporate environments, those who need root, are usually forced to ssh as normal users and then change to root, so their login credentials can be recorded, but once they attain root, only a kernel module can track their progress.

for normal users, its possible to monitor processes and file i/o, nothing can be hidden and its easy to set limits (cpu/disk/net/etc).

if you are looking just for a file/directory integrity tool, take a look at AIDE. It is available in CentOS.
--
I love my computer - all my friends live there.
--

hack3rcon
Posts: 693
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/16 20:34:19

Thank you.
Is "Audit" provide same feature?
I did a command like below :

Code: Select all

$ sudo auditctl -w /etc/ssh/sshd_config  -k sshconfigchange
But I want to see which part of the file changed!
How can I tune the Auditd service?


hack3rcon
Posts: 693
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 07:19:33

KernelOops wrote:
2020/08/16 19:23:11
if they have root privileges, then its pretty impossible to monitor what they are doing because the root user can hide things. In corporate environments, those who need root, are usually forced to ssh as normal users and then change to root, so their login credentials can be recorded, but once they attain root, only a kernel module can track their progress.

for normal users, its possible to monitor processes and file i/o, nothing can be hidden and its easy to set limits (cpu/disk/net/etc).

if you are looking just for a file/directory integrity tool, take a look at AIDE. It is available in CentOS.
For use "AIDE", I must disable "auditd" service?
I guess "auditd" service disabled by default!!!

aks
Posts: 3032
Joined: 2014/09/20 11:22:14

Re: A program for monitoring the system changes.

Post by aks » 2020/08/23 07:33:59

For use "AIDE", I must disable "auditd" service?
No.
I guess "auditd" service disabled by default!!!
Auditd is notoriously "slow". I don't think it's improved over the years, but I could be wrong.
I don;t believe it is disabled by default (in CentOS).

hack3rcon
Posts: 693
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 07:48:28

aks wrote:
2020/08/23 07:33:59
For use "AIDE", I must disable "auditd" service?
No.
I guess "auditd" service disabled by default!!!
Auditd is notoriously "slow". I don't think it's improved over the years, but I could be wrong.
I don;t believe it is disabled by default (in CentOS).
If I disable it then can it make any problem?

aks
Posts: 3032
Joined: 2014/09/20 11:22:14

Re: A program for monitoring the system changes.

Post by aks » 2020/08/23 07:51:52

That depends on your local setup and requirements.
I wouldn't.

MartinR
Posts: 611
Joined: 2015/05/11 07:53:27
Location: UK

Re: A program for monitoring the system changes.

Post by MartinR » 2020/08/23 10:38:07

auditd is enabled by default. However the default configuration file (in C8) is:

Code: Select all

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
Reading auditctl(8) this translates to:
  • Delete all existing rules
  • Set the number of backlog buffers to 8k
  • Generate error messages on daemon failure.
  • Hang the kernel for up to 1,000s if there is too many events queued.
One thing you'll notice is that there are no rules! The daemon runs happily doing no work and writing out no events. :o

To use the audit daemon you need to generate a ruleset, there are examples provided. Before doing this, read the Performance Tips section. Two points emerge:
  1. Use filesystem auditing in preference to system call auditing, it's much faster, and
  2. Avoid triggering multiple syscall rules, combine them if at all possible.
HTH.

hack3rcon
Posts: 693
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 11:12:28

MartinR wrote:
2020/08/23 10:38:07
auditd is enabled by default. However the default configuration file (in C8) is:

Code: Select all

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
Reading auditctl(8) this translates to:
  • Delete all existing rules
  • Set the number of backlog buffers to 8k
  • Generate error messages on daemon failure.
  • Hang the kernel for up to 1,000s if there is too many events queued.
One thing you'll notice is that there are no rules! The daemon runs happily doing no work and writing out no events. :o

To use the audit daemon you need to generate a ruleset, there are examples provided. Before doing this, read the Performance Tips section. Two points emerge:
  1. Use filesystem auditing in preference to system call auditing, it's much faster, and
  2. Avoid triggering multiple syscall rules, combine them if at all possible.
HTH.
The Auditd not have any conflict with AIDE? If both of them running.

Post Reply

Return to “CentOS 8 - Security Support”