The Linux Audit system provides a way to determine who violated the security policy and what actions they performed, for example by tracking malicious changes to the Oracle executables.
Using the Linux Audit system we can do the following:
- Watching file access
- Monitoring system calls
- Recording commands run by a user
- Recording security events
In this short blog post I will show how easily it can be used to catch changes in the Oracle home “bin” directory (here /app/home18c/bin).
Test environment: OEL 6.6 / UEK 4.1
Just add a rule to “/etc/audit/audit.rules” and that’s it (-w sets the path to watch, -p the kinds of access to record, -k a key that tags every matching record so it can be searched for later):
-w /app/home18c/bin -p wa -k oracle_bin
w: write access to a file or a directory.
a: change in the file’s or directory’s attributes (owner, mode, timestamps).
Read (r) and execute (x) access are not requested here, so normal use of the executables is not logged.
Then restart auditd so the rule is loaded (auditctl -l lists the rules currently active):
- service auditd restart
Let’s test it:
- touch /app/home18c/bin/test_file
- rm -f /app/home18c/bin/test_file
- chmod o+r /app/home18c/bin/lsnrctl
Extract from “/var/log/audit/audit.log”:
The same records can be pulled out by key using “ausearch -k oracle_bin”:
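A small parser for the raw audit.log records such a rule produces, added here as an example and not part of the original post: it joins each SYSCALL record tagged key="oracle_bin" with its PATH records and prints one line per touched path (who did it, with which command, and whether the path was created, deleted or modified). The embedded log lines are constructed to mimic the three test commands above (syscall numbers, inodes and timestamps are illustrative), and the script assumes only a POSIX awk.

```sh
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log after the three test commands
# (touch, rm, chmod) plus one unrelated event that should be filtered out.
SAMPLE_AUDIT_LOG="$(cat <<'EOF'
type=SYSCALL msg=audit(1563000000.123:4501): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=3001 pid=3120 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="touch" exe="/bin/touch" key="oracle_bin"
type=CWD msg=audit(1563000000.123:4501):  cwd="/home/oracle"
type=PATH msg=audit(1563000000.123:4501): item=0 name="/app/home18c/bin/" inode=2001 dev=fd:00 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1563000000.123:4501): item=1 name="/app/home18c/bin/test_file" inode=2002 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1563000000.130:4502): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=3001 pid=3121 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="rm" exe="/bin/rm" key="oracle_bin"
type=PATH msg=audit(1563000000.130:4502): item=0 name="/app/home18c/bin/" inode=2001 dev=fd:00 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1563000000.130:4502): item=1 name="/app/home18c/bin/test_file" inode=2002 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1563000000.140:4503): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=3001 pid=3125 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="chmod" exe="/bin/chmod" key="oracle_bin"
type=PATH msg=audit(1563000000.140:4503): item=0 name="/app/home18c/bin/lsnrctl" inode=2003 dev=fd:00 mode=0100751 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1563000000.150:4504): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3001 pid=3130 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1563000000.150:4504): item=0 name="/etc/hosts" inode=77 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
)"

# Reads audit.log records on stdin; prints one line per non-PARENT path of
# every event whose SYSCALL record carries key="oracle_bin".
summarize_oracle_bin_events() {
    awk '
    # field(line, key): value of " key=value" or " key="value"", "" if absent.
    function field(line, key,   m) {
        if (match(line, " " key "=\"?[^ \"]*")) {
            m = substr(line, RSTART, RLENGTH)
            sub(" " key "=\"?", "", m)
            return m
        }
        return ""
    }
    {
        # Event id is the serial after the colon in msg=audit(time:serial)
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
        if ($0 ~ /^type=SYSCALL /) {
            # auid is the login uid, kept across su/sudo; uid is the effective one
            auid[id] = field($0, "auid"); uid[id] = field($0, "uid")
            comm[id] = field($0, "comm"); exe[id] = field($0, "exe")
            sc[id] = field($0, "syscall"); kept[id] = (field($0, "key") == "oracle_bin")
        } else if ($0 ~ /^type=PATH / && kept[id]) {
            nt = field($0, "nametype")
            if (nt != "PARENT")   # PARENT is the directory entry, not the target
                printf "event=%s auid=%s uid=%s comm=%s exe=%s syscall=%s %s %s\n",
                    id, auid[id], uid[id], comm[id], exe[id], sc[id], nt, field($0, "name")
        }
    }'
}

# Runs the parser over the constructed sample (use "< /var/log/audit/audit.log" on a real host).
demo_report() { printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_oracle_bin_events; }
demo_report
```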
That’s it 😀