Configuring Auditctl on CentOS to monitor GCC logs (or anything really)
Auditing changes on a Linux operating system might seem like a daunting task. It is not, really, especially once you see how simple the setup is.
A quick search turns up plenty of articles on auditing changes on Linux. This article uses CentOS 7 as the example and covers three things: configuring auditctl rules, verifying the logs those rules trigger, and piping the audit logs to an external syslog receiver.
Goal: monitor and audit any command that invokes gcc on CentOS, then pipe the resulting audit logs to an external syslog server.
1. Check that you have the audit package installed on your CentOS host by running:
# rpm -qa | grep audit
2. If the packages are not listed in that output, download and install them first; you will not be able to progress from here without them.
3. Using your favorite text editor, edit this file:
# vi /etc/audit/rules.d/audit.rules
4. Add the following lines to the audit.rules file. They can be adjusted to your requirements. In this example, we want to monitor 3 folders/files for any read, write or execute performed on them:
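As an added example (not code from the original article), the script below wraps the steps above for the stated goal of watching gcc: it builds an auditd watch rule for the gcc binary, checks the rpm output from step 1 for the main audit package, appends the rule to the rules.d file and loads it with augenrules, and extracts the rule key from a constructed audit.log record so the triggered logs can be verified. The path /usr/bin/gcc, the key name gcc_invoke, the AUDIT_RULES_FILE override and the sample record are all assumptions of this example, not values from the article.

```shell
#!/bin/sh
# Added example, not the article's own code. Builds, installs and verifies an
# auditd watch rule for gcc. Paths, key name and the sample record are assumed.

AUDIT_RULES_FILE="${AUDIT_RULES_FILE:-/etc/audit/rules.d/audit.rules}"
RULE_KEY="gcc_invoke"   # assumed key; choose your own, it is what ausearch -k filters on

# Build a watch rule: -w <path> watches the file, -p x fires on execute,
# -k <key> tags every event so it can be found later with ausearch -k.
gcc_audit_rule() {
    path="${1:-/usr/bin/gcc}"   # assumed default location of the gcc binary
    printf '%s\n' "-w ${path} -p x -k ${RULE_KEY}"
}

# Step 1 check. Reads the output of "rpm -qa | grep audit" on stdin and succeeds
# only if the main "audit" package (which ships auditd and auditctl) is present;
# audit-libs alone is not enough to run the daemon.
has_audit_packages() {
    grep -q '^audit-[0-9]'
}

# Pull the key="..." field out of an audit.log SYSCALL record read on stdin.
# Used to confirm that an event was produced by the rule installed above.
audit_record_key() {
    sed -n 's/.*key="\([^"]*\)".*/\1/p'
}

# Steps 3 and 4: append the rule to rules.d if it is not already there, then
# regenerate /etc/audit/audit.rules and load it (CentOS 7's auditd unit uses
# augenrules for this). Must run as root on a real host.
install_gcc_rule() {
    rule="$(gcc_audit_rule "$1")"
    if ! grep -qxF "$rule" "$AUDIT_RULES_FILE" 2>/dev/null; then
        printf '%s\n' "$rule" >> "$AUDIT_RULES_FILE"
    fi
    augenrules --load
    auditctl -l | grep -F -- "-k ${RULE_KEY}"   # show the loaded rule as proof
}

# Constructed sample of the SYSCALL record the rule produces when gcc runs;
# field values are made up for illustration.
SAMPLE_RECORD='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="gcc" exe="/usr/bin/gcc" key="gcc_invoke"'

# Usage on a real host (as root):
#   rpm -qa | grep audit | has_audit_packages || echo "install the audit package first"
#   install_gcc_rule /usr/bin/gcc
#   ausearch -k gcc_invoke -i        # review the triggered events
#   grep 'key="gcc_invoke"' /var/log/audit/audit.log | audit_record_key
```

The rule uses a file watch rather than a syscall filter because that is the form the article's step 4 describes (read/write/execute on specific files); swap `-p x` for `-p rwxa` if you also want reads, writes and attribute changes on the watched path.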