Solaris 9 Auditing

How do I set up audit to alert on write conditions for individual files? Thanks.

Less known Solaris features: Auditing - c0t0d0s0.org
Thanks to Joerg Moellenkamp for this outstanding work!

Unfortunately you cannot audit individual files; it is all or nothing. The only way to filter it is to do it per user, using the audit_user file.

We have a short description here on how to audit file deletions, and if you replace fd with fm you audit file modifications, i.e. file writes and any change to the file metadata.

The link to the how to audit file deletions is broken. Is it available somewhere else?

I managed to get auditd to log file deletions but it also logged file creations as well. I'm only interested in file deletions for a particular user and trying to keep the log file as small as possible.

audit_control
-------------
dir:/var/audit
flags:
minfree:20
naflags:lo

audit_user
----------
root:lo:no
user1:lo,fd:no

Shouldn't only login/logout activities for root and user1 along with file deletions from user1 get logged? Why do file creations get logged as well? Any pointer is greatly appreciated.
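
Added example, not part of any post in this thread: a small Python check that computes each user's preselection mask from the two files posted above, using the rule from audit_user(4) (flags plus always-audit, minus never-audit), and then lists which events that mask selects. The three audit_event lines are a constructed sample whose class assignments are an assumption; compare them with /etc/security/audit_event on the system itself.

```python
# audit_control and audit_user are copied from the post above.
AUDIT_CONTROL = "dir:/var/audit\nflags:\nminfree:20\nnaflags:lo\n"
AUDIT_USER = "root:lo:no\nuser1:lo,fd:no\n"
# Constructed sample in audit_event(4) layout (number:name:description:classes).
# The class assignments are an assumption; check the system's own file.
AUDIT_EVENT_SAMPLE = (
    "4:AUE_CREAT:creat(2):fc\n"
    "6:AUE_UNLINK:unlink(2):fd\n"
    "42:AUE_RENAME:rename(2):fc,fd\n"
)

def classes(field):
    """Split a comma-separated class list; 'no' or empty means no classes."""
    names = {c.strip() for c in field.split(",") if c.strip()} - {"no"}
    if any(n[0] in "+-^" for n in names):
        raise ValueError("success/failure prefixes are not handled here")
    return names

def control_flags(text):
    """Return the classes on the flags: line of audit_control."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return classes(value)
    return set()

def user_masks(control, users):
    """Per-user mask: (flags + always-audit) - never-audit."""
    base = control_flags(control)
    masks = {}
    for line in users.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, always, never = line.split(":")
        masks[name] = (base | classes(always)) - classes(never)
    return masks

def selected_events(mask, event_text):
    """Names of events that carry at least one class present in the mask."""
    hits = []
    for line in event_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name = line.split(":")[1]
        if classes(line.rsplit(":", 1)[1]) & mask:
            hits.append(name)
    return hits

if __name__ == "__main__":
    for user, mask in user_masks(AUDIT_CONTROL, AUDIT_USER).items():
        print(user, sorted(mask), selected_events(mask, AUDIT_EVENT_SAMPLE))
```

An event listed under more than one class is selected when any of its classes is in the user's mask, so a mask of lo,fd also picks up events that audit_event files under both fd and another class.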