NixCraft: Linux audit files to see who made changes to a file
Mar 20, 2007, 18:25
(Other stories by Vivek)
[ Thanks to Nobody for this link. ]
"The modern Linux kernel (2.6.x) comes with the auditd daemon.
It’s responsible for writing audit records to the disk.
During startup, the rules in /etc/audit.rules are read by this
daemon. You can open the /etc/audit.rules file and make changes such as
setting up the audit file log location and other options. In order to use
the audit facility you need to use the following utilities:

"=> auditctl - a command to assist controlling the
kernel’s audit system. You can get status, and add or delete
rules into the kernel audit system."
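
As an added example (not code from the NixCraft article), the following Python parses the records auditd writes to disk and reports who touched a given file, including denied attempts. The watch rule shown in the comment, the key names and every log value are constructed for illustration; `auid` is the login UID, which stays the same when a user switches to root.

```python
import re
from collections import defaultdict

# Constructed sample records in the auditd log format, as a watch rule such as
#   auditctl -w /etc/passwd -p wa -k passwd-watch
# would produce them. All values are made up for this example.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1174415125.101:42): arch=c000003e syscall=2 success=yes exit=3 ppid=2101 pid=2150 auid=1000 uid=0 gid=0 comm="vi" exe="/usr/bin/vim" key="passwd-watch"
type=CWD msg=audit(1174415125.101:42): cwd="/root"
type=PATH msg=audit(1174415125.101:42): item=0 name="/etc/passwd" inode=131301 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1174415190.554:57): arch=c000003e syscall=2 success=no exit=-13 ppid=2300 pid=2311 auid=1001 uid=1001 gid=1001 comm="sh" exe="/bin/bash" key="passwd-watch"
type=PATH msg=audit(1174415190.554:57): item=0 name="/etc/passwd" inode=131301 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1174415200.009:60): arch=c000003e syscall=2 success=yes exit=3 ppid=2101 pid=2400 auid=1000 uid=0 gid=0 comm="cat" exe="/bin/cat" key="other-watch"
type=PATH msg=audit(1174415200.009:60): item=0 name="/etc/hosts" inode=131400 dev=08:01 mode=0100644 ouid=0 ogid=0
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by event serial: {serial: {"time": int, "SYSCALL": {...}, "PATH": [...]}}."""
    events = defaultdict(lambda: {"PATH": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, secs, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = int(secs)
        if rtype == "PATH":
            ev["PATH"].append(fields)  # one event can carry several PATH records
        else:
            ev[rtype] = fields
    return events

def who_touched(log_text, path):
    """Return (serial, auid, uid, exe, success) for each event whose PATH records name `path`."""
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        sc = ev.get("SYSCALL")
        if sc and any(p.get("name") == path for p in ev["PATH"]):
            hits.append((serial, sc["auid"], sc["uid"], sc["exe"], sc["success"] == "yes"))
    return hits

if __name__ == "__main__":
    for hit in who_touched(SAMPLE_LOG, "/etc/passwd"):
        print(hit)
```
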