
Auditd: Monitoring System Events

Modern DevSecOps (The Hard Way)

Tracking Changes with Auditd

If a hacker changes a file, how do you know? auditd is the Linux audit daemon: the kernel's audit subsystem records system calls and file accesses that match the loaded rules, and auditd writes those records to /var/log/audit/audit.log, where they can be searched.

Usage:

  • Install: sudo apt install auditd.
  • Watch a file: sudo auditctl -w /etc/passwd -p wa -k passwd_changes. Here -w is the path to watch, -p wa records write and attribute changes (permissions, ownership, timestamps), and -k tags every matching record with a key you can search on later. Rules loaded with auditctl are lost at reboot; to keep them, put the same rule line in a file under /etc/audit/rules.d/.
  • Search logs: sudo ausearch -k passwd_changes (add -i to show uids and timestamps in readable form).

Practice:

Create a rule to monitor any modifications to your website's source code directory.
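A worked version of this task, added here as an example and not part of the course material. It assumes the site lives under /var/www/html and uses the key www_src; a watch on a directory covers the files beneath it, and the audit record parsed at the end is a constructed sample in the format auditd writes.

```shell
#!/bin/sh
# Added example: build and persist an auditd directory watch for a website's
# source tree, then pull the useful fields out of a matching audit record.

# Build the rule line. -w path, -p wa = write and attribute changes,
# -k key so that ausearch -k can find the records.
build_rule() {
  # $1 = directory to watch, $2 = key
  printf '%s\n' "-w $1 -p wa -k $2"
}

# Write the rule under /etc/audit/rules.d so augenrules loads it at boot
# (auditctl on its own is not persistent). Needs root on a real system;
# RULES_DIR can be overridden to try the function against a temp directory.
install_rule() {
  dir="${RULES_DIR:-/etc/audit/rules.d}"
  build_rule "$1" "$2" > "$dir/$2.rules"
}

# Extract uid, executable and key from a SYSCALL record. Field order in
# audit records is not fixed, so match on field names rather than positions.
parse_syscall_record() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "uid" || kv[1] == "exe" || kv[1] == "key") f[kv[1]] = kv[2]
    }
    gsub(/"/, "", f["exe"]); gsub(/"/, "", f["key"])
    printf "%s %s %s\n", f["uid"], f["exe"], f["key"]
  }'
}

# Constructed sample record (not captured from a real host): an editor run as
# uid 33 (www-data) opening a file under the watched tree.
SAMPLE='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=33 gid=33 euid=33 comm="vim" exe="/usr/bin/vim.basic" key="www_src"'

# Typical use on the server (as root):
#   install_rule /var/www/html www_src && augenrules --load
#   ausearch -k www_src -i
```

A write by the deploy pipeline and a write by an attacker look the same to the rule, so the value comes from knowing which uid and exe are expected to touch the tree and alerting on the rest.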