Overview

On Linux, the audit RPM provides the auditd service, which can monitor processes and commands. With it we can also audit simple file operations such as read, write and execute. This post introduces a method for monitoring file access on a Linux system, answering questions like “When was the file read or modified?” and “Who edited a specific file?”

Step

  1. Start the auditd service first if it's not running.

...

        # systemctl start auditd     ### CentOS/RHEL 7

Use the auditctl command to specify which files you want to monitor:

     # auditctl -w /etc/hosts -p war -k hostswrap

...
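
The following Python example is added here and is not part of the original page: it answers the "when" and "who" questions by grouping the SYSCALL and PATH records that auditd writes for the `hostswrap` key by audit event ID. The log lines are constructed samples in the format of /var/log/audit/audit.log, and the function name `file_access_events` is hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log records (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="hostswrap"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/hosts" inode=12345 nametype=NORMAL
type=SYSCALL msg=audit(1700000050.500:102): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1 pid=2222 auid=4294967295 uid=48 gid=48 tty=(none) ses=4294967295 comm="tee" exe="/usr/bin/tee" key="hostswrap"
type=PATH msg=audit(1700000050.500:102): item=0 name="/etc/hosts" inode=12345 nametype=NORMAL
type=SYSCALL msg=audit(1700000060.000:103): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="other"
"""

HEADER = re.compile(r'type=(\S+) msg=audit\(((\d+)\.\d+:\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login UID, e.g. a daemon

def file_access_events(log_text, key):
    """Group records by audit event ID and return events tagged with `key`."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, epoch, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(event_id, {"paths": []})
        if rtype == "SYSCALL":  # who did it, when, and with which program
            auid = fields.get("auid")
            ev.update(
                when=datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat(),
                auid="unset" if auid == UNSET_AUID else auid,
                uid=fields.get("uid"),
                exe=fields.get("exe"),
                success=fields.get("success") == "yes",
                key=fields.get("key"),
            )
        elif rtype == "PATH":  # which file the syscall touched
            ev["paths"].append(fields.get("name"))
    return [ev for ev in events.values() if ev.get("key") == key]

if __name__ == "__main__":
    for ev in file_access_events(SAMPLE_LOG, "hostswrap"):
        print(ev["when"], "auid=" + ev["auid"], "uid=" + ev["uid"],
              ev["exe"], "ok" if ev["success"] else "failed", ev["paths"])
```

The `auid` field is the login UID, so it still identifies the original user after `su` or `sudo`, while `uid` shows the identity the process was running as.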