Linux Security: Working with the Audit Log

Create audit rules to watch `/etc/passwd` for reads, `/etc/sudoers/` for reads and writes, and `/sbin/visudo` for executions.

Run these commands

auditctl -w /etc/passwd -p w -k userwatch
auditctl -w /sbin/visudo -p x -k sudowatch
auditctl -w /etc/sudoers -p rw -k sudowatch

Generate an audit rule list in `/home/cloud_user/rules.txt`

Run this command

auditctl -l > /home/cloud_user/rules.txt

Generate logs by creating a new user and running the `visudo` command

Run this command

useradd bob
visudo

Generate the `userwatch.txt` and `sudowatch.txt` reports in `/home/cloud_user` by using the established audit keys `userwatch` and sudowatch

Run this command

ausearch -k userwatch > /home/cloud_user/userwatch.txt
ausearch -k sudowatch > /home/cloud_user/sudowatch.txt