Linux audit files to see who made changes to a file

How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?

The answer is to use 2.6 kernel’s audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It’s responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.

In order to use audit facility you need to use following utilities
=> auditctl – a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command:

=> ausearch – a command that can query the audit daemon logs based for events based on different search criteria.

=> aureport – a tool that produces summary reports of the audit system logs.

Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux. 继续阅读

HOWTO configure the auditing of the system (auditd)


The audit service is provided for system auditing. By default, this service audits about SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.

Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. Networks with high security level often have substantial auditing requirements and auditd can be configured to meet these requirements:

  • Ensure Auditing is Configured to Collect Certain System Events
  • Information on the Use of Print Command (unsuccessful and successful)
  • Startup and Shutdown Events (unsuccessful and successful)
  • Ensure the auditing software can record the following for each audit event:
    • When the event appears
    • Who initiated the event
    • Type of the event
    • Success or failure of the event
    • Origin of the request (example: terminal ID)
    • For events that introduce an object into a user’s address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.
  • Ensure daily of the audit logs
  • Ensure that the audit data files have restrictive permissions (at least 640).




在本教程中,您将了解到如何通过预防对数据或其他数据库对象进行未授权查看和更改来保障数据安全。此处提供的材料主要包括考试第 8 部分的相关内容,标题为 Security,本教程涉及的主题包括:

  • 连接安全
  • 网络加密
  • 审计
  • 自主访问控制



  • 了解身份验证、授权和加密的概念及使用方法
  • 允许 non-OS 用户访问数据库
  • 利用 onaudit 在数据库服务器上设置并配置安全审计
  • 利用可信连接和可信上下文连接来增强安全性
  • 使用角色特权来保护数据安全
  • 设置角色分离来加强对数据库服务器用户的访问控制


Informix 11.70 安装在本系列教程的第 1 部分进行了介绍。如果还没安装,可下载并安装 IBM Informix 11.70 的副本。Informix 服务器能够帮助您了解 IBM Informix V11.70 系统管理认证考试当中涉及的许多概念。


学习本教程时,不需要 IBM Informix 的副本。但是,如果下载了 Informix Innovator-C Edition(参见 参考资料)的免费试用版,并与本教程配套使用,您将收获更大。 继续阅读




存储过程通过建立他们自己的,有别于数据库的许可权限而提供了附加的安全机制。存储过程的所有者向用户授予执行该存储过程的权限,允许用户执行该存储过程中所有的SQL操作,但对其他的数据库访问加以限制。通过使用存储过程来限制用户执行某些用户执行某些数据库的操作,数据库管理员可以提高系统的安全性 继续阅读

Setting up IDS auditing, onaudit

Technote (FAQ)


What are the minimum requirements needed to start IDS auditing?
What are the minimum requirements needed to start onaudit?



IBM® Informix® Dynamic Server™ (IDS) auditing enables the recording of selected user activities on the database server.

This article briefly discusses the set up procedure and provides a demonstration for database server-managed auditing using Informix Dynamic Server for Unix without Role Separation.


MySQL Python tutorial

This is MySQL Python programming tutorial. It covers the basics of MySQL programming with Python. It uses the MySQLdb module. The examples were created and tested on Ubuntu Linux.

There is a similar PostgreSQL Python tutorial, MySQL Visual Basic tutorial, or MySQL PHP tutorial on ZetCode. SQLAlchemy tutorial covers SQLAlchemy SQL Toolkit and Object Relational Mapper. If you need to refresh your knowledge of the Python language, there is a full Python tutorial. You may also consider to look at the MySQL tutorial, too.

About MySQL database

MySQL is a leading open source database management system. It is a multi user, multithreaded database management system. MySQL is especially popular on the web. It is one part of the very popular LAMP platform which consists of Linux, Apache, MySQL, and PHP. Currently MySQL is owned by Oracle. MySQL database is available on most important OS platforms. It runs on BSD Unix, Linux, Windows, or Mac OS. Wikipedia and YouTube use MySQL. These sites manage millions of queries each day. MySQL comes in two versions: MySQL server system and MySQL embedded system. 继续阅读

Python — imaplib IMAP example with Gmail

I couldn’t find all that much information about IMAP on the web, other than the RFC3501.

The IMAP protocol document is absoutely key to understanding the commands available, but let me skip attempting to explain and just lead by example where I can point out the common gotchas I ran into.

Logging in to the inbox

import imaplib
mail = imaplib.IMAP4_SSL('imap.gmail.com')
mail.login('myusername@gmail.com', 'mypassword')
# Out: list of "folders" aka labels in gmail.
mail.select("inbox") # connect to inbox.

Getting all mail and fetching the latest

Let’s start by searching our inbox for all mail with the search function.
Use the built in keyword “ALL” to get all results (documented in RFC3501).

We’re going to extract the data we need from the response, then fetch the mail via the ID we just received.

result, data = mail.search(None, "ALL")
ids = data[0] # data is a list.
id_list = ids.split() # ids is a space separated string
latest_email_id = id_list[-1] # get the latest
result, data = mail.fetch(latest_email_id, "(RFC822)") # fetch the email body (RFC822) for the given ID
raw_email = data[0][1] # here's the body, which is raw text of the whole email
# including headers and alternate payloads

Using UIDs instead of volatile sequential ids


How to enable SNMP monitoring for VMWare ESXi 6.0/6.5

You can do a lot of configuration of ESXi through the GUI, but one thing I’ve found that you cannot do is configure SNMP.

I can see in  the GUI that SNMP service is stopped, and that’s about it:


  • Even if you can manage to get the service started from the GUI, you’ll still have to set your community string somehow. I couldn’t exactly find a place to set that, so it’s off to the CLI we go.

So here’s how to enable SNMP and configure the community string/firewall on ESXi 6.0 or 6.5:


VeraCrypt is a software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted VeraCrypt volume. Similarly, files that are being written or copied to the VeraCrypt volume are automatically being encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for VeraCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let’s suppose that there is an .avi video file stored on a VeraCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the VeraCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type – typically a media player. The media player then begins loading a small initial portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, VeraCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading another small portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types (not only for video files).






# yum -y install fail2ban




[root@s108c fail2ban]# ll /etc/fail2ban/jail.d/jail.local
-rw-r–r– 1 root root 174 Sep 12 10:27 /etc/fail2ban/jail.d/jail.local
[root@s108c fail2ban]# ll /etc/fail2ban/filter.d/authdaemond.conf
-rw-r–r– 1 root root 962 Sep 12 10:08 /etc/fail2ban/filter.d/authdaemond.conf


将/etc/fail2ban/fail2ban.conf配置中logtarget 指向日志要保存的文件

logtarget = /var/log/fail2ban.log 继续阅读