2011-12-16 10:13 AEST by Arthur Barrett - In Red Hat Linux 5 (and later) the 'auditctl' command is available to 'watch' changes to configuration
files.
During RPM install we should do a simple 'test' for auditctl, and if it is installed then configure 'watches'
on the CVS Suite Server configuration files:
/etc/cvsnt/PServer
/etc/cvsnt/server
/etc/cvsnt/Bugs
/etc/cvsnt/Make
/etc/cvsnt/cvsmanager
The only 'hiccup' is that we don't actually 'install' these files (the user is supposed to create them from
the templates). So in this case we may need to 'test' for the existence of each file, and if it doesn't exist then
create it from the template.
Other things that could be 'watched' include:
/etc/cvsnt/License
/etc/pam.d/cvsnt
/etc/init.d/cvslockd
/etc/init.d/cvsmanager
/path/to/repo/CVSROOT/passwd
/path/to/repo/CVSROOT/group
/path/to/repo/CVSROOT/admins
/path/to/repo/CVSROOT/users
Creating 'watches' on the repo would be more difficult - I wonder if there is some API or if the idea is
just to write directly to audit.rules? I can see some references to audit_add_rule() in libaudit.h
http://linux.die.net/man/3/audit_add_rule
A quick Google shows that auditd seems to be available on Solaris and Mac OS X as well, but this is
based on the Solaris API (security/auditd.h) and the OpenBPM API from McAfee and is really just an API
to syslog().
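
A sketch of the install-time step proposed above, added here as an example and not taken from the CVS Suite packaging. The `.example` template suffix, the `cvsnt-config` audit key and both function names are assumptions.

```shell
#!/bin/sh
# Added example: the watch setup an RPM %post scriptlet could perform.
# Assumptions (not from the ticket): templates are named <file>.example,
# the audit key is "cvsnt-config", and the function names are made up.

CVSNT_FILES="PServer server Bugs Make cvsmanager"

# Print one audit watch rule per config file under $1 (default /etc/cvsnt),
# creating each missing file from its template first.
cvsnt_watch_rules() {
    etc_dir=${1:-/etc/cvsnt}
    for name in $CVSNT_FILES; do
        file="$etc_dir/$name"
        if [ ! -e "$file" ]; then
            if [ -f "$file.example" ]; then
                cp -p "$file.example" "$file"
            else
                echo "skip $file: no file and no template" >&2
                continue
            fi
        fi
        # -p wa: record writes and attribute changes (chmod/chown), not reads
        echo "-w $file -p wa -k cvsnt-config"
    done
}

# Load the rules into the running kernel if auditctl is installed;
# return 0 without doing anything when it is not.
cvsnt_install_watches() {
    command -v auditctl >/dev/null 2>&1 || return 0
    cvsnt_watch_rules "$1" | while read -r rule; do
        # $rule is left unquoted on purpose so it splits into arguments
        auditctl $rule || echo "auditctl failed for: $rule" >&2
    done
}
```

Rules loaded with `auditctl` last only until the audit daemon restarts, so the lines printed by `cvsnt_watch_rules` would also have to be written to audit.rules to persist.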