It's so simple …
What audit means – check who did what to a file, e.g. who read from or wrote to it!
auditd is the daemon that works with the Linux kernel's audit system. It audits the predefined files according to the rules in /etc/audit.rules, and those rules can be customized for any files you want.
It's installed by default; if not:
#yum install audit
Start the daemon if it isn't running:
#service auditd start
Make the daemon start at boot:
#chkconfig auditd on
Customize the files to be audited
auditctl : the command used for controlling the kernel's audit system – get its status, and add or delete rules in the kernel audit system. Set a watch on the file to be audited like this:
# auditctl -w /usr/sbin/crond -p rwxa -k cron-daemon
-w : option used to watch the file /usr/sbin/crond
-p : set the permissions to watch the file for; here w – write, r – read, x – execute, a – append
-k : set a filter key (a string up to 31 chars long) used to uniquely identify the audit records produced by the watch
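As an added example (not from the original post), the script below builds a watch rule in the same `-w PATH -p PERMS -k KEY` form before it is dropped into /etc/audit.rules, rejecting the two things auditctl would refuse anyway (a -p string with letters other than r, w, x, a, and a -k key longer than 31 chars), and then shows what the -k key is for: pulling just that watch's records out of the log. The log lines are constructed for the example in the shape auditd writes to /var/log/audit/audit.log; the record ids, timestamps and uids are invented, and auditctl itself is not run.

```shell
#!/bin/sh
# Added example, not the post's own commands. Needs only POSIX sh.

# make_watch_rule PATH PERMS KEY
# Prints a rule line for /etc/audit.rules, or fails with a message on stderr
# when the path, the -p permissions or the -k key would be rejected.
make_watch_rule() {
    path=$1; perms=$2; key=$3
    case "$path" in
        /*) ;;
        *)  echo "path must be absolute: '$path'" >&2; return 1 ;;
    esac
    # -p takes any combination of the letters r, w, x, a and nothing else
    case "$perms" in
        "" | *[!rwxa]*) echo "perms must be made of r,w,x,a: '$perms'" >&2; return 1 ;;
    esac
    # -k filter keys are limited to 31 characters
    if [ -z "$key" ] || [ "${#key}" -gt 31 ]; then
        echo "key must be 1-31 chars: '$key'" >&2; return 1
    fi
    printf -- '-w %s -p %s -k %s\n' "$path" "$perms" "$key"
}

# Constructed sample records (invented values, not captured from a real host).
# Every record a watch produces ends with key="<the -k value>".
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 key="cron-daemon"
type=PATH msg=audit(1700000000.123:101): item=0 name="/usr/sbin/crond" inode=1234 mode=0100755
type=SYSCALL msg=audit(1700000005.456:102): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 key="passwd-changes"
type=SYSCALL msg=audit(1700000009.789:103): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 key="cron-daemon"'

# records_for_key KEY -> the SAMPLE_LOG lines tagged with that filter key
records_for_key() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F "key=\"$1\""
}

# count_for_key KEY -> number of records carrying the key (0 when none)
count_for_key() {
    records_for_key "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: the rule from the post, then the records its key selects.
make_watch_rule /usr/sbin/crond rwxa cron-daemon
echo "records tagged cron-daemon: $(count_for_key cron-daemon)"
records_for_key cron-daemon
```

On a real host the same filtering is what `ausearch -k cron-daemon` does against /var/log/audit/audit.log; the point of choosing a distinct -k per watch is that a noisy log stays searchable per rule.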