This issue is easy to solve.
The audit and audit-libs packages can be installed on Fedora Linux using the DNF utility:
```
[root@desk mythcat]# dnf install -y audit audit-libs
...
Complete!
```
Check that the service is active:
```
[mythcat@desk ~]$ sudo service auditd status
```
If it is not active, try to start or restart it with these commands:
```
[mythcat@desk ~]$ sudo service auditd start
...
[mythcat@desk ~]$ sudo service auditd restart
...
```
Let’s create an audit rule on the server, with the label/key sshconfigchange, to log every access or modification to the file /etc/ssh/sshd_config, with this command:
```
[mythcat@desk ~]$ sudo auditctl -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange
```
The changes can be seen with:
```
[mythcat@desk ~]$ sudo ausearch -k sshconfigchange
----
time->Tue May 4 22:02:30 2021
type=CONFIG_CHANGE msg=audit(1620154950.473:566): auid=1000 ses=1 subj=kernel op=add_rule key="sshconfigchange" list=4 res=1
```
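To review what the sshconfigchange key has recorded, the ausearch records can be grouped by event serial number and summarized. This is an added example, not code from the original post: the function names `parse_events` and `summarize` are hypothetical, and every sample record after the first CONFIG_CHANGE line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# First record is the page's own output; the remaining records are constructed samples.
SAMPLE = """\
----
time->Tue May  4 22:02:30 2021
type=CONFIG_CHANGE msg=audit(1620154950.473:566): auid=1000 ses=1 subj=kernel op=add_rule key="sshconfigchange" list=4 res=1
type=SYSCALL msg=audit(1620155012.101:570): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2301 pid=2345 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="sshconfigchange"
type=PATH msg=audit(1620155012.101:570): item=0 name="/etc/ssh/sshd_config" inode=1312 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=CONFIG_CHANGE msg=audit(1620155100.020:581): auid=1000 ses=1 subj=kernel op=remove_rule key="sshconfigchange" list=4 res=1
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records into events keyed by their serial number."""
    events = defaultdict(lambda: {"types": [], "fields": {}})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skips '----' separators and 'time->' lines
        rtype, epoch, serial, body = m.groups()
        ev = events[int(serial)]
        ev["types"].append(rtype)
        ev["time"] = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        for k, v in FIELD.findall(body):
            ev["fields"].setdefault(k, v.strip('"'))
    return dict(events)

def summarize(events, key="sshconfigchange"):
    """Return (serial, kind, auid, detail) tuples for events carrying the key."""
    out = []
    for serial, ev in sorted(events.items()):
        f = ev["fields"]
        if f.get("key") != key:
            continue
        if "CONFIG_CHANGE" in ev["types"]:
            # The watch rule itself changed; a removal means monitoring has stopped.
            out.append((serial, "rule_" + f.get("op", "?"), f.get("auid"), ""))
        elif "SYSCALL" in ev["types"]:
            out.append((serial, "file_access", f.get("auid"), f"{f.get('exe')} -> {f.get('name')}"))
    return out

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```

Real input can come from `sudo ausearch -k sshconfigchange --raw`; the default output also works because separator and `time->` lines are skipped.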