1
00:00:00,000 --> 00:00:10,880
So what we need is a slight modification to what we have done before.

2
00:00:10,880 --> 00:00:16,760
And I'm going to show you history | grep auditctl.

3
00:00:16,760 --> 00:00:21,000
So really, it's based on this.

4
00:00:21,000 --> 00:00:22,000
And what do I want?

5
00:00:22,000 --> 00:00:29,000
Well, I want a line that is almost the same, but a little bit more basic.

6
00:00:29,000 --> 00:00:38,560
auditctl -a always,exit -F dir=/home.

7
00:00:38,560 --> 00:00:50,680
And then I need -F uid=0, and -k root home access.

8
00:00:50,680 --> 00:00:53,119
So that should be doing it.

9
00:00:53,119 --> 00:00:55,119
Now let's check it.

10
00:00:55,119 --> 00:01:01,919
I'm going into the /home directory, and I'm going into the student directory, and I'm

11
00:01:01,919 --> 00:01:04,279
using cat on what?

12
00:01:04,279 --> 00:01:08,260
Well, let's do that on .bashrc.

13
00:01:08,260 --> 00:01:17,919
And now I'm going to grep root home in /var/log/audit/audit.log.

14
00:01:17,919 --> 00:01:18,919
And look at that.

15
00:01:18,919 --> 00:01:22,360
There we can see that all root access has been logged.

16
00:01:22,360 --> 00:01:26,959
What you can also see here is that a lot of information is logged.

17
00:01:26,959 --> 00:01:30,879
One more interesting thing, do you see this number here?

18
00:01:30,879 --> 00:01:33,839
The first part of the number is the timestamp in epoch.

19
00:01:33,839 --> 00:01:40,040
As you have seen, use date -d @timestamp to see what it is in human time.

20
00:01:40,040 --> 00:01:41,680
Then we have 859.

21
00:01:41,680 --> 00:01:45,320
The 859 is the audit event ID.

22
00:01:45,320 --> 00:01:49,760
And then within the audit event ID, you can see a sequence order.

23
00:01:49,760 --> 00:01:51,320
Now what does that mean?

24
00:01:51,320 --> 00:01:56,800
We have 859 starting at 307 here, up to 859 312.

25
00:01:56,800 --> 00:02:00,080
It all belongs to the same flow of events.

26
00:02:00,080 --> 00:02:05,879
So if you want to analyze step by step what exactly has happened, then you need to read

27
00:02:05,879 --> 00:02:08,199
all the lines for all these different events.

28
00:02:08,199 --> 00:02:11,320
But hey, I think this is enough for this lab, isn't it?

