Description
The audit package provides tools and utilities to monitor and analyze system security audits. The audit-libs package contains the dynamic libraries needed by the audit tools and other applications to incorporate auditing capabilities. This test case ensures that the audit utilities and audit-libs work correctly for system auditing.
Setup
- Ensure you have a Fedora system.
- Install the audit and audit-libs packages: sudo dnf install audit audit-libs
How to test
- Open a terminal.
- Ensure the audit daemon is running without any errors: sudo systemctl status auditd
- List all rules: sudo auditctl -l
- Create a new rule to monitor a specific file (e.g. /etc/passwd) for changes: sudo auditctl -a always,exit -F path=/etc/passwd -F perm=wa -k passwd_changes
- List your rules again and confirm the new rule is present: sudo auditctl -l
- Make a change to the monitored file, e.g.: echo "# test comment" | sudo tee -a /etc/passwd
  (With sudo echo "# test comment" >> /etc/passwd the redirection is performed by the unprivileged shell, so the append fails with "Permission denied" unless the shell itself runs as root; tee -a run under sudo appends as root.)
- Query the audit logs for any related events: sudo ausearch -k passwd_changes
- Review the results for the relevant event indicating the change.
Expected Results
- The audit daemon (auditd) should start without any errors.
- The status command should indicate that auditd is actively running.
- After setting an audit rule on /etc/passwd, any modification to the file should trigger an audit event.
- The ausearch utility should display a log entry related to the change made to the monitored file, indicating details like the action performed, user, timestamp, and more.
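The following script is an added example, not part of the Fedora test case. It checks the raw output of sudo ausearch -k passwd_changes for the event the expected results describe (a record carrying the passwd_changes key, a PATH record naming /etc/passwd and a SYSCALL record with success=yes) and extracts the login UID and timestamp from it. The ausearch records embedded in the script are constructed samples with made-up inode, pid and address values; the live_procedure function runs the page's own commands on a real host and is only invoked with --live.

```shell
#!/bin/bash
# Added example: verify the audit event expected after changing a watched file.
# SAMPLE_EVENT and UNRELATED_EVENT are constructed samples in the raw format
# printed by `ausearch` (no -i); field values other than the path and key are made up.

SAMPLE_EVENT='----
time->Mon Jan 15 10:23:45 2024
type=PROCTITLE msg=audit(1705314225.123:456): proctitle=746565002D61002F6574632F706173737764
type=PATH msg=audit(1705314225.123:456): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1705314225.123:456): cwd="/home/tester"
type=SYSCALL msg=audit(1705314225.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e5a10 a2=441 a3=1b6 items=1 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="tee" exe="/usr/bin/tee" key="passwd_changes"'

# A constructed event that must NOT satisfy the check: a different file and key.
UNRELATED_EVENT='----
time->Mon Jan 15 10:24:01 2024
type=PATH msg=audit(1705314241.500:457): item=0 name="/etc/hosts" inode=99 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1705314241.500:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e5a10 a2=0 a3=0 items=1 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="hosts_reads"'

# Does any record in the event carry the -k key given as $2?
event_has_key() {
    printf '%s\n' "$1" | grep -q "key=\"$2\""
}

# Does a PATH record name the watched file given as $2?
event_touches_path() {
    printf '%s\n' "$1" | grep -q "^type=PATH .* name=\"$2\""
}

# Did the SYSCALL record report that the call succeeded?
event_syscall_succeeded() {
    printf '%s\n' "$1" | grep -q '^type=SYSCALL .* success=yes'
}

# Login UID (auid) of the session that caused the event; empty if absent.
event_auid() {
    printf '%s\n' "$1" | grep -o 'auid=[0-9]*' | head -n 1 | cut -d= -f2
}

# Human-readable timestamp from the "time->" header line.
event_timestamp() {
    printf '%s\n' "$1" | sed -n 's/^time->//p' | head -n 1
}

# Returns 0 when the event matches the test case's expected result:
# key (default passwd_changes), path (default /etc/passwd) and a successful syscall.
verify_passwd_event() {
    event="$1"
    key="${2:-passwd_changes}"
    path="${3:-/etc/passwd}"
    if ! event_has_key "$event" "$key"; then
        echo "FAIL: no record with key=\"$key\"" >&2
        return 1
    fi
    if ! event_touches_path "$event" "$path"; then
        echo "FAIL: no PATH record for $path" >&2
        return 1
    fi
    if ! event_syscall_succeeded "$event"; then
        echo "FAIL: SYSCALL record missing or success!=yes" >&2
        return 1
    fi
    echo "OK: $path modified by auid=$(event_auid "$event") at $(event_timestamp "$event")"
}

# The test case's own procedure on a real Fedora host (needs sudo); run with --live.
live_procedure() {
    sudo systemctl is-active auditd
    sudo auditctl -a always,exit -F path=/etc/passwd -F perm=wa -k passwd_changes
    sudo auditctl -l
    # tee under sudo appends as root; a plain >> redirection would run in the
    # unprivileged shell and be denied.
    echo "# test comment" | sudo tee -a /etc/passwd >/dev/null
    verify_passwd_event "$(sudo ausearch -k passwd_changes)"
}

if [ "${1:-}" = "--live" ]; then
    live_procedure
else
    verify_passwd_event "$SAMPLE_EVENT"
fi
```

Without arguments the script only checks the constructed sample, so it can be read and run anywhere; on the Fedora host under test, ./check_audit.sh --live performs the steps above and feeds the real ausearch output to the same check.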
Optional
For enhanced testing depth:
1. Try creating more complex audit rules involving multiple files, system calls, or specific users.
2. Use the autrace utility to trace a specific process for all the system calls it makes.
3. Test the audit utilities on different filesystem types.
4. Ensure that audit-libs functions correctly by running applications or tools that depend on it and verifying their audit-related capabilities.
