From Fedora Project Wiki

Description

The audit package provides tools and utilities to monitor and analyze system security audits. The audit-libs package contains the dynamic libraries needed by the audit tools and other applications to incorporate auditing capabilities. This test case ensures that the audit utilities and audit-libs work correctly for system auditing.

Setup

  1. Ensure you have a Fedora system.
  2. Install the audit and audit-libs packages: sudo dnf install audit audit-libs.

How to test

  1. Open a terminal.
  2. Start the audit daemon using the command: sudo service auditd start.
  3. Ensure the daemon is running: sudo service auditd status.
  4. Create a rule to monitor a specific file for changes, e.g., /etc/passwd: sudo auditctl -w /etc/passwd -p wa -k passwd_changes.
  5. Make a change to the monitored file, e.g., echo "# test comment" | sudo tee -a /etc/passwd. (With sudo echo "..." >> /etc/passwd the redirection is opened by your own unprivileged shell, not by sudo, and fails with "Permission denied"; piping through sudo tee -a performs the append as root.)
  6. Query the audit logs for any related events: sudo ausearch -k passwd_changes.
  7. Review the results for the relevant event indicating the change.
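Step 7 asks you to read the event back from ausearch. The following is an added example, not part of this wiki page or of the audit project, that groups the raw records printed by `sudo ausearch -k passwd_changes --raw` (the same format as /var/log/audit/audit.log) by serial number and summarizes each event tagged with the key: who acted, which program, whether the open succeeded, and which path was touched. The sample records are constructed; serials, pids and inodes are made up. The second event shows what the failed `sudo echo ... >> /etc/passwd` form looks like in the log (success=no exit=-13, i.e. EACCES, run as uid 1000 by bash).

```python
import re
from datetime import datetime, timezone

# Constructed records in audit.log / `ausearch --raw` format (values are made up).
# Event 4567: append succeeded as root via tee.
# Event 4570: open() failed with EACCES because `>>` ran in the unprivileged shell.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="tee" exe="/usr/bin/tee" key="passwd_changes"
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.123:4567): item=1 name="/etc/passwd" inode=131456 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.500:4570): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="bash" exe="/usr/bin/bash" key="passwd_changes"
type=PATH msg=audit(1700000005.500:4570): item=0 name="/etc/passwd" inode=131456 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Turn `k=v k="quoted v"` pairs into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(raw):
    """Collect all records that share one audit serial into a single event."""
    events = {}
    for line in raw.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a record (e.g. the '----' separators ausearch prints)
        rtype, secs, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"time": int(secs), "records": []})
        ev["records"].append((rtype, parse_fields(body)))
    return events

def summarize(raw, key):
    """Return one summary dict per event tagged with `key`, in serial order."""
    out = []
    for serial, ev in sorted(group_events(raw).items()):
        syscalls = [f for t, f in ev["records"] if t == "SYSCALL" and f.get("key") == key]
        if not syscalls:
            continue
        sc = syscalls[0]
        # PARENT entries name the containing directory; keep the object actually touched.
        paths = [f["name"] for t, f in ev["records"] if t == "PATH" and f.get("nametype") != "PARENT"]
        out.append({"serial": serial, "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                    "when": datetime.fromtimestamp(ev["time"], timezone.utc).isoformat(),
                    "comm": sc["comm"], "success": sc["success"] == "yes",
                    "exit": int(sc["exit"]), "paths": paths})
    return out

if __name__ == "__main__":
    for e in summarize(SAMPLE_RAW, "passwd_changes"):
        print(e)
```

auid is the login user who ran sudo, so it stays 1000 even when the syscall ran as uid 0; that is the field to check when verifying who made the change.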

Expected Results

  1. The audit daemon (auditd) should start without any errors.
  2. The status command should indicate that auditd is actively running.
  3. After setting an audit rule on /etc/passwd, any modification to the file should trigger an audit event.
  4. The ausearch utility should display a log entry related to the change made to the monitored file, indicating details like the action performed, user, timestamp, and more.

Optional

For enhanced testing depth:

  1. Try creating more complex audit rules involving multiple files, system calls, or specific users.
  2. Use the autrace utility to trace a specific process for all the system calls it makes.
  3. Test the audit utilities on different filesystem types.
  4. Ensure that audit-libs functions correctly by running applications or tools that depend on it and verifying their audit-related capabilities.