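#!/usr/bin/env bash
# Demonstrates a Linux audit (auditd) file watch end to end: create a harmless
# stand-in for a sensitive file, install a rule keyed "intent_test" that records
# reads, writes, executes and attribute changes on it by logged-in users
# (auid >= 1000, excluding the unset auid 4294967295), reproduce the accesses,
# and pull the resulting records out of the audit log with ausearch.
#
# Requires: sudo; auditctl, augenrules and ausearch on PATH; auditd managed by
#           systemd (an init-script fallback is attempted for the restart).
# Writes:   ~/intent_demo (becomes cwd), /tmp/shadow_backup.txt,
#           /etc/audit/rules.d/intent.rules, ~/intent_evidence.log
# Note:     the rule file is left installed; remove it and run
#           `augenrules --load` again to return the host to its previous state.
set -euo pipefail

readonly work_dir="$HOME/intent_demo"
readonly watched_file=/tmp/shadow_backup.txt
readonly rules_file=/etc/audit/rules.d/intent.rules
readonly audit_key=intent_test
readonly evidence_log="$HOME/intent_evidence.log"

# Fail before touching anything if the audit userspace tools are missing,
# instead of dying halfway through at step 4 or 5.
for tool in auditctl augenrules ausearch; do
  command -v "$tool" >/dev/null \
    || { printf 'missing required tool: %s\n' "$tool" >&2; exit 1; }
done

# Step 1: Create a temp working directory and move into it.
# -p lets the demo be re-run without failing on an existing directory; the cd
# is checked explicitly because a silent failure would leave later relative
# paths pointing somewhere unexpected.
mkdir -p -- "$work_dir"
cd -- "$work_dir" || exit 1

# Step 2: Create a fake sensitive file (one passwd-style line, no real secret).
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' | sudo tee -- "$watched_file" > /dev/null

# Step 3: Simulate suspicious behavior BEFORE the rule exists (optional; shows
# what will NOT be logged).
cat -- "$watched_file"
sudo chmod 777 -- "$watched_file"

# Step 4: Create and install the audit rule to watch the file.
#   perm=rwxa         -> read, write, execute and attribute-change accesses
#   auid>=1000        -> only sessions that logged in as a regular user
#   auid!=4294967295  -> skip processes whose login uid was never set
#   -k intent_test    -> tag used to locate the records with ausearch below
printf '%s\n' "-a always,exit -F path=$watched_file -F perm=rwxa -F auid>=1000 -F auid!=4294967295 -k $audit_key" \
  | sudo tee -- "$rules_file" > /dev/null

# Step 5: Load the audit rules and restart auditd.
sudo augenrules --load
# Some distributions configure auditd.service to refuse a manual restart via
# systemctl; fall back to the init-script style restart in that case.
sudo systemctl restart auditd || sudo service auditd restart

# Step 6: Confirm the rule is active.
sudo auditctl -l

# Step 7: Perform suspicious actions AGAIN (after the rule is active — these
# WILL be logged).
cat -- "$watched_file"
sudo chmod 000 -- "$watched_file"

# Step 8: Search audit logs for intent evidence.
# ausearch exits non-zero when it finds no matches, so under `set -e` an empty
# result aborts the demo here rather than silently producing an empty report.
sudo ausearch -k "$audit_key"

# Step 9: (Optional) Save evidence to a log file for reporting.
# The redirection is performed by the unprivileged shell, so the file is owned
# by the invoking user and lands in their home directory.
sudo ausearch -k "$audit_key" > "$evidence_log"

# Step 10: (Optional) View the saved evidence.
cat -- "$evidence_log"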