## CYB 102 PROJECT 2 (auditd)

To begin, I established a Secure Shell (SSH) connection to the virtual machine (VM) hosted on my M1 MacBook by executing the following command:

```bash
ssh -i ~/Downloads/ubuntu_key.pem codepath@20.55.67.169
```

Given that `auditd` was downloaded during the lab session, it should already be installed on the VM. If it is not present, please refer to the initial commands provided in Lab 2.

### Retrieving the Project Files

The next step involves fetching the project files from GitHub using the `wget` command:

```bash
wget https://github.com/codepath/project2/archive/main.zip
```

After downloading, proceed to extract the contents of the zip file:

```bash
unzip main.zip
```

### Configuring Audit Rules

With the files extracted, it's necessary to add specific rules to the audit system using the `vi` editor. This can be accomplished with the following command:

```bash
sudo vi /etc/audit/rules.d/audit.rules
```

Within this file, append the rules as shown below to monitor specific activities related to the project files:

```
-w /home/codepath/project2-main/protected_files/car_sales.txt -p wa -k car_sales
-w /home/codepath/project2-main/protected_files/cloudia.txt -p wa -k cloudia
...
```

(Include all the specified paths and keys as detailed in the original instructions.)

### Restarting and Verifying the Audit Service

To apply the new rules, restart the `auditd` service:

```bash
sudo systemctl restart auditd
```

Verify that the rules have been successfully added:

```bash
sudo auditctl -l
```

### Preparing for and Executing the Attack Simulation

Ensure you are in the correct directory, which is crucial for the subsequent steps:

```bash
cd /home
```

List the directory contents to locate the `project2-main` directory, then navigate into it:

```bash
ls
cd project2-main
```

To facilitate easier command line navigation, utilize the tab key for auto-completion.
Adjust the permissions on the attack simulation files to make them executable:

```bash
chmod u+x attack-a
chmod u+x attack-b
chmod u+x attack-c
```

Execute each attack script to simulate the attack scenarios:

```bash
./attack-a
./attack-b
./attack-c
```

### Verifying the Attack and Final Steps

Finally, use the `ausearch` command to correlate each simulated attack with the respective monitoring key, thereby identifying which file was targeted:

```bash
sudo ausearch -k car_sales
sudo ausearch -k cloudia
...
```

(Continue this process for each key associated with the files.)

Congratulations on completing the setup and simulation process. Though challenging, this task is achievable with careful attention to detail.
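To make the two auditd pieces of this project concrete (the `-w ... -p wa -k <key>` watch rules and the `ausearch -k` lookup that ties a key back to the file that was touched), here is an added Python example. It is not part of the CodePath project files or of `auditd` itself. It generates watch rules in the same convention used above (key = file name without extension, directory `/home/codepath/project2-main/protected_files`), and it re-implements the core of `ausearch -k`: audit records that share the same `msg=audit(time:serial)` stamp belong to one event, the `SYSCALL` record carries the `key`, and the `PATH` record with `nametype=NORMAL` names the file. The `audit.log` lines are constructed to resemble real output for `attack-a` and `attack-b`; the PIDs, inodes, serials and timestamps are made up.

```python
"""Generate auditd watch rules and correlate audit.log records by key.

Added example for this write-up; not code from the project or from auditd.
SAMPLE_AUDIT_LOG is constructed: its pids, inodes, serials and times are invented.
"""
import os
import re
from collections import defaultdict

PROTECTED_DIR = "/home/codepath/project2-main/protected_files"
MAX_KEY_LEN = 31  # auditctl(8): a -k key may be at most 31 bytes long

# Constructed sample: event 301 is attack-a writing car_sales.txt, event 302 is
# attack-b writing cloudia.txt, event 303 is an unkeyed record from another rule.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 tty=pts0 ses=3 comm="attack-a" exe="/usr/bin/bash" key="car_sales"
type=CWD msg=audit(1700000000.101:301): cwd="/home/codepath/project2-main"
type=PATH msg=audit(1700000000.101:301): item=0 name="protected_files/" inode=1001 dev=08:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="protected_files/car_sales.txt" inode=1002 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:302): syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1235 auid=1000 uid=1000 tty=pts0 ses=3 comm="attack-b" exe="/usr/bin/bash" key="cloudia"
type=CWD msg=audit(1700000000.205:302): cwd="/home/codepath/project2-main"
type=PATH msg=audit(1700000000.205:302): item=0 name="protected_files/" inode=1001 dev=08:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.205:302): item=1 name="protected_files/cloudia.txt" inode=1003 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.309:303): syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.309:303): item=0 name="/etc/hostname" inode=2001 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def watch_rules(filenames, directory=PROTECTED_DIR, perms="wa"):
    """Return one '-w <path> -p <perms> -k <key>' line per file, key = basename sans extension.

    -p wa records writes and attribute changes only; plain reads are not logged,
    so ausearch -k will show modifying access and nothing else.
    """
    rules = []
    for name in filenames:
        key = os.path.splitext(name)[0]
        if len(key.encode()) > MAX_KEY_LEN:
            raise ValueError(f"key {key!r} exceeds {MAX_KEY_LEN} bytes")
        rules.append(f"-w {directory}/{name} -p {perms} -k {key}")
    return rules


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = float(m.group(1)), int(m.group(2))
    return rec


def group_events(log_text):
    """Group records by their serial number: one serial == one audit event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def search_key(log_text, key):
    """Return a summary for every event whose SYSCALL record carries `key` (like ausearch -k)."""
    hits = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        cwd = next((r["cwd"] for r in records if r.get("type") == "CWD"), "/")
        # The PATH item tagged NORMAL is the object actually accessed; PARENT is its directory.
        names = [r["name"] for r in records
                 if r.get("type") == "PATH" and r.get("nametype") == "NORMAL"]
        hits.append({
            "serial": serial,
            "time": syscall["_time"],
            "uid": int(syscall["uid"]),
            "comm": syscall["comm"],
            "exe": syscall["exe"],
            "success": syscall["success"] == "yes",
            "files": [os.path.normpath(os.path.join(cwd, n)) for n in names],
        })
    return hits


if __name__ == "__main__":
    print("\n".join(watch_rules(["car_sales.txt", "cloudia.txt"])))
    for key in ("car_sales", "cloudia"):
        for hit in search_key(SAMPLE_AUDIT_LOG, key):
            print(f"{key}: uid={hit['uid']} comm={hit['comm']} -> {hit['files']}")
```

Run it and compare with the real thing: `sudo ausearch -k car_sales -i` on the VM prints the same SYSCALL/CWD/PATH triple, just with names resolved. Because the rules use `-p wa`, a key with no hits means no write or attribute change was recorded against that file, not that nobody read it.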