auditd useful commands

#Adding/Modifying Rules
# Watch for files
auditctl –w /etc/yum.conf -p wa -k yum_watch
auditctl –w /usr/bin/nmap -p x -k nmap_watch
auditctl –w /etc/shadow -p rwa -k shadow_watch
# Remove a rule using auditctl
auditctl -W /etc/shadow -p rwa -k shadow_watch
# Watching for ptrace system call
auditctl -a entry,always -F arch=b64 -S ptrace -k info_scan
# Suppress 32bit clock_gettime & fstat64 system calls
-a entry,never -F arch=b32 -S clock_gettime -k clock_gettime
-a entry,never -F arch=b32 -S fstat64 -k fstat64
# Audit files opened by a specific user
auditctl -a exit,always -S open -F auid=2010
auditctl -a exit,always -F arch=b64 -F auid=2010 -F uid=2010 -F path=/etc/hosts -S open
# Audit unsuccessful attempts for multiple system calls where user id is greater than or equal to 500
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500
#Reporting/Searching
# List all rules
auditctl -l
# List status
auditctl -s
# Report on watched files. Date format is local to the server’s date format.
aureport -f
aureport -f –start 02/18/10 17:42:00
aureport -f –start 02/18/10 17:00:00 –end 02/18/10 17:10:00
aureport -f -ts this-week
aureport -f -ts today
# Search by system call
ausearch -sc ptrace -i
# Search for user id or effective user id
ausearch -ui 2010
ausearch -ue 2010
# Lists all auth attempts and their result
aureport -au
# List just logins
aureport -l
# List account modification attempts.
aureport -m
# Search events where success value is no, User id is 500 and key is nmap_watch
ausearch -sv no -ua 500 -k nmap_watch
# Search by executable
ausearch -x /usr/bin/nmap
# Search by terminal
ausearch -tm pts/0
# Search by daemon. Stuff like cron log terminal as the daemon name
ausearch -tm cron

Best Rated Mobile Apps

Best Rated Books

Top Rated Movies

Best Rated Games

You may also like