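# Adding/Modifying Rules
#
# NOTE: rules added with auditctl take effect immediately but are runtime-only
# and are lost on reboot. Persist anything you want to keep in the auditd rules
# file(s) (e.g. under /etc/audit/rules.d/) and reload the daemon. Rules are
# evaluated in order and the first match wins, so "never" (suppression) rules
# must be loaded before the "always" rules they are meant to filter.

# Watch for files (-p: r=read, w=write, x=execute, a=attribute change).
# -k tags the resulting events so ausearch/aureport can filter on the key.
auditctl -w /etc/yum.conf -p wa -k yum_watch
auditctl -w /usr/bin/nmap -p x -k nmap_watch
auditctl -w /etc/shadow -p rwa -k shadow_watch

# Remove a rule using auditctl (-W must repeat the rule exactly as it was added)
auditctl -W /etc/shadow -p rwa -k shadow_watch

# Watching for ptrace system call (debugging / code injection into other
# processes). The "entry" filter list is deprecated and rejected by current
# auditctl/kernel versions; the "exit" list is the supported equivalent.
auditctl -a exit,always -F arch=b64 -S ptrace -k info_scan

# Suppress 32bit clock_gettime & fstat64 system calls.
# The original lines were in audit.rules file syntax (no auditctl prefix); they
# are prefixed here so they work when pasted into a shell. Load them before the
# "always" rules or they have no effect (first match wins).
auditctl -a exit,never -F arch=b32 -S clock_gettime -k clock_gettime
auditctl -a exit,never -F arch=b32 -S fstat64 -k fstat64

# Audit files opened by a specific user.
# Always give -F arch=: without it auditctl warns about a 32/64-bit syscall
# mismatch and the rule only covers the native ABI. Modern libc implements
# open() via the openat syscall, so a rule on "open" alone misses most file
# opens; audit both.
auditctl -a exit,always -F arch=b64 -S open -S openat -F auid=2010
auditctl -a exit,always -F arch=b64 -F auid=2010 -F uid=2010 -F path=/etc/hosts -S open -S openat

# Audit unsuccessful attempts for multiple system calls where user id is greater
# than or equal to 500. auid is the login uid, which survives su/sudo; exit=
# matches the syscall's errno, so only denied attempts are logged. 500 was the
# first regular uid on older RHEL; newer distros start at 1000 - adjust. These
# rules cover the b32 ABI only; duplicate them with -F arch=b64 on 64-bit hosts.
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500

# Reporting/Searching

# List all rules
auditctl -l

# List status. The "enabled" value is 0 (off), 1 (on) or 2 (locked);
# `auditctl -e 2` locks the rule set until reboot so it cannot be altered,
# even by root - useful for tamper resistance once the rules are final.
auditctl -s

# Report on watched files. Date format is local to the server's date format.
aureport -f
aureport -f --start 02/18/10 17:42:00
aureport -f --start 02/18/10 17:00:00 --end 02/18/10 17:10:00
aureport -f -ts this-week
aureport -f -ts today

# Search by system call (-i interprets numeric ids/syscalls to names)
ausearch -sc ptrace -i

# Search for user id or effective user id
ausearch -ui 2010
ausearch -ue 2010

# Lists all auth attempts and their result
aureport -au

# List just logins
aureport -l

# List account modification attempts.
aureport -m

# Search events where success value is no, User id is 500 and key is nmap_watch
# (-ua matches uid, euid or auid)
ausearch -sv no -ua 500 -k nmap_watch

# Search by executable
ausearch -x /usr/bin/nmap

# Search by terminal
ausearch -tm pts/0

# Search by daemon. Stuff like cron log terminal as the daemon name
ausearch -tm cron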