#Adding/Modifying Rules

#    Watch for files 

auditctl -w /etc/yum.conf -p wa  -k yum_watch
auditctl -w /usr/bin/nmap -p x   -k nmap_watch
auditctl -w /etc/shadow   -p rwa -k shadow_watch

#    Remove a rule using auditctl 

auditctl -W /etc/shadow -p rwa -k shadow_watch

#    Watching for ptrace system call 

auditctl -a entry,always -F arch=b64 -S ptrace -k info_scan

#    Suppress 32bit clock_gettime & fstat64 system calls 

-a entry,never -F arch=b32 -S clock_gettime -k clock_gettime
-a entry,never -F arch=b32 -S fstat64 -k fstat64

#    Audit files opened by a specific user 

auditctl -a exit,always -S open -F auid=2010
auditctl -a exit,always -F arch=b64 -F auid=2010  -F uid=2010 -F path=/etc/hosts -S open

#    Audit unsuccessful attempts for multiple system calls where user id is greater than or equal to 500 

auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 

#Reporting/Searching

#    List all rules 

auditctl -l

#    List status 

auditctl -s

#    Report on watched files. Date format is local to the server's date format. 

aureport -f
aureport -f --start 02/18/10 17:42:00
aureport -f --start 02/18/10 17:00:00 --end 02/18/10 17:10:00
aureport -f -ts this-week
aureport -f -ts today

#    Search by system call 

ausearch -sc ptrace -i

#    Search for user id or effective user id 

ausearch -ui 2010
ausearch -ue 2010

#    Lists all auth attempts and their result 

aureport -au

#    List just logins 

aureport -l

#    List account modification attempts. 

aureport -m

#    Search events where success value is no, User id is 500 and key is nmap_watch 

ausearch -sv no -ua 500 -k nmap_watch

#    Search by executable 

ausearch -x /usr/bin/nmap

#    Search by terminal 

ausearch -tm pts/0

#    Search by daemon. Stuff like cron log terminal as the daemon name 

ausearch -tm cron