We can add and configure rules with the auditctl command.
Possible options are:
- -l — print out a list of existing rules
- -a — add a new rule
- -d — delete an existing rule
- -D — delete all existing rules
To create a new rule, we run a command with the following syntax:
auditctl -a <list>,<action> -S <syscall> -F <filter>
After the -a option, we enter the list we wish to add rules to. There are five kinds of lists:
- task — events related to creating new processes
- entry — events that take place on system call entrance
- exit — events that take place on system call exit
- user — events that use user space parameters
- exclude — used for excluding events
Then we enter the action to be taken when the event occurs. Here we have two options: always (enter the event in the log) or never (don’t enter the event).
After the -S option, we enter the name of the system call for which the event should be intercepted (open, close, etc.).
We can set additional filters after the -F option. For example, if we need to audit accesses to files in the /etc directory, the rule would look like the following:
$ auditctl -a exit,always -S open -F path=/etc/
We can add an extra filter:
$ auditctl -a exit,always -S open -F path=/etc/ -F perm=aw
The aw abbreviation breaks down as: a – attribute change, w – write. The filter perm=aw means that all attribute changes and writes in the /etc directory need to be tracked.
When configuring tracking for individual files, we can omit the -S option, for example:
$ auditctl -a exit,always -F path=/etc/ -F perm=aw
Restart auditd to pick up new changes from /etc/audit/rules.d/:
$ service auditd restart
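Before rules in the form above are written into a file under the rules directory and auditd is restarted, it is worth checking that every line is well-formed: a field written with a space, such as path =/etc/, is split into two arguments and is not a valid name=value pair, and one bad line prevents the whole rule set from loading. The following is an added example, not code from the original page: a POSIX shell function check_audit_rule (a hypothetical name) that validates the -a list,action pair, the -S argument and each -F field, run over a few constructed sample rules.

```shell
#!/bin/sh
# Added example, not code from the original page. Lints an auditd rule line
# of the "-a list,action -S syscall -F field=value" form before it goes into
# a rules file. Only the options covered above (-a, -S, -F) are accepted.
# Returns 0 when the rule is well-formed, 1 otherwise (reason on stderr).
check_audit_rule() {
    set -- $1                     # split the rule line into its arguments
    have_list=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -a|-A)
                list=${2%%,*}; action=${2#*,}     # page's order: list,action
                case "$list" in task|entry|exit|user|exclude) ;;
                    *) echo "unknown list '$list' in '-a $2'" >&2; return 1 ;;
                esac
                case "$action" in always|never) ;;
                    *) echo "unknown action '$action' in '-a $2'" >&2; return 1 ;;
                esac
                have_list=1; shift 2 ;;
            -S)
                [ -n "$2" ] || { echo "-S needs a syscall name" >&2; return 1; }
                shift 2 ;;
            -F)
                # a field is ONE token, name<op>value; "path =/etc/" arrives
                # here as "path" followed by "=/etc/" and is rejected
                case "$2" in
                    *=*|*"<"*|*">"*|*"&"*) ;;
                    *) echo "-F field must be name=value, no spaces: '$2'" >&2
                       return 1 ;;
                esac
                case "$2" in
                    perm=*) case "${2#perm=}" in  # perm takes only r, w, x, a
                        ""|*[!rwxa]*) echo "bad perm value in '$2'" >&2; return 1 ;;
                    esac ;;
                esac
                shift 2 ;;
            *) echo "unexpected token '$1'" >&2; return 1 ;;
        esac
    done
    [ "$have_list" -eq 1 ] || { echo "rule has no -a list,action" >&2; return 1; }
}

# Constructed sample rules: the two from the page, then two malformed ones.
for rule in '-a exit,always -S open -F path=/etc/ -F perm=aw' \
            '-a exit,always -F path=/etc/ -F perm=aw' \
            '-a exit,always -S open -F path =/etc/' \
            '-a exit,sometimes -S open'; do
    if check_audit_rule "$rule"; then echo "OK:  $rule"; else echo "BAD: $rule"; fi
done
```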