
Rules

Youtube tutorial

Default rules repo

# To restart auditd (use service, not systemctl: on RHEL-family systems the auditd unit refuses manual stop/restart)
service auditd restart

ausearch

Ausearch Docs - a tool to query audit daemon logs

Record types/Messages -m

The event type is specified in the type= field at the beginning of every Audit record.

Docs

Keys -k

Listing existing rules, including their keys

auditctl -l

You can add new keys by tagging a rule with -k. Prefix the rule with auditctl to load it at runtime (it is lost on reboot); put it in a file under /etc/audit/rules.d/ to make it persistent.

-w /path/to/file -p rwxa -k my_key

And query by them (the key must match the -k value used in the rule):

ausearch -k passwd_changes

Success value -sv

Use the -m option to select a record type and -sv to filter on the outcome (yes or no). For example, failed logins:

ausearch -m USER_LOGIN -sv no

SELinux Logs

[SELinux main]({{< ref "posts/SELinux.md#logging" >}})

Summary

Summary of which executables were run (-x), with numeric fields such as uids interpreted (-i)

aureport  -i -x --summary

Ausyscall

It maps a syscall number to its name (and a name back to its number) for a given architecture.

Example

# Response is execve on x86_64: the syscall that runs a new program, so rules keyed on it capture command execution.
# Syscall numbers are architecture-specific (59 is not execve on aarch64), so pass the arch when in doubt: ausyscall x86_64 59
ausyscall 59
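The -m, -k and -sv filters, the aureport executable summary and the ausyscall lookup above all operate on the same raw records in /var/log/audit/audit.log. The following is an added example for these notes (not code from audit-userspace) that parses a handful of constructed sample records and reimplements those four lookups in miniature, so you can see which field each option actually matches on. The syscall table is a hard-coded subset for x86_64 and aarch64, not the full tables ausyscall ships, and the log lines are invented samples.

```python
"""Mini ausearch/aureport/ausyscall over raw auditd records.

Added example for these notes, not part of audit-userspace. SAMPLE_LOG
is constructed, and SYSCALL_NAMES is a hard-coded subset of the real
tables, so treat this as an illustration of what the tools match on.
"""
import re
from collections import Counter

# Constructed sample records in audit.log format: one execve event, one
# /etc/passwd open tagged passwd_changes, one failed and one successful login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 uid=1000 auid=1000 comm="id" exe="/usr/bin/id" key="exec_cmds"
type=EXECVE msg=audit(1700000000.101:201): argc=1 a0="id"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1700000000.205:202): item=0 name="/etc/passwd" inode=1234 mode=0100644
type=USER_LOGIN msg=audit(1700000000.300:203): pid=901 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.400:204): pid=902 uid=0 auid=1000 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.8 terminal=ssh res=success'
"""

# key=value pairs; values may be single-quoted (nested msg='...'), double-quoted, or bare.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
HEADER_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)")

# Subset of syscall tables keyed by the arch= value auditd writes
# (AUDIT_ARCH_X86_64 = c000003e, AUDIT_ARCH_AARCH64 = c00000b7).
SYSCALL_NAMES = {
    "c000003e": {2: "open", 59: "execve", 257: "openat", 322: "execveat"},
    "c00000b7": {56: "openat", 221: "execve", 281: "execveat"},
}


def parse_record(line):
    """Turn one raw record into a dict; fields inside msg='...' are flattened in."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for k, v in FIELD_RE.findall(m.group(4)):
        if k == "msg" and v.startswith("'"):
            for ik, iv in FIELD_RE.findall(v[1:-1]):
                rec[ik] = iv.strip('"')
        else:
            rec[k] = v.strip('"')
    return rec


def load(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def success_of(rec):
    """Normalise the outcome to 'yes'/'no': SYSCALL records carry success=,
    USER_* records carry res=success/res=failed. -sv matches both."""
    if "success" in rec:
        return rec["success"]
    if "res" in rec:
        return "yes" if rec["res"] == "success" else "no"
    return None


def search(records, msg_type=None, key=None, success=None):
    """ausearch -m / -k / -sv in miniature: every given filter must match."""
    out = []
    for r in records:
        if msg_type and r["type"] != msg_type:
            continue
        if key and r.get("key") != key:          # only SYSCALL records carry key=
            continue
        if success and success_of(r) != success:
            continue
        out.append(r)
    return out


def syscall_name(rec):
    """ausyscall in miniature: resolve syscall= using the record's own arch=."""
    return SYSCALL_NAMES.get(rec.get("arch"), {}).get(int(rec["syscall"]), "unknown")


def exe_summary(records):
    """aureport -x --summary in miniature: count SYSCALL records per executable."""
    return Counter(r["exe"] for r in records if r["type"] == "SYSCALL")


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    for r in search(recs, key="passwd_changes"):
        print("passwd_changes:", r["exe"], syscall_name(r), "auid", r["auid"])
    for r in search(recs, msg_type="USER_LOGIN", success="no"):
        print("failed login:", r["acct"], "from", r["addr"])
    print(exe_summary(recs))
```

Two things the sample makes visible: a key only appears on the SYSCALL record, so -k will never return the companion PATH or EXECVE records unless you ask for the whole event by serial, and the login outcome lives in res= inside the quoted msg field, not in success=, which is why the success filter has to understand both.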

Logging on Linux

tripwire

Red Hat info