[Index][RHEL 7,8,9] How to monitor something using linux audit

Abstract

Link collection to "How to monitor ~~~ using audit?" KCS solutions.

Environment

• Red Hat Enterprise Linux 7, 8 and 9
• audit

Official Documents and articles of linux audit

• RHEL 7 Document
• RHEL 8 Document

• RHEL 9 Document

• RHEL Audit System Reference

auditd basics

• RHEL8/9: What is logged by default in auditd?
• How to send auditd logs to a remote log server in Red Hat Enterprise Linux

Customizing auditd

• /var/log/audit/audit.log permission to 0640
• /var/log/audit permission to 0700(or 0750)?
• How to rotate RHEL auditd log?
• Audit log rotation based on time

"How to monitor" KCS Solutions

System Call

• A specific SYSCALL

File operation

• How to monitor filesystem changes with auditd
• How to find out what executed a program or modified a file on the system

For Specific Operations:

• Permission, ownership or any other change to a particular directory or file
• File deletion
• Particular file deletion

• SUID, SGID permissions

• Changes on a specific path for remote file system

• Particular directories and file access

  • Monitor /dev/null permission change

• Events limited to a single directory

• Exclude specific users or groups when using auditd to watch files

Networking

• Network connection

Commands

• A specific command
• All commands run in the system
• All commands by a specific user
• All the commands that are run by root

For Specific commands:

• User activity for grep or egrep commands.
• chmod command
• All outgoing ssh connections
• All SSH port forwarding and X11 forwarding

System Operation

• Reboot the system
• System time changes
• Sending SIGKILL to a process
• Starts, stops, and restarts a service

Reducing audit logs

• A system call with specific flags
• Stopping audit logs for an executable.
• Exclude crond from audit logs
• Exclude specific users or groups when using auditd to watch files

Upstream documents

• Linux Audit Userspace
• Linux Audit Documentation Project