Creating Audit Rules

Create audit rules in the /etc/audit/audit.rules configuration file to collect more relevant data for analysis.

By default, auditing captures specific events such as system logins, modifications to accounts, and sudo actions. You can configure auditing to capture detailed system call activity and modifications to certain files. The kernel audit daemon (auditd) records the events that you configure, including the event type, a timestamp, the associated user ID, and whether a system call succeeded or failed.

The entries in the audit rules file, /etc/audit/audit.rules, configure which events are audited. Each rule is a line of command-line options that is passed to the auditctl command. Configure this file to match your organization's security policy.

The following are examples of rules that can be set in the /etc/audit/audit.rules file:

To record all unsuccessful exits from the open and truncate system calls for files in the /etc directory hierarchy, add the following line:

-a exit,always -S open -S truncate -F dir=/etc -F success=0

To record all files opened by a user with a UID value of 10, add the following line:

-a exit,always -S open -F uid=10

To record all files that have been modified or whose attributes were changed by any user whose login UID (auid) is 500 or greater, add the following line:

-a exit,always -S open -F auid>=500 -F perm=wa

To record write or file attribute change access to the /etc/sudoers file and tag such records with the key sudoers-change, add the following line:

-w /etc/sudoers -p wa -k sudoers-change

To record write and file attribute change access to any file in the /etc directory hierarchy, add the following line:

-w /etc/ -p wa

To lock the audit configuration so that a reboot is required before it can be changed, add the following line:

-e 2

Note:

Locking the configuration with -e 2 as the last rule in the /etc/audit/audit.rules file is considered good security practice.

For more examples of audit rules, see also the auditctl(8) and audit.rules(7) manual pages.
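The rule syntax above can be checked before the file is loaded. The following Python script is an added example, not part of this documentation or of the audit package: it parses an audit.rules file into its auditctl options, flags -F fields that lack the field<op>value form (a bare path such as -F /etc is rejected by auditctl), and reports rules that follow the -e 2 lock. The sample rules it checks are constructed from the examples above.

```python
import re
import shlex

# auditctl -F comparisons must have the form field<op>value, e.g. dir=/etc or auid>=500.
FIELD_RE = re.compile(r"^(?P<field>[a-z0-9_]+)(?P<op>=|!=|>=|<=|>|<|&=|&)(?P<value>.+)$")

# Constructed sample based on the rules shown on this page.
SAMPLE_RULES = """
# failed open/truncate under /etc
-a exit,always -S open -S truncate -F dir=/etc -F success=0
-a exit,always -S open -F uid=10
-a exit,always -S open -F auid>=500 -F perm=wa
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-e 2
"""


def parse_rule(line):
    """Split one audit.rules line into a dict of option -> list of values."""
    tokens = shlex.split(line.split("#", 1)[0])
    rule = {}
    for i in range(0, len(tokens), 2):
        opt = tokens[i]
        if not opt.startswith("-"):
            raise ValueError(f"unexpected token {opt!r} in {line!r}")
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        rule.setdefault(opt, []).append(value)
    return rule


def check_rules(text):
    """Return (parsed rules, problems) for the contents of an audit.rules file."""
    rules, problems, locked = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if locked:
            problems.append(f"line {n}: follows '-e 2'; auditctl rejects rules once locked")
        rule = parse_rule(line)
        for field in rule.get("-F", []):
            if field is None or not FIELD_RE.match(field):
                problems.append(f"line {n}: -F needs field<op>value, got {field!r}")
        if rule.get("-e") == ["2"]:
            locked = True
        rules.append(rule)
    if not locked:
        problems.append("no '-e 2' lock at the end of the file")
    return rules, problems
```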