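#!/usr/bin/env bash
# Annotated transcript of the Linux audit framework (auditd) session from the
# page: install and enable the daemon, load rules, watch a binary, query the
# log with ausearch/aureport, enable auditing at boot, then compare watch and
# syscall rule forms. The original was one collapsed line of `$ command`
# prompts interleaved with output; here each command is on its own line and
# the output that followed it is kept as a comment. All commands run as root.

# --- Install and enable the daemon (RPM-based host: 'yum' is what the page uses) ---
yum install audit
systemctl restart auditd
systemctl enable auditd
systemctl list-unit-files

# Example rule sets shipped with the package.
ls /usr/share/doc/auditd/examples
#   auditd.cron  capp.rules.gz  lspp.rules.gz  nispom.rules.gz  stig.rules.gz

# Merge the rules files and load the result into the kernel.
augenrules --load

# Rule syntax shown on the page (templates with <placeholders>, not runnable):
#   -w <path-to-file> -p <permissions> -k <keyname>
#   -a <action>,<list> -S <syscall> -F <field>=<value> -k <keyname>

# Watch the docker binary for read/write/execute/attribute access; the key
# lets the hits be pulled back out later with 'ausearch -k docker-daemon'.
auditctl -w /usr/bin/docker -p rwxa -k docker-daemon
auditctl -l
#   -w /usr/bin/docker -p rwxa -k docker-daemon

# Trigger the watch, then find the record. The page used
# 'cat audit.log | grep -i chris'; grep reads the file itself, and a keyed
# ausearch is the precise lookup (a substring match catches any line that
# happens to contain the text).
docker pull chrisbinnie/super
grep -i chris /var/log/audit/audit.log
ausearch -k docker-daemon
#   type=EXECVE msg=audit(1513507468.995:124): argc=4 a0="/bin/sh" a1="/usr/bin/docker" a2="pull" a3="chrisbinnie/super"

man ausearch

# Authentication events summarised per account.
aureport -au --summary
#   Authentication Summary Report
#   =============================
#   total  acct
#   =============================
#   366  somedude
#   21  chrisbinnie
#   16  root

# Executables run today, by count, fed from today's raw events.
ausearch --start today --raw | aureport -x --summary
#   Executable Summary Report
#   =================================
#   total  file
#   =================================
#   1223  /usr/bin/dpkg
#   591  /bin/ls
#   118  /bin/cp

# Boot timing (not audit-specific, but part of the page).
systemd-analyze
#   Startup finished in 1.026s (kernel) + 5.925s (userspace) = 6.952s
systemd-analyze blame | head -5
#   2.084s fail2ban.service
#   1.958s cloud-init.service
#   1.851s cloud-init-local.service
#   1.597s apache2.service
#   1.134s postfix.service

# Audit from the start of boot, before auditd is up. Kernel command line
# setting (goes in the GRUB defaults file):
#   GRUB_CMDLINE_LINUX="audit=1"
# Then regenerate the boot config. The page wrote 'grub-update', which is not
# the Debian/Ubuntu command — that is 'update-grub'. For the RHEL-family form
# the page redirected stdout into grub.cfg; use '-o' instead, because a shell
# redirect truncates grub.cfg before grub2-mkconfig runs, so any failure
# leaves an empty boot configuration. Use whichever matches the host.
update-grub
grub2-mkconfig -o /boot/grub2/grub.cfg

# A log record seen after the reboot on the page:
#   msg=audit(1513507481.075:145)
# The page then shows '-e 2' — presumably the last line of a rules file, which
# makes the loaded configuration immutable until the next reboot — and a
# reload that reports nothing new:
augenrules --load
#   /sbin/augenrules: No change

# Watch rules and their equivalent syscall-rule spelling, in pairs: each '-w'
# line is the same rule as the '-a always,exit' line beneath it. None of
# these carry a '-k' key on the page; adding one (as the docker rule above
# does) makes the resulting events searchable by name.
auditctl -w /etc/shadow -p wa
auditctl -a always,exit -F path=/etc/shadow -F perm=wa
auditctl -w /etc/ -p wa
auditctl -a always,exit -F dir=/etc/ -F perm=wa
# uid 0 acting under /home on objects whose owner differs from the login uid
# (auid) — presumably root touching another user's files; verify against the
# auditctl man page before relying on the comparison.
auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid

# Run a program under autrace to record its syscalls into the audit log.
autrace /bin/ls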