# Install the Linux audit framework: the auditd daemon plus the userland tools
# used in the rest of this walkthrough (auditctl, augenrules, ausearch,
# aureport, autrace). Package naming differs by distribution: "audit" on
# RHEL/CentOS/Fedora (yum/dnf), "auditd" on Debian/Ubuntu (apt). Some of the
# output captured further down (dpkg, apache2) suggests a Debian-style host was
# also used, so treat file paths in this listing as distribution-specific.
$ yum install audit


# (Re)start the daemon so the installed configuration is in effect, then enable
# it so it comes up at boot.
# NOTE(review): auditd.service is commonly shipped with RefuseManualStop=yes, so
# `systemctl restart auditd` may be refused on systemd hosts; the documented
# fallback is `service auditd restart`. A restart is also a short window in
# which nothing is audited, and once `-e 2` (below) has been loaded the rule
# set cannot be altered again without a reboot.
$ systemctl restart auditd


$ systemctl enable auditd


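# Confirm the unit is now enabled. Listing every unit file and scanning the
# result by eye is error-prone; pass the unit name so only auditd is shown
# (`systemctl is-enabled auditd` is the scriptable equivalent and exits
# non-zero when the unit is not enabled).
$ systemctl list-unit-files auditd.service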


# Sample rule sets shipped with the package. The compressed .rules files are
# compliance baselines (capp/lspp/nispom/stig) that can be uncompressed and
# dropped into /etc/audit/rules.d/ as a starting point — review them first, as
# the larger sets (stig in particular) typically generate a high event volume.
# NOTE(review): this path is distribution/version specific; on RHEL-family
# systems look under /usr/share/doc/audit*/ or /usr/share/audit/sample-rules/.
$ ls /usr/share/doc/auditd/examples
auditd.cron capp.rules.gz lspp.rules.gz nispom.rules.gz stig.rules.gz


# Merge every *.rules file under /etc/audit/rules.d/ into /etc/audit/audit.rules
# and load the result into the kernel. Rules loaded this way survive a reboot,
# unlike ad-hoc `auditctl` rules. If the set has been locked with `-e 2` (see
# below), loading changed rules is refused until the next reboot.
$ augenrules --load


# The two rule forms accepted by auditctl and by audit.rules files.
#
# File-system watch: -p takes any combination of r (read), w (write),
# x (execute) and a (attribute change); -k attaches a free-form key so the
# matching events can be pulled back with `ausearch -k <keyname>`.
-w <path-to-file> -p <permissions> -k <keyname>


# Syscall rule: <action> is always|never; <list> is the filter list (exit is
# the usual one; task, user and exclude also exist); -S names a syscall
# (repeatable, or "all"; omitting it means all syscalls); -F narrows by a field
# such as uid, auid, path, dir or perm. The -w form above is shorthand for an
# -a rule on path/dir, as the equivalent pairs near the end of this listing show.
-a <action>,<list> -S <syscall> -F <field>=<value> -k <keyname>


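# Watch the docker client binary for reads, writes, executions and attribute
# changes, keyed "docker-daemon" for later searching (`ausearch -k docker-daemon`).
$ auditctl -w /usr/bin/docker -p rwxa -k docker-daemon
# auditctl only talks to the running kernel, so this watch is gone after a
# reboot. Persist it by writing the same rule (minus "auditctl") under
# /etc/audit/rules.d/ and loading it with augenrules:
$ printf '%s\n' '-w /usr/bin/docker -p rwxa -k docker-daemon' > /etc/audit/rules.d/docker.rules
$ augenrules --load
# NOTE(review): a path watch records use of this one file only. It does not see
# clients that reach the daemon's socket by another route (a docker binary at a
# different path, curl against docker.sock), so treat it as one signal, not as
# complete coverage of container activity. Request only the permissions you
# actually need (-p x if invocations are all that matters) to limit noise.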


# List the rules currently loaded in the kernel. The output below shows the
# watch added above. This is live kernel state, not the contents of
# /etc/audit/audit.rules, so it is the right check for what is actually in
# effect — after `augenrules --load`, or to confirm a persisted rule survived a
# reboot.
$ auditctl -l


chrisbinnie ~ # auditctl -l
-w /usr/bin/docker -p rwxa -k docker-daemon


# Exercise the watch: running the docker client from a shell executes
# /usr/bin/docker, which the "x" permission on the rule above records.
$ docker pull chrisbinnie/super


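# Find the event. grep on the raw log works (the "cat |" was unnecessary), but
# matching on a username fragment is imprecise — the key set on the rule is the
# reliable selector, so the keyed ausearch form is given as well. The EXECVE
# record below is the captured hit: argv of the pull. a0 being /bin/sh suggests
# /usr/bin/docker on that host was invoked via a shell wrapper — verify on your
# own system rather than assuming.
$ grep -i chris /var/log/audit/audit.log
type=EXECVE msg=audit(1513507468.995:124): argc=4 a0="/bin/sh" a1="/usr/bin/docker" a2="pull" a3="chrisbinnie/super"
$ ausearch -k docker-daemon -i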


# ausearch is the query tool for /var/log/audit/audit.log: filter by key (-k),
# event serial (-a), pid (-p), login uid (-ua / -ui), a time window
# (--start/--end, used below) and more. -i renders uids and timestamps
# human-readably; --raw emits unmodified records for piping into aureport.
$ man ausearch


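# Per-account summary of authentication events. The counts mix successful and
# failed attempts, so a high number is not by itself a finding.
$ aureport -au --summary
Authentication Summary Report
=============================
total  acct
=============================
366  somedude
21  chrisbinnie
16  root
# When hunting for password guessing or brute-force activity, restrict the
# report to failures — that is the number worth alerting on:
$ aureport -au --failed --summary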


# Pipe today's records into aureport for a per-executable count. --raw is
# required: aureport parses audit records, not ausearch's formatted output.
# Any window can be bounded the same way with --start/--end (see `man ausearch`
# for the accepted time words); a previously unseen executable appearing in
# this list on a server is worth a closer look.
$ ausearch --start today --raw | aureport -x --summary
Executable Summary Report
=================================
total  file
=================================
1223  /usr/bin/dpkg
591  /bin/ls
118  /bin/cp


# Boot timing. Presumably included to make the point that a fair amount of
# userspace (the services `blame` lists) is already starting while auditd is
# still coming up, and whatever they do in that window goes unrecorded — the
# motivation for the audit=1 kernel parameter set next.
$ systemd-analyze
Startup finished in 1.026s (kernel) + 5.925s (userspace) = 6.952s


$ systemd-analyze blame | head -5
          2.084s fail2ban.service
          1.958s cloud-init.service
          1.851s cloud-init-local.service
          1.597s apache2.service
          1.134s postfix.service
          
          
# /etc/default/grub: audit=1 switches the kernel audit subsystem on from early
# boot, so it is already active when the first services start instead of only
# once auditd has enabled it. Append the parameter to whatever
# GRUB_CMDLINE_LINUX already contains on the host rather than replacing the
# value, then regenerate grub.cfg (next two commands, one per distribution family).
GRUB_CMDLINE_LINUX="audit=1"


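# Debian/Ubuntu: regenerate /boot/grub/grub.cfg from /etc/default/grub. The
# command is update-grub — the original listing had the words reversed, which
# is not a valid command. It is a thin wrapper around `grub-mkconfig -o ...`.
$ update-grub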


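# RHEL/CentOS/Fedora equivalent. Use -o instead of a shell redirect: the
# redirect truncates grub.cfg before grub2-mkconfig has produced a single line,
# so a failure part-way through leaves a broken boot configuration, whereas -o
# writes to a temporary file and renames it into place. On UEFI installs the
# file the firmware actually loads may live under /boot/efi/EFI/<distro>/ —
# confirm before relying on this path.
$ grub2-mkconfig -o /boot/grub2/grub.cfg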


msg=audit(1513507481.075:145)   — the event id carried by every audit record: <seconds since the epoch>.<milliseconds>:<serial>. All records produced by one event (SYSCALL, EXECVE, PATH, ...) share the same id, so `ausearch -a 145` retrieves them together; the serial restarts at boot, so it is only unique in combination with the timestamp.


# Lock the configuration: once this is loaded no rule can be added, removed or
# changed until the machine is rebooted, so an attacker who gains root cannot
# quietly strip the rules. Make it the last line of the last file augenrules
# merges (it processes /etc/audit/rules.d/*.rules in name order, so e.g. a file
# named 99-finalize.rules) and only after the rule set has been tested — a
# mistake also needs a reboot to fix.
-e 2


# Re-running the merge with nothing edited: augenrules compares the merged set
# with the existing /etc/audit/audit.rules and reports "No change" when they
# are identical. Whether it still pushes the rules to the kernel in that case
# depends on the augenrules version, so confirm with `auditctl -l` rather than
# assuming; with `-e 2` in effect any attempt to change the set fails anyway.
$ augenrules --load
/sbin/augenrules: No change


# Two spellings of the same rule: record writes and attribute changes to
# /etc/shadow. The -w watch form is shorthand for the explicit -a syscall rule
# beneath it; with no -S the syscall rule applies to all syscalls. Add a key
# (e.g. -k shadow) to whichever form you use so hits are easy to pull back
# with `ausearch -k`.
auditctl -w /etc/shadow -p wa
auditctl -a always,exit -F path=/etc/shadow -F perm=wa


# The same pair for a directory: both forms are recursive and cover every file
# beneath /etc/. Expect a considerably higher event volume than the single-file
# watch above, and key it (-k) for the same reason.
auditctl -w /etc/ -p wa
auditctl -a always,exit -F dir=/etc/ -F perm=wa


# Record anything root (uid=0) does to files under /home/ owned by an account
# other than the one that logged in: auid is the login uid, which survives
# su/sudo, and obj_uid is the owner of the object touched; -C compares two
# fields of the same event. The effect is that an admin who became root and
# reaches into another user's home directory is logged, while root working on
# files of the account it logged in as is not. No -S means all syscalls, which
# can be noisy; a -k key is advisable here too.
# NOTE(review): -C requires a reasonably recent auditctl — confirm the target
# accepts this rule before relying on it.
auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid


# Trace a single program under audit (much like strace, but the trace lands in
# audit.log); afterwards `ausearch -i -p <pid>` with the pid autrace prints
# shows it.
# NOTE(review): autrace refuses to run while other audit rules are loaded (it
# needs the rule table to itself and clears its own rules when done), so it is
# a lab/test-host tool rather than something to run on a production box — and
# it cannot be used at all once `-e 2` has locked the rule set.
$ autrace /bin/ls