[LINUX] Audit rules to monitor user activity

Monitoring 1-level directory changes

-a always,exit -F path=</path_dir> -F perm=w -k dir-to-watch

where </path_dir> is the directory to monitor. A path= rule watches the directory's own inode: you get an event when an entry is created, deleted or renamed directly in it, but not when an existing file inside it is written to, and nothing from subdirectories.

Recursively monitoring directories changes

-a always,exit -F dir=</path_dir> -F perm=w -k dirs-to-watch

where </path_dir> is the directory to monitor recursively. dir= watches everything below that path, so any write to a file under it is logged; the file's name arrives in the PATH record of the event.

Monitoring commands executed by specific users (syscall rules)

-a always,exit -F path=</path/command> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged_users
-a always,exit -F path=</path/command> -F perm=x -F gid=333 -k normal_users

where </path/command> is the command path to monitor. User and group filters need this -a ... -F path= form, because the -w shorthand takes no -F fields. auid is the login UID set at authentication and kept across su and sudo, so it attributes the execution to the person who logged in. auid>=500 assumes the UID_MIN of older Red Hat releases; Debian and current Red Hat systems start ordinary users at 1000, so check UID_MIN in /etc/login.defs. auid!=4294967295 drops processes whose login UID was never set (daemons started at boot); 4294967295 is -1 as an unsigned 32-bit value, and auditctl also accepts auid!=-1. An event is tagged with the key of the first rule that matches it, so with both rules loaded a member of group 333 whose login UID is above the threshold shows up under privileged_users, not normal_users.

Monitoring commands executed by all users (FS rules)

-w </path/command> -p x

where </path/command> is the command path to monitor. -w <path> -p x is shorthand for -a always,exit -F path=<path> -F perm=x; it cannot carry user or group filters, and a -w watch placed on a directory is recursive (the same as -F dir=).

Excluding specific audit types, e.g. CWD and PATH

-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=PATH

These cut log volume, but at a price: the PATH record is what names the file that triggered a directory watch (and the binary in an execution event), and CWD is what relative names in EXECVE and PATH records are resolved against. Drop them only if you do not need that context.

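The rules above combined into one rules.d fragment, plus a look at the records they produce. This is an added example written for these notes, not something from the original, and the paths, the group id and the audit.log lines in it are constructed. It takes UID_MIN from /etc/login.defs instead of assuming 500, and its summarize_key function joins each SYSCALL record with the EXECVE record of the same event serial, so you can read which user ran which command line, which is roughly what ausearch -k <key> -i shows on the live log.

```shell
#!/bin/sh
# Added example, not part of the original notes: builds the rules above into
# one rules.d fragment, taking UID_MIN from login.defs instead of the
# hard-coded 500, and summarizes what the resulting records look like.
# Paths, keys, the group id and the audit.log lines below are constructed.

# Print UID_MIN from a login.defs file; default to 1000 if the file is
# missing or the value is not numeric.
uid_min_from() {
    v=$(awk '$1 == "UID_MIN" { print $2 }' "$1" 2>/dev/null | tail -n 1)
    case "$v" in
        ''|*[!0-9]*) echo 1000 ;;
        *) echo "$v" ;;
    esac
}

# Emit a rules fragment: DIR watched recursively for writes, CMD execution
# by logged-in users (auid >= UID_MIN and set) and by group GID, and the
# CWD/PATH record types dropped. Rule order is match order in the kernel:
# an event gets the key of the first rule that matches it.
gen_audit_rules() {
    dir="$1"; cmd="$2"; gid="$3"; uid_min="$4"
    printf '%s\n' \
        "-a always,exit -F dir=$dir -F perm=w -k dirs-to-watch" \
        "-a always,exit -F path=$cmd -F perm=x -F auid>=$uid_min -F auid!=4294967295 -k privileged_users" \
        "-a always,exit -F path=$cmd -F perm=x -F gid=$gid -k normal_users" \
        "-a always,exclude -F msgtype=CWD" \
        "-a always,exclude -F msgtype=PATH"
}

# Constructed audit.log excerpt: a sudo run by a logged-in user, a sudo run
# from a cron job with no login session (auid unset) in group 333, and a
# write under the watched directory. No CWD/PATH records, since the exclude
# rules would drop them.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="privileged_users"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="sudo" a1="id"
type=PROCTITLE msg=audit(1700000000.101:501): proctitle=7375646F006964
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=3000 pid=3001 auid=4294967295 uid=34 gid=333 euid=0 suid=0 fsuid=0 egid=333 sgid=333 fsgid=333 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key="normal_users"
type=EXECVE msg=audit(1700000000.202:502): argc=3 a0="sudo" a1="-u" a2="backup"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=1 a2=241 a3=1b6 items=2 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim" key="dirs-to-watch"
EOF
}

# Join SYSCALL records carrying KEY with the EXECVE record of the same event
# serial (the number after the colon in msg=audit(ts:serial)) and print
# "serial auid exe argv", one event per line. Reads an audit.log on stdin.
# Only quoted EXECVE arguments are handled; arguments audit hex-encodes
# (those containing spaces or control characters) are printed as-is.
summarize_key() {
    awk -v want="$1" '
        {
            ev = $0
            sub(/.*msg=audit\([0-9]+\.[0-9]+:/, "", ev)
            sub(/\).*/, "", ev)
        }
        $1 == "type=SYSCALL" && index($0, "key=\"" want "\"") {
            auid = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^exe=/)  { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            sc[ev] = auid " " exe
        }
        $1 == "type=EXECVE" {
            argv = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^a[0-9]+=/) {
                    v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                    argv = argv (argv == "" ? "" : " ") v
                }
            }
            ex[ev] = argv
        }
        END {
            for (e in sc) {
                line = e " " sc[e]
                if (e in ex) line = line " " ex[e]
                print line
            }
        }
    ' | sort -n
}

# Demo on the constructed data (no root needed). Installing for real:
#   gen_audit_rules ... > /etc/audit/rules.d/50-users.rules && augenrules --load
gen_audit_rules /srv/www /usr/bin/sudo 333 "$(uid_min_from /etc/login.defs)"
sample_log | summarize_key privileged_users
```

Save the output of gen_audit_rules as a file under /etc/audit/rules.d/, run augenrules --load, and confirm with auditctl -l. Note the second sample event: the cron job runs the command with group 333 but no login UID, so it fails the auid filter of the first rule and lands under normal_users; the same command run by someone who logged in is attributed to privileged_users regardless of group.
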
[LINUX] Add new APT repository

Adding a new APT repository to a Debian-based distro can be done by running the following two commands:

~$ wget -O - <url_key> | sudo apt-key add -
~$ sudo wget -O /etc/apt/sources.list.d/<source>.list <url_source_list>

where:
<url_key> is the URL of the key
<source> is the name of the source
<url_source_list> is the URL of the remote source list file

The first command downloads the repository's signing key and adds it to APT's trusted keyring, while the second adds the repository as a new source list file. Two caveats: a key added with apt-key is trusted for every configured repository, not only this one, and apt-key is deprecated (Debian 11 and Ubuntu 22.04 already warn about it), so on current releases put the key in its own file under /etc/apt/keyrings and reference it from the source entry with a signed-by option instead. Read the downloaded .list file before updating, since it decides which hosts APT will fetch packages from.

Now refresh the package index with the usual command:

~$ sudo apt-get update
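The same two steps done the way current Debian and Ubuntu releases expect, as an added example that is not part of the original notes: the key goes into its own file under /etc/apt/keyrings and the sources entry references it with signed-by, so the key can only verify this repository. The repository name, URLs and suite below are placeholders; is_armored and source_entry run offline, the functions that download and install need root, curl and gpg.

```shell
#!/bin/sh
# Added example, not part of the original notes: per-repository keyring plus
# a signed-by sources entry instead of apt-key, which would trust the key
# for every configured repository. Names, URLs and the suite are placeholders.

# Return 0 if FILE is an ASCII-armored OpenPGP key (APT needs it dearmored
# into binary keyring format), 1 if it is already binary.
is_armored() {
    grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"
}

# Print the sources.list line pinning the repository to KEYRING.
source_entry() {
    keyring="$1"; url="$2"; suite="$3"; components="$4"; arch="$5"
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' \
        "$arch" "$keyring" "$url" "$suite" "$components"
}

# Download KEY_URL into KEYRING_DIR/NAME.gpg in binary form. The file is
# chmod'ed to 0644 because mktemp creates it 0600 and the unprivileged _apt
# user must be able to read the keyring. Needs root, curl and gpg.
install_repo_key() {
    name="$1"; key_url="$2"; dir="${3:-/etc/apt/keyrings}"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$key_url" -o "$tmp"; then rm -f "$tmp"; return 1; fi
    install -d -m 0755 "$dir"
    if is_armored "$tmp"; then
        gpg --dearmor < "$tmp" > "$dir/$name.gpg"
    else
        cp "$tmp" "$dir/$name.gpg"
    fi
    chmod 0644 "$dir/$name.gpg"
    rm -f "$tmp"
}

# Whole procedure: key, sources entry, package index refresh. Needs root.
add_repo() {
    name="$1"; key_url="$2"; url="$3"; suite="$4"; components="$5"
    install_repo_key "$name" "$key_url" || return 1
    source_entry "/etc/apt/keyrings/$name.gpg" "$url" "$suite" "$components" \
        "$(dpkg --print-architecture)" > "/etc/apt/sources.list.d/$name.list"
    apt-get update
}

# Demo of the offline part (no root or network needed):
source_entry /etc/apt/keyrings/example.gpg https://deb.example.org/apt stable main amd64
# Real use, as root:
#   add_repo example https://deb.example.org/key.asc https://deb.example.org/apt stable main
```

Compared with the two-command version above, the resulting entry names both the architecture and the keyring, so a compromised or misconfigured mirror for this repository cannot serve packages signed by a key you trust for some other repository, and a key that turns out to be ASCII-armored is converted rather than silently rejected by APT at update time.
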