[LINUX] Audit rules to monitor user activity

Monitoring changes in a single directory (one level, non-recursive)

-a always,exit -F path=</path_dir> -F perm=w -k dir-to-watch

where </path_dir> is the directory you’d like to monitor.

Recursively monitoring directory changes

-a always,exit -F dir=</path_dir> -F perm=w -k dirs-to-watch

where </path_dir> is the path you’d like to recursively monitor.

Monitoring commands executed by specific users (syscall rules)

-a always,exit -F path=</path/command> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged_users
-a always,exit -F path=</path/command> -F perm=x -F gid=333 -k normal_users

where </path/command> is the command path you’d like to monitor.

Monitoring commands executed by all users (file system rules)

-w </path/command> -p x

where </path/command> is the command path you’d like to monitor.

Excluding specific audit types, e.g. CWD and PATH

-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=PATH
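
Added example (not part of the original page): a small Python triage script that groups raw audit.log SYSCALL records by the -k keys used in the rules above. With CWD and PATH excluded, the SYSCALL record is what still carries the key, auid and exe. The sample records are constructed, and the names parse_record and summarize are hypothetical.

```python
import re
from collections import defaultdict

UNSET_AUID = 4294967295  # loginuid never set (daemons, boot-time processes)
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed, abbreviated sample records (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 gid=0 comm="sudo" exe="/usr/bin/sudo" key="privileged_users"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1700000005.300:202): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 gid=1001 comm="touch" exe="/usr/bin/touch" key="dirs-to-watch"
type=SYSCALL msg=audit(1700000009.750:203): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 gid=333 comm="sudo" exe="/usr/bin/sudo" key="normal_users"
type=SYSCALL msg=audit(1700000012.000:204): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
"""

def parse_record(line):
    """Split one raw record into (type, event_id, fields); None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    return m.group(1), int(m.group(3)), fields

def summarize(lines):
    """Group keyed SYSCALL records by rule key as (event_id, auid, exe)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] != "SYSCALL":
            continue
        _, event_id, f = rec
        key = f.get("key", "(null)")
        if key == "(null)":
            continue  # event was not produced by a keyed rule
        auid = int(f["auid"])
        # The gid=333 rule has no auid filter, so unset login UIDs can appear.
        who = "unset" if auid == UNSET_AUID else auid
        hits[key].append((event_id, who, f.get("exe")))
    return dict(hits)

if __name__ == "__main__":
    for key, events in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, events)
```

The FS rule shown above has no -k option, so its events appear with key=(null) and are skipped by this script.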