I apologize, but I am not sure how to go about determining the appropriate syscalls to use for various audit goals.

I know that recently I learned to use the ausyscall --dump command to list the syscalls; but apparently I misunderstood/misinterpreted the purpose of 1 or 2 of the syscalls and had to be corrected (thanks Steve).

Anyway, my organization has a goal to audit several things, of which I know how to manage most; for example:

  1. File & Object                                    | -p flag
  • Creation (Success/Failure)                        |  w
  • Access (Success/Failure)                          |  r
  • Deletion (Success/Failure)                        |  w
  • Content Modification (Success/Failure)            |  a
  • Permission Modification (Success/Failure)         |  a
  • Ownership Modification (Success/Failure)          |  a
For these I would have used a watch (-w) rule and set the -p flags to r, w or a as shown above.  From what I understand though (correct me if I am wrong, Steve), we should be getting away from the watch rules and move towards syscall rules using -F path=/path/to/file, or -F path=/path/to/several_files/ -- is this correct, both for RHEL6 and RHEL7?

Also, I need to audit (Success/Failure) for the following sort of things:
Authentications
Logons
Logoffs

Writes/downloads to external devices/media
Uploads from external devices/media (such as DVD, thumbdrive, etc.)

User & Group events
User:  Creation, deletion, Modification, suspending/locking
Group/Role:  Creation, deletion, modification

Use of Privileged/Special Rights events (such as sudo, su, etc.)
Printing to a print-device
Printing to a file

Thanks in advance for any steering someone could provide to get me moving in the correct direction.

--------------------------
Warron French
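Added example, not part of Warron's post or of any list reply: a small POSIX sh helper that turns the File & Object table into audit.rules lines in both styles the post compares, the legacy -w/-p watch form and the syscall-rule form with -F path= (one file) or -F dir= (a directory tree) plus -F perm=, with the Success/Failure split expressed as -F success=1 / -F success=0. The paths and key names are constructed for illustration; -F perm= is the documented syscall-rule counterpart of -p and needs no -S list because the kernel selects the matching syscalls.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates audit.rules
# lines for the "File & Object" goals in both styles discussed:
#   - legacy watch rules:               -w PATH -p PERMS -k KEY
#   - syscall rules with a path filter: -a always,exit -F path=... -F perm=...
# -F perm= takes the same r/w/x/a letters as -p and the kernel picks the
# matching syscalls, so no -S list is required. A trailing slash on PATH is
# taken to mean "a directory tree", which needs -F dir= (recursive) rather
# than -F path= (a single object). Paths and keys below are constructed.

# watch_rule PATH PERMS KEY -> one -w rule
watch_rule() {
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# syscall_rule PATH PERMS KEY [EXTRA_FILTERS] -> one -a always,exit rule
syscall_rule() {
    case $1 in
        */) filter="dir=${1%/}" ;;   # directory: strip the slash, cover the subtree
        *)  filter="path=$1" ;;      # single file or object
    esac
    printf '%s\n' "-a always,exit -F $filter -F perm=$2${4:+ $4} -k $3"
}

# outcome_rules PATH PERMS KEY -> the same rule split into a success record
# and a failure record, each under its own key so ausearch -k finds them apart
outcome_rules() {
    syscall_rule "$1" "$2" "${3}_ok"   "-F success=1"
    syscall_rule "$1" "$2" "${3}_fail" "-F success=0"
}

# rules_fragment -> a fragment covering a few objects, with the -p/-F perm
# letters chosen per the goals in the post (constructed paths and keys)
rules_fragment() {
    outcome_rules /etc/passwd     wa identity
    outcome_rules /etc/shadow     r  shadow_read
    syscall_rule  /etc/sudoers.d/ wa sudoers
    watch_rule    /etc/audit/auditd.conf wa auditconf   # legacy form, for comparison
}

rules_fragment
```

Pipe the output into a file under /etc/audit/rules.d/ and load it with augenrules or auditctl -R; the generator itself never calls auditctl, so it can be reviewed on any host.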