audit readme

services/audit-framework/README.md

@@ -0,0 +1,39 @@
+# Audit Framework
+
+## Kernel
+
+To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
+
+## Userspace
+
+* Install the `audit` package, enable and start the `auditd.service`.
+* The config file is `auditd.conf`.
+* The rules are defined in `/etc/audit/audit.rules`.
+* `auditctl` can be used to edit rules on the fly.
+* `ausearch` and `aureport` are used to summarize and view data.
+
+
+## Rules
+
+* Read from `/etc/audit/auditd.rules`
+
+* If for example `/etc/audit/rules.d/syscalls.rules` is the sort of structure being followed,
+  `augenrules` is used to merge all the component rules files.
+    * It is recommended to run first with the `--check` flag and `--load` can be used if there were no errors found.
+    * The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.
+
+* rulesets:
+    * syscalls
+        * format: `-a action,list -S syscall -F field=value -k keyname`
+    * files
+        * format: `-w path-to-file -p permissions -k keyname`
+    * ..?
+
+
+
+## Further Reading
+
+* `man` pages (list here)
+* archwiki article
+* syscalls docs
+* update the format for rules

services/audit-framework/audit.md

@@ -1,13 +0,0 @@
-# Audit Framework
-
-## Kernel
-
-To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
-
-## Userspace
-
-* Install the `audit` package, enable and start the `auditd.service`.
-* The config file is `auditd.conf`.
-* The rules are defined in `/etc/audit/audit.rules`.
-* `auditctl` can be used to edit rules on the fly.
-* `ausearch` and `aureport` are used to summarize and view data.