I am trying to get through auditd and it confuses me sometimes. For example, if I want to monitor if the owner of a file changes, I would use something like
-a always,exit -F path=/home/user/test.txt -S chmod -k changed
But I have seen that there are different chmod system calls, fchmod, fchmodat. Would I need to specify all of them? Or is one of them enough?
I (somewhat) realise the difference from a programming point of view, but is this relevant for auditd?
For example, if I use chmod, can it still happen that the owner is changed without auditd noticing it?
Or another example: Deleting a directory. rmdir, unlink, unlinkat.
What should I choose?
Thanks!
If you really want to implement security auditing then yes you should audit all these system calls.
For example, if you read the openSCAP Security Guide for RHEL 7 you'll see that you should audit fchown, fchownat, lchown, chmod, fchmod, etc.
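As an added example (not code from either poster): a small POSIX sh script that checks an audit rules file for whole-family coverage of the syscalls discussed above, reports the members no rule names, and prints a rule that closes each gap. It assumes auditctl rule syntax and an x86_64 host (arch=b64); the rules file it checks is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original thread: checks an audit rules file for whole-family
# coverage of the syscalls discussed above and prints a rule that closes each gap.
# Assumes auditctl syntax (-a ... -S name,name -F path=...) and an x86_64 host (arch=b64).

# Each family changes the same thing by a different route: by path, by file descriptor,
# or relative to a directory fd. A rule naming only one member misses the others.
MODE_FAMILY="chmod fchmod fchmodat"
OWNER_FAMILY="chown fchown fchownat lchown"
DELETE_FAMILY="unlink unlinkat rmdir rename renameat"

# list_audited_syscalls RULES_FILE: every syscall named by a -S option, one per line.
list_audited_syscalls() {
    grep -E '^[[:space:]]*-a ' "$1" | tr ' \t' '\n\n' |
        awk 'prev == "-S" { gsub(",", "\n"); print } { prev = $0 }'
}

# missing_syscalls RULES_FILE "member ...": family members that no rule in the file audits.
missing_syscalls() {
    audited=$(list_audited_syscalls "$1")
    for sc in $2; do
        printf '%s\n' "$audited" | grep -qx "$sc" || printf '%s\n' "$sc"
    done
}

# family_rule PATH KEY "member ...": one rule covering the whole family for PATH.
# -F arch pins the syscall table the names resolve against (auditctl warns when it is
# absent); add a matching arch=b32 rule if 32-bit binaries run on the host.
family_rule() {
    printf -- '-a always,exit -F arch=b64 -S %s -F path=%s -k %s\n' \
        "$(printf '%s' "$3" | tr ' ' ',')" "$1" "$2"
}

# Demo with a constructed rules file holding only the question's rule.
rules=$(mktemp)
printf '%s\n' '-a always,exit -F path=/home/user/test.txt -S chmod -k changed' > "$rules"
echo "mode syscalls not audited:  $(missing_syscalls "$rules" "$MODE_FAMILY" | tr '\n' ' ')"
echo "owner syscalls not audited: $(missing_syscalls "$rules" "$OWNER_FAMILY" | tr '\n' ' ')"
echo "delete syscalls not audited: $(missing_syscalls "$rules" "$DELETE_FAMILY" | tr '\n' ' ')"
echo "suggested rules:"
family_rule /home/user/test.txt perm_change "$MODE_FAMILY"
family_rule /home/user/test.txt owner_change "$OWNER_FAMILY"
rm -f "$rules"
```

After loading the suggested rules, confirm coverage by changing the file through each route (chmod, fchmod, fchmodat) and checking that `ausearch -k perm_change` shows an event for every one.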