| Syscall Name | Rule | Description | Audit Implication | Recommendation for Tactical System |
|---|---|---|---|---|
| chmod, fchmod | -a entry,always -S chmod -S fchmod | chmod changes the permissions of each given file according to mode, which can be either a symbolic representation of the changes to make or an octal number representing the bit pattern for the new permission | Monitors changes to file permissions | Audit all |
| chown, chown32, fchown, fchown32, lchown, lchown32 | -a entry,always -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32 | chown changes the user and/or group ownership of each given file | Monitors changes to file ownership. Note: enable the *32 rules only if you are running on i386 or s390. Do not use them on x86_64, ia64, ppc, ppc64, or s390x. | Audit all |
| creat, open | -a entry,always -S creat -S open | Opens and possibly creates files or devices | Monitors all file accesses occurring on the system. WARNING: implementing this rule will produce large amounts of audit data. Ensure the audit partition and log retention facilities can handle that volume before implementing this rule. | Audit failures only |
| truncate, truncate64, ftruncate, ftruncate64 | -a entry,always -S truncate -S truncate64 -S ftruncate -S ftruncate64 | Truncates a file to a specified length | Monitors file content modification. Note: enable the *64 rules if you are running on i386, ppc, ppc64 or s390. Do not use them on x86_64, ia64, or s390x. | Audit all |
| unlink, link, symlink, rename | -a entry,always -S unlink -S link -S symlink -S rename | Used to move, link or delete files | Monitors file moving, removing, and linking | Audit all |
| mknod | -a entry,always -S mknod | Creates block or character special files | Monitors the creation of special files | Audit all |
| mount, umount, umount2 | -a entry,always -S mount -S umount -S umount2 | Mounts or unmounts a file system | Monitors the mounting or unmounting of file systems. Note: on x86_64, disable the umount rule. On ia64, disable the umount2 rule. | Audit all |
| clone, clone2, fork, vfork | -a entry,always -S clone -S clone2 -S fork -S vfork | Creates child processes | Monitors the creation of child processes. Note: on ia64, disable fork and vfork and enable clone2. WARNING: implementing this rule will produce large amounts of audit data. Ensure the audit partition and log retention facilities can handle that volume before implementing this rule. | Off |
| umask | -a entry,always -S umask | Sets the user file creation mask | Monitors changes to umask settings | Audit all |
| adjtimex, settimeofday | -a entry,always -S adjtimex -S settimeofday | Changes the system time | Monitors changes to the system time | Audit all |
| reboot | -a entry,always -S reboot | Reboots the system or enables/disables Ctrl-Alt-Del | Monitors system reboots | Audit all |
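The per-architecture notes in the table (the *32 and *64 variants, the umount/umount2 split, clone2 versus fork/vfork on ia64) are easy to get wrong when the rules are copied by hand, so here is an added example, not part of the original page, that generates the table's rule set for a given `uname -m` value with those notes applied and the recommendations honoured. The "Audit failures only" recommendation for creat/open is expressed with the auditctl field `-F success=0`, and the "off" clone/fork rule is emitted commented out. The function name `audit_rules` and the handling of i486/i586/i686 as i386 are this example's own assumptions.

```shell
#!/bin/sh
# Added example: emit the table's syscall audit rules for one architecture.
# Usage: audit_rules ARCH   where ARCH is what `uname -m` prints
#        (x86_64, i686, ia64, ppc, ppc64, s390, s390x).
audit_rules() {
    arch="$1"

    # Table note: *32 chown variants only on i386 (i?86 here) or s390.
    case "$arch" in
        i?86|s390) chown32=yes ;;
        *)         chown32=no ;;
    esac
    # Table note: *64 truncate variants only on i386, ppc, ppc64 or s390.
    case "$arch" in
        i?86|ppc|ppc64|s390) trunc64=yes ;;
        *)                   trunc64=no ;;
    esac

    echo "-a entry,always -S chmod -S fchmod"

    chown_rule="-a entry,always -S chown -S fchown -S lchown"
    if [ "$chown32" = yes ]; then
        chown_rule="$chown_rule -S chown32 -S fchown32 -S lchown32"
    fi
    echo "$chown_rule"

    # "Audit failures only": -F success=0 keeps only calls that returned an error,
    # which is what keeps this rule from flooding the log.
    echo "-a entry,always -S creat -S open -F success=0"

    trunc_rule="-a entry,always -S truncate -S ftruncate"
    if [ "$trunc64" = yes ]; then
        trunc_rule="$trunc_rule -S truncate64 -S ftruncate64"
    fi
    echo "$trunc_rule"

    echo "-a entry,always -S unlink -S link -S symlink -S rename"
    echo "-a entry,always -S mknod"

    # Table note: no umount rule on x86_64, no umount2 rule on ia64.
    mount_rule="-a entry,always -S mount"
    if [ "$arch" != x86_64 ]; then mount_rule="$mount_rule -S umount"; fi
    if [ "$arch" != ia64 ];   then mount_rule="$mount_rule -S umount2"; fi
    echo "$mount_rule"

    # Recommendation is "off": document the rule but leave it inactive.
    # Table note: ia64 uses clone2 instead of fork/vfork.
    if [ "$arch" = ia64 ]; then
        clone_rule="-a entry,always -S clone -S clone2"
    else
        clone_rule="-a entry,always -S clone -S fork -S vfork"
    fi
    echo "# off: $clone_rule"

    echo "-a entry,always -S umask"
    echo "-a entry,always -S adjtimex -S settimeofday"
    echo "-a entry,always -S reboot"
}

# Stand-alone use: ./audit_rules.sh "$(uname -m)" > /etc/audit/rules.d/tactical.rules
if [ $# -gt 0 ]; then
    audit_rules "$1"
fi
```

Load the generated file with `auditctl -R` (or `augenrules --load` where rules live under /etc/audit/rules.d/) and confirm with `auditctl -l`. Two caveats for current systems: recent auditctl releases have dropped the syscall `entry` list, so the rules must be written as `-a always,exit ...` instead of `-a entry,always ...`; and on 64-bit kernels that also run 32-bit binaries, each rule should be pinned with `-F arch=b64` or `-F arch=b32`, because syscall numbers differ between the two ABIs and an unpinned rule is resolved against only one of them.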