This may be faster and also a better way to summarize and share with others.
I will list the AUDIT(test#letter) and then, below it, the Method of implementation. If that field is marked in green, it has been validated by someone
from linux-audit@redhat.com (Steve Grubb, for example), and the text provided will answer the question for other sysadmins with similar requirements (on a per-test#letter basis).


I am presenting what I need to know how to audit, in hopes to elicit a response of "BUILTIN" or a link or some text that clarifies what to do:

AUDIT(A): Logons/Logoffs (success/failure)
Method of implementation:  Builtin to AUDITD (enable auditd)

AUDIT(B): User {additions, deletions, modifications, suspensions and lockings}
Method of implementation:  Builtin to AUDITD (enable auditd)

AUDIT(C): Group and Role {additions, deletions and modifications}
Method of implementation:  Builtin to AUDITD (enable auditd)

AUDIT(D): Security or Audit Policies
Method of implementation:

AUDIT(E): Configuration Changes (please be patient with me, as I believe this is way too broad a definition from my security people; however, there is a field from aureport called "Number of changes in configuration:" too).
Method of implementation:
Can this be done by:
    -w /etc/ -p raw -k config_changes
Even this seems too broad a solution, and I don't believe it will capture the essence of AUDIT(E).

AUDIT(F): Admin/Root-level accesses
Method of implementation:
Can this be done by:
    -w /bin/su -p x -k running_as_root
    -w /bin/sudo -p x -k running_as_root
    -w /sbin/runuser -p x -k running_as_root

AUDIT(G): Privilege/Role Escalation (I need to ask how this differs from AUDIT(F) from my management/security people)
Method of implementation:

AUDIT(H): System reboot/shutdown/change run-state
Method of implementation:
Can this be done by:
    -w /sbin/init -p x -k run_state
    -w /sbin/telinit -p x -k run_state
    -w /sbin/shutdown -p x -k run_state
    -w /sbin/reboot -p x -k run_state
    etc.. etc.. etc..

AUDIT(I): Application Initialization (seems way too vague to me, don't you all agree?)
Method of implementation:

AUDIT(J): Writes/Downloads to external devices (thumb drives, media (like DVDs/CDs), etc.)
Method of implementation:
Can this be done by:
    -a .... -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=4294967295 -k mount_datawrite_operations
If not, what do I use?

AUDIT(K): Print to a device or file
Method of implementation:

AUDIT(L): Audit data and log data access (never mind, this would kill a system - correct, unless I limit monitoring to audit.log.*)
Method of implementation:

AUDIT(M): Device attach/detach mount/dismount (Perhaps this would catch 1 or more than 1 individual doing something devious as a team in conjunction with AUDIT(J)?)
Method of implementation:


Thank you for your vast patience and cooperation.
--------------------------
Warron French
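Added example, not code from the post above or from the linux-audit list: a small Python linter for auditctl rule lines, run over the rules the post proposes for AUDIT(E), (F), (H) and (J). It catches the mistakes that most often bite when a requirements list like this one is turned into a rule set: the incomplete `-a ....` in the (J) rule, the read watch on all of /etc/ that makes the (E) rule so noisy, invalid `-p` letters, syscall rules without `-F arch=` or an auid filter, and `-k` keys over the 31-byte limit auditctl enforces. The rule set `POSTED_RULES` is copied from the post; the corrected (J) line in the usage note, the default of all four permissions when `-p` is omitted, and the `to_rules_file` layout are assumptions marked in the comments.

```python
"""Lint auditctl rule lines before dropping them into /etc/audit/rules.d/.

Added example, not code from the post or the linux-audit list.  It checks the
rules proposed in the post (E, F, H, J) for the mistakes that most often bite
when building a rule set against a requirements list like the one above.
"""
import shlex

VALID_PERMS = set("rwxa")          # the only letters auditctl -p accepts
MAX_KEY_LEN = 31                   # auditctl rejects -k keys longer than this
LISTS = {"task", "exit", "user", "exclude", "filesystem"}
ACTIONS = {"always", "never"}


def parse_rule(rule):
    """Tokenize one auditctl line into {flag: value}; -S and -F may repeat."""
    toks = shlex.split(rule)
    opts = {"S": [], "F": []}
    for i in range(0, len(toks), 2):
        flag = toks[i]
        if not flag.startswith("-") or i + 1 >= len(toks):
            raise ValueError(f"malformed option near {flag!r}")
        if flag[1:] in ("S", "F"):
            opts[flag[1:]].append(toks[i + 1])
        else:
            opts[flag[1:]] = toks[i + 1]
    return opts


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means it looks clean."""
    if "...." in rule:
        return ["incomplete: replace '....' with the action and list, e.g. '-a always,exit'"]
    try:
        o = parse_rule(rule)
    except ValueError as exc:
        return [f"parse error: {exc}"]
    findings = []
    key = o.get("k")
    if key is None:
        findings.append("no -k key: you will not be able to pull these events with 'ausearch -k'")
    elif len(key) > MAX_KEY_LEN:
        findings.append(f"key {key!r} is longer than {MAX_KEY_LEN} bytes; auditctl rejects it")
    if "w" in o:                                   # file/directory watch
        perms = o.get("p", "rwxa")                 # assumed: all four when -p is omitted
        bad = set(perms) - VALID_PERMS
        if bad:
            findings.append(f"invalid -p letters {''.join(sorted(bad))!r}; only r, w, x, a are accepted")
        if o["w"].endswith("/") and "r" in perms:
            findings.append(f"read watch on directory {o['w']}: every open() under it is logged; "
                            "use -p wa to log only changes")
    elif "a" in o:                                 # syscall rule
        parts = set(o["a"].split(","))
        if not (parts & ACTIONS) or not (parts & LISTS):
            findings.append(f"-a {o['a']!r} is not an action,list pair such as always,exit")
        if o["S"] and not any(f.startswith("arch=") for f in o["F"]):
            findings.append("syscall rule without -F arch=: only the native ABI is matched; "
                            "add a b32 twin on bi-arch hosts")
        if o["S"] and not any(f.startswith("auid") for f in o["F"]):
            findings.append("no auid filter: add -F auid>=1000 -F auid!=4294967295 to drop daemon noise")
    else:
        findings.append("neither a -w watch nor an -a syscall rule")
    return findings


# Rules as proposed in the post for AUDIT(E), (F), (H) and (J), copied verbatim.
POSTED_RULES = {
    "E": ["-w /etc/ -p raw -k config_changes"],
    "F": ["-w /bin/su -p x -k running_as_root",
          "-w /bin/sudo -p x -k running_as_root",
          "-w /sbin/runuser -p x -k running_as_root"],
    "H": ["-w /sbin/init -p x -k run_state",
          "-w /sbin/telinit -p x -k run_state",
          "-w /sbin/shutdown -p x -k run_state",
          "-w /sbin/reboot -p x -k run_state"],
    "J": ["-a .... -F arch=b64 -S mount -S umount2 -F auid>=1000 "
          "-F auid!=4294967295 -k mount_datawrite_operations"],
}


def lint_ruleset(rules_by_req):
    """Lint every rule of every requirement; returns {req: [(rule, findings), ...]}."""
    return {req: [(r, lint_rule(r)) for r in rules]
            for req, rules in rules_by_req.items()}


def to_rules_file(rules_by_req):
    """Render the clean rules as a rules.d fragment (assumed layout): one
    '## AUDIT(X)' comment per requirement; rules with findings are left out."""
    lines = []
    for req, rules in rules_by_req.items():
        clean = [r for r in rules if not lint_rule(r)]
        if clean:
            lines.append(f"## AUDIT({req})")
            lines.extend(clean)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for req, results in lint_ruleset(POSTED_RULES).items():
        for rule, findings in results:
            print(f"[{'OK ' if not findings else 'FIX'}] AUDIT({req}): {rule}")
            for f in findings:
                print(f"        - {f}")
    print(to_rules_file(POSTED_RULES))
```

Running it flags the (E) watch for logging every read under /etc/ and the (J) rule as incomplete, and passes the (F) and (H) watches. Filling the (J) placeholder with `-a always,exit` (an assumption, but the usual choice for a syscall rule) makes that rule lint clean, and `to_rules_file` then emits only rules with no findings, so a bad line never reaches `augenrules`.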