Get the most out of your Centmin Mod LEMP stack
Become a Member

Beta Branch tools/auditd.sh discussion thread for 123.09beta01

Discussion in 'Beta release code' started by eva2000, Oct 10, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Last edited: Aug 4, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod 123.09beta01 branch after October 9th, 2016 has added Auditd setup and configuration for non-openvz systems like KVM, Xen, VMWare, and dedicated servers at tools/auditd.sh. The tools/auditd.sh script is a work in progress for 123.09beta01 so is disabled by default. Instructions for manually enabling it are below.

    Auditd Documentation & Guides



    How to use and interpret the auditd provided logs is left to end user as there's no support provided by me. The official Redhat documentation applies to CentOS as well so a starting point would be here.
    Then there's a few guides online

    tools/auditd.sh for Auditd



    To be able to use it right now, you need to set in persistent config file /etc/centminmod/custom_config.inc the variable below before running it:
    Code (Text):
    AUDITD_ENABLE='y'


    Full command options available:
    Code (Text):
    ./auditd.sh
    ./auditd.sh {setup|resetup|updaterules|disable_mariadbplugin|enable_mariadbplugin|backup}
    
    Command Usage:
    
    tools/auditd.sh setup
    tools/auditd.sh resetup
    tools/auditd.sh updaterules
    tools/auditd.sh disable_mariadbplugin
    tools/auditd.sh enable_mariadbplugin
    tools/auditd.sh backup
    


    To install and setup tools/auditd.sh run
    Code (Text):
    /usr/local/src/centminmod/tools/auditd.sh setup

    To reset the auditd configuration i.e. when tools/auditd.sh is updated with new rules, which you want to sync and update, run
    Code (Text):
    /usr/local/src/centminmod/tools/auditd.sh resetup

    When you add new nginx vhost sites, you may need to add more auditd rules to your current configuration, you could use the above resetup command which wipes existing audit config setup and adds the latest from tools/auditd.sh or you can use below updaterules command - which instead of wiping config, just appends nginx vhost specific new auditd rules to existing config.
    Code (Text):
    /usr/local/src/centminmod/tools/auditd.sh updaterules


    tools/auditd.sh for MariaDB Audit Plugin



    tools/auditd.sh also has a 2nd component to optionally install (disabled by default) MariaDB's on Audit Plugin. You need to set in persistent config file /etc/centminmod/custom_config.inc the variable below before running it:
    Code (Text):
    AUDIT_MARIADB='y'

    You can also disable MariaDB Audit Plugin later on too via disable_mariadbplugin option
    Code (Text):
    tools/auditd.sh disable_mariadbplugin
    
    Turn Off MariaDB Audit Plugin
    
    Update /etc/my.cnf for server_audit_logging off
    
    MariaDB Audit Plugin Turned Off
    

    You can also re-enable the MariaDB Plugin via enable_mariadbplugin option
    Code (Text):
    tools/auditd.sh enable_mariadbplugin
    
    Turn On MariaDB Audit Plugin
    
    *************************** 1. row ***************************
               PLUGIN_NAME: SERVER_AUDIT
            PLUGIN_VERSION: 1.4
             PLUGIN_STATUS: ACTIVE
               PLUGIN_TYPE: AUDIT
       PLUGIN_TYPE_VERSION: 3.2
            PLUGIN_LIBRARY: server_audit.so
    PLUGIN_LIBRARY_VERSION: 1.11
             PLUGIN_AUTHOR: Alexey Botchkov (MariaDB Corporation)
        PLUGIN_DESCRIPTION: Audit the server activity
            PLUGIN_LICENSE: GPL
               LOAD_OPTION: ON
           PLUGIN_MATURITY: Stable
       PLUGIN_AUTH_VERSION: 1.4.0
    
    Update /etc/my.cnf for server_audit_logging on
    
    MariaDB Audit Plugin Turned On
    
     
  3. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Centmin Mod Current Auditd Rules Set



    The current configured Auditd rules set is below:

    Code (Text):
    auditctl -l
    -w /etc/audit/ -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp/ -p wa -k audispconfig
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools
    -w /etc/ssh/sshd_config -p rwxa -k sshd
    -w /etc/passwd -p wa -k passwd_changes
    -w /var/log/lastlog -p wa -k logins_lastlog
    -w /usr/bin/passwd -p x -k passwd_modification
    -w /etc/group -p wa -k group_changes
    -w /bin/su -p x -k priv_esc
    -w /usr/bin/sudo -p x -k priv_esc
    -w /usr/bin/ssh -p x -k ssh-execute
    -w /etc/sudoers -p rw -k priv_esc
    -w /sbin/shutdown -p x -k power
    -w /sbin/poweroff -p x -k power
    -w /sbin/reboot -p x -k power
    -w /sbin/halt -p x -k power
    -w /usr/sbin/groupadd -p x -k group_modification
    -w /usr/sbin/groupmod -p x -k group_modification
    -w /usr/sbin/addgroup -p x -k group_modification
    -w /usr/sbin/useradd -p x -k user_modification
    -w /usr/sbin/usermod -p x -k user_modification
    -w /usr/sbin/adduser -p x -k user_modification
    -w /etc/hosts -p wa -k hosts
    -w /etc/network -p wa -k network
    -w /etc/sysctl.conf -p wa -k sysctl
    -w /etc/cron.allow -p wa -k cron-allow
    -w /etc/cron.deny -p wa -k cron-deny
    -w /etc/cron.d/ -p wa -k cron.d
    -w /etc/cron.daily/ -p wa -k cron-daily
    -w /etc/cron.hourly/ -p wa -k cron-hourly
    -w /etc/cron.monthly/ -p wa -k cron-monthly
    -w /etc/cron.weekly/ -p wa -k cron-weekly
    -w /etc/crontab -p wa -k crontab
    -w /var/spool/cron/root -p rwxa -k crontab_root
    -a always,exit -F arch=b32 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b64 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b32 -S sethostname -F key=hostname
    -a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S sethostname -F key=hostname
    -a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -w /usr/local/nginx/conf/ -p wa -k nginxconf_changes
    -w /usr/local/nginx/conf/phpstatus.conf -p wa -k phpstatusconf_changes
    -w /usr/local/etc/php-fpm.conf -p wa -k phpfpmconf_changes
    -w /usr/local/lib/php.ini -p wa -k phpini_changes
    -w /etc/my.cnf -p wa -k mycnf_changes
    -w /root/.my.cnf -p wa -k mycnfdot_changes
    -w /etc/csf/csf.conf -p wa -k csfconf_changes
    -w /etc/csf/csf.pignore -p wa -k csfpignore_changes
    -w /etc/csf/csf.fignore -p wa -k csffignore_changes
    -w /etc/csf/csf.signore -p wa -k csfsignore_changes
    -w /etc/csf/csf.rignore -p wa -k csfrignore_changes
    -w /etc/csf/csf.mignore -p wa -k csfmignore_changes
    -w /etc/csf/csf.ignore -p wa -k csfignore_changes
    -w /etc/csf/csf.dyndns -p wa -k csfdyndns_changes
    -w /etc/centminmod/php.d/ -p wa -k phpconfigscandir_changes
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    -w /usr/local/src/centminmod/ -p wa -k centminmod_installdir
    -w /etc/pure-ftpd/pure-ftpd.conf -p wa -k pureftpd_changes
    -w /etc/init.d/memcached -p wa -k memcachedinitd_changes
    

    Then these are additional auditd system call rules that are dynamically generated and added to persistent auditd rule config file based on detected existing Nginx vhost domain name's log file directory i.e. newdomain.com to log deletions or file rename/moves within /home/nginx/domains/newdomain.com/log

    This is what is added when you run updaterules command, tools/auditd.sh transverses the /home/nginx/domains folders and looks for new vhost domain name's /log directories to append to existing auditd rules.
    Code (Text):
    -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logdeletion
    -a always,exit -F arch=b32 -S rename,renameat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logrename
    -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logdeletion
    -a always,exit -F arch=b64 -S rename,renameat -F dir=/home/nginx/domains/newdomain.com/log -F success=0 -F key=newdomain.com_logrename
    
     
    Last edited: Oct 11, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Adding Custom Auditd Rules



    Example to monitor Xenforo forum's library directory and below for write modifications just drop a custom rule into /etc/audit/rules.d/xf.rules file you create.

    Add into /etc/audit/rules.d/xf.rules file the following rule
    Code (Text):
    -w /home/nginx/domains/domain.com/public/library -p wa -k xf-library-writemods

    or if you want to track writes and modifications to entire web root change the full path to just webroot and change the auditd key to xf-webroot-writemods
    Code (Text):
    -w /home/nginx/domains/domain.com/public -p wa -k xf-webroot-writemods

    then run updaterules command
    Code (Text):
    ./auditd.sh updaterules

    Code (Text):
    tools/auditd.sh updaterules
    
    auditd rules list
    
    ...snipped...
    
    -w /home/nginx/domains/domain.com/public/library/ -p wa -k xf-library-writemods
    
    auditd rules updated
    

    Using ausearch to filter on the key = xf-library-writemods or xf-webroot-writemods
    Code (Text):
    ausearch -k xf-library-writemods
    ----
    time->Mon Oct 10 00:54:09 2016
    type=CONFIG_CHANGE msg=audit(1476060849.639:2492579): auid=0 ses=334255 op="add_rule" key="xf-library-writemods" list=4 res=1
    

    here only entry is for the updaterules command itself adding the rule to auditd op="add_rule"
     
    Last edited: Oct 11, 2016
  5. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Auditd Authentication Reports



    Auditd can also tally up and display reports of your authentication stats i.e. sshd logins via aureport command

    All authentication logs
    Code (Text):
    aureport -au -i
    

    Only successfully authenticated ones
    Code (Text):
    aureport -au -i --success
    

    Failed authentication ones
    Code (Text):
    aureport -au -i --failed
    

    Login specific failures
    Code (Text):
    aureport -l --failed
    

    Login specific successes
    Code (Text):
    aureport -l --success
    

    Login user summary
    Code (Text):
    aureport -l --success --summary -i
    
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  7. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    1:54 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Auditd Tracking Sudo Users



    Quick example on CentOS 7, with tools/auditd.sh to setup and run tools/addsudousers.sh to add a sudo user named = george
    Code (Text):
    echo "AUDITD_ENABLE='y'" >> /etc/centminmod/custom_config.inc
    cd /usr/local/src/centminmod
    git stash
    git pull
    tools/auditd.sh setup
    tools/addsudousers.sh george
    

    Then I logged in as that new sudo user = george.

    The auditd logging reveals the log entries for the actual adduserusers.sh script which included invoking the useradd/usermod/passwd commands by root user as well as the sshd command for logging in as sudo user = george

    george id/group
    Code (Text):
    id george
    uid=1002(george) gid=1002(george) groups=1002(george),10(wheel)
    


    list syscalls itemised for timestamp after 13:21
    Code (Text):
    aureport -f -i -ts 13:21
    
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 08/04/2017 13:21:51 /usr/sbin/useradd execve yes /usr/sbin/useradd root 227
    2. 08/04/2017 13:21:51 /etc/passwd.2837 link yes /usr/sbin/useradd root 228
    3. 08/04/2017 13:21:51 /etc/passwd open yes /usr/sbin/useradd root 229
    4. 08/04/2017 13:21:51 /etc/group.2837 link yes /usr/sbin/useradd root 230
    5. 08/04/2017 13:21:51 /etc/group open yes /usr/sbin/useradd root 231
    6. 08/04/2017 13:21:51 /etc/gshadow.2837 link yes /usr/sbin/useradd root 232
    7. 08/04/2017 13:21:51 /etc/shadow.2837 link yes /usr/sbin/useradd root 233
    8. 08/04/2017 13:21:51 /var/log/lastlog open yes /usr/sbin/useradd root 235
    9. 08/04/2017 13:21:52 /etc/passwd ? yes ? root 237
    10. 08/04/2017 13:21:52 /etc/ rename yes /usr/sbin/useradd root 238
    11. 08/04/2017 13:21:52 /etc/group ? yes ? root 239
    12. 08/04/2017 13:21:52 /etc/ rename yes /usr/sbin/useradd root 240
    13. 08/04/2017 13:21:52 /usr/sbin/usermod execve yes /usr/sbin/usermod root 242
    14. 08/04/2017 13:21:52 /etc/passwd.2842 link yes /usr/sbin/usermod root 243
    15. 08/04/2017 13:21:52 /etc/passwd open yes /usr/sbin/usermod root 244
    16. 08/04/2017 13:21:52 /etc/shadow.2842 link yes /usr/sbin/usermod root 245
    17. 08/04/2017 13:21:52 /etc/group.2842 link yes /usr/sbin/usermod root 246
    18. 08/04/2017 13:21:52 /etc/group open yes /usr/sbin/usermod root 247
    19. 08/04/2017 13:21:52 /etc/gshadow.2842 link yes /usr/sbin/usermod root 248
    20. 08/04/2017 13:21:52 /etc/group ? yes ? root 251
    21. 08/04/2017 13:21:52 /etc/ rename yes /usr/sbin/usermod root 252
    22. 08/04/2017 13:21:52 /usr/bin/passwd execve yes /usr/bin/passwd root 253
    23. 08/04/2017 13:24:06 /var/log/ open yes /usr/sbin/sshd george 275
    


    list authentication logs for today which list root user sshd login and the sudo user = george sshd log
    Code (Text):
    aureport -au -i -ts today
    
    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 86
    2. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 89
    3. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 197
    4. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 200
    5. 08/04/2017 13:24:00 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 261
    6. 08/04/2017 13:24:02 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 262
    7. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 263
    8. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 266
    


    after sudo user = george switches to root user the authentication log where there was a few '/usr/bin/su no' entries (entered wrong root user password so didn't switch) before '/usr/bin/su yes' (entered correct root user password).

    Code (Text):
    aureport -au -i -ts today
    
    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 86
    2. 08/04/2017 13:10:43 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 89
    3. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 197
    4. 08/04/2017 13:17:10 root 192.168.xxx.xxx ssh /usr/sbin/sshd yes 200
    5. 08/04/2017 13:24:00 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 261
    6. 08/04/2017 13:24:02 george 192.168.xxx.xxx ssh /usr/sbin/sshd no 262
    7. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 263
    8. 08/04/2017 13:24:06 george 192.168.xxx.xxx ssh /usr/sbin/sshd yes 266
    9. 08/04/2017 13:33:01 root ? pts/1 /usr/bin/su no 308
    10. 08/04/2017 13:33:09 root ? pts/1 /usr/bin/su no 310
    11. 08/04/2017 13:33:15 root ? pts/1 /usr/bin/su no 312
    12. 08/04/2017 13:33:47 george ? /dev/pts/1 /usr/bin/sudo yes 318
    13. 08/04/2017 13:34:08 root ? pts/1 /usr/bin/su no 322
    14. 08/04/2017 13:34:23 root ? pts/1 /usr/bin/su no 324
    15. 08/04/2017 13:35:02 root ? pts/1 /usr/bin/su no 333
    16. 08/04/2017 13:35:25 root ? pts/1 /usr/bin/su no 335
    17. 08/04/2017 13:35:31 root ? pts/1 /usr/bin/su no 337
    18. 08/04/2017 13:35:39 root ? pts/1 /usr/bin/su no 340
    19. 08/04/2017 13:35:52 root ? pts/1 /usr/bin/su yes 342
    

    Then as sudo user = george switched to root user, I ran centmin mod command shortcut = customconfig to invoke nano to edit or view /etc/centminmod/custom_config.inc and exited nano afterwards.

    Using auditd's ausearch I searched the auditd log at /var/log/audit/audit.log filtered by auid = auditd UID or original id of the user which for sudo user = george = 1002 so even if you switch to root user, auditd can track by original sudo user's id all commands and filter by timestamp after 13:40 will show that exe=/usr/bin/nano binary opened /etc/centminmod/custom_config.inc file using root user (uid/gid/euid/suid/fsuid etc) but originated from auid=george
    Code (Text):
    ausearch -ua 1002 -i -ts 13:40
    ----
    type=PATH msg=audit(08/04/2017 13:42:26.849:369) : item=1 name=/etc/centminmod/custom_config.inc inode=18678988 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=NORMAL
    type=PATH msg=audit(08/04/2017 13:42:26.849:369) : item=0 name=/etc/centminmod/ inode=18129140 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT
    type=CWD msg=audit(08/04/2017 13:42:26.849:369) :  cwd=/root
    type=SYSCALL msg=audit(08/04/2017 13:42:26.849:369) : arch=x86_64 syscall=open success=yes exit=3 a0=0x1fff560 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x63 items=2 ppid=3229 pid=3230 auid=george uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=nano exe=/usr/bin/nano key=cmm_persistentconfig_changes
    

    and only reason why /etc/centminmod/custom_config.inc is tracked is tools/auditd.sh has custom rule added to track this when setup

    listing all tools/auditd.sh setup rules
    Code (Text):
    auditctl -l
    -w /etc/audit -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp -p wa -k audispconfig
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools
    -w /etc/ssh/sshd_config -p rwxa -k sshd
    -w /etc/passwd -p wa -k passwd_changes
    -w /var/log/faillog -p wa -k logins_faillog
    -w /var/log/lastlog -p wa -k logins_lastlog
    -w /usr/bin/passwd -p x -k passwd_modification
    -w /etc/group -p wa -k group_changes
    -w /bin/su -p x -k priv_esc
    -w /usr/bin/sudo -p x -k priv_esc
    -w /usr/bin/ssh -p x -k ssh-execute
    -w /etc/sudoers -p rw -k priv_esc
    -w /sbin/shutdown -p x -k power
    -w /sbin/poweroff -p x -k power
    -w /sbin/reboot -p x -k power
    -w /sbin/halt -p x -k power
    -w /usr/sbin/groupadd -p x -k group_modification
    -w /usr/sbin/groupmod -p x -k group_modification
    -w /usr/sbin/addgroup -p x -k group_modification
    -w /usr/sbin/useradd -p x -k user_modification
    -w /usr/sbin/usermod -p x -k user_modification
    -w /usr/sbin/adduser -p x -k user_modification
    -w /etc/hosts -p wa -k hosts
    -w /etc/network -p wa -k network
    -w /etc/sysctl.conf -p wa -k sysctl
    -w /etc/cron.allow -p wa -k cron-allow
    -w /etc/cron.deny -p wa -k cron-deny
    -w /etc/cron.d -p wa -k cron.d
    -w /etc/cron.daily -p wa -k cron-daily
    -w /etc/cron.hourly -p wa -k cron-hourly
    -w /etc/cron.monthly -p wa -k cron-monthly
    -w /etc/cron.weekly -p wa -k cron-weekly
    -w /etc/crontab -p wa -k crontab
    -w /var/spool/cron/root -p rwxa -k crontab_root
    -a always,exit -F arch=b32 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b64 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b32 -S sethostname -F key=hostname
    -a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S sethostname -F key=hostname
    -a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -w /usr/local/nginx/conf -p wa -k nginxconf_changes
    -w /usr/local/nginx/conf/phpstatus.conf -p wa -k phpstatusconf_changes
    -w /usr/local/etc/php-fpm.conf -p wa -k phpfpmconf_changes
    -w /usr/local/lib/php.ini -p wa -k phpini_changes
    -w /etc/my.cnf -p wa -k mycnf_changes
    -w /root/.my.cnf -p wa -k mycnfdot_changes
    -w /etc/csf/csf.conf -p wa -k csfconf_changes
    -w /etc/csf/csf.blocklists -p wa -k csfpignore_changes
    -w /etc/csf/csf.pignore -p wa -k csfpignore_changes
    -w /etc/csf/csf.fignore -p wa -k csffignore_changes
    -w /etc/csf/csf.signore -p wa -k csfsignore_changes
    -w /etc/csf/csf.rignore -p wa -k csfrignore_changes
    -w /etc/csf/csf.mignore -p wa -k csfmignore_changes
    -w /etc/csf/csf.ignore -p wa -k csfignore_changes
    -w /etc/csf/csf.dyndns -p wa -k csfdyndns_changes
    -w /etc/centminmod/php.d -p wa -k phpconfigscandir_changes
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    -w /usr/local/src/centminmod -p wa -k centminmod_installdir
    -w /etc/pure-ftpd/pure-ftpd.conf -p wa -k pureftpd_changes
    -w /etc/init.d/memcached -p wa -k memcachedinitd_changes
    

    particular rule was which has a key = cmm_persistentconfig_changes
    Code (Text):
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    

    You can also track/search by keys i.e. cmm_persistentconfig_changes
    Code (Text):
    ausearch -k cmm_persistentconfig_changes -ts 13:40
    ----
    time->Fri Aug  4 13:42:26 2017
    type=PATH msg=audit(1501854146.849:369): item=1 name="/etc/centminmod/custom_config.inc" inode=18678988 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
    type=PATH msg=audit(1501854146.849:369): item=0 name="/etc/centminmod/" inode=18129140 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
    type=CWD msg=audit(1501854146.849:369):  cwd="/root"
    type=SYSCALL msg=audit(1501854146.849:369): arch=c000003e syscall=2 success=yes exit=3 a0=1fff560 a1=441 a2=1b6 a3=63 items=2 ppid=3229 pid=3230 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="nano" exe="/usr/bin/nano" key="cmm_persistentconfig_changes"
    


    Just an example of how powerful auditd can be if you setup the right auditd rules and filters Centmin Mod Auditd Support Added In Latest 123.09beta01