
I have a requirement from a customer (I have no idea if it can be implemented, after days of searching). This is the request: "The auditlog rules should be extended for events (create, delete, update, change, rename) independent from a user. I hope I will then also see the events which run with WinSCP."

My auditd configuration:

[root@host1~]# auditctl -l
-a always,exit -F arch=b64 -S execve -F euid=44055 -F key=user-activity
-a always,exit -F arch=b32 -S execve -F euid=44055 -F key=user-activity
-a always,exit -F arch=b64 -S execve -F euid=2971 -F key=user-activity
-a always,exit -F arch=b32 -S execve -F euid=2971 -F key=user-activity
-a always,exit -F arch=b64 -S execve -F euid=2961 -F key=user-activity
-a always,exit -F arch=b32 -S execve -F euid=2961 -F key=user-activity
-a always,exit -F arch=b64 -S execve -F euid=44057 -F key=user-activity
-a always,exit -F arch=b32 -S execve -F euid=44057 -F key=user-activity
-a always,exit -F arch=b64 -S execve -F euid=2341 -F key=user-activity
-a always,exit -F arch=b32 -S execve -F euid=2341 -F key=user-activity
-a always,exit -S oldlstat,swapon
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
You have new mail in /var/spool/mail/root

Thank you, Best Regards, Jul

Sissi_00_20
    Please clarify what you (or your customer) mean by "independent from a user" and by "events which run with WinSCP". WinSCP file transfers do run in the context of a specific server user so they are not independent from a user in the sense that I understand these words. – Tilman Schmidt May 31 '18 at 11:32
  • The auditlog rules should be extended for events (create, delete, update, change, rename) independent from a user. – Sissi_00_20 Jun 04 '18 at 07:59

1 Answer


Add a rule to watch the directory where you expect users to upload files.

 -w /home -k home-events

This will watch for all open() flags on any activity under /home recursively. This may be high volume, in which case you can pick a more specific directory, or use more -F options to filter.

Unless you have locked sftp/scp down, this will not be every place they could upload files; there is also /tmp.

John Mahowald
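As an added example (not code from the question or the answer above), a small Python parser that groups the records of each audit event by serial number and derives the create/delete/rename/update operation the customer asked for from the PATH nametype fields, so that events tagged by a `-w /home -k home-events` watch can be reported per operation. The sample records are constructed: the serials, euid 2971, paths and sftp-server process are made up, and real records carry many more fields.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like "ausearch -k home-events" output for an
# sftp upload, a delete and a rename under a "-w /home -k home-events" watch.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1527760000.100:501): arch=c000003e syscall=257 success=yes exit=4 uid=2971 euid=2971 comm="sftp-server" key="home-events"
type=PATH msg=audit(1527760000.100:501): item=0 name="/home/jul/" nametype=PARENT
type=PATH msg=audit(1527760000.100:501): item=1 name="/home/jul/report.csv" nametype=CREATE
type=SYSCALL msg=audit(1527760000.200:502): arch=c000003e syscall=263 success=yes exit=0 uid=2971 euid=2971 comm="sftp-server" key="home-events"
type=PATH msg=audit(1527760000.200:502): item=0 name="/home/jul/" nametype=PARENT
type=PATH msg=audit(1527760000.200:502): item=1 name="/home/jul/old.txt" nametype=DELETE
type=SYSCALL msg=audit(1527760000.300:503): arch=c000003e syscall=316 success=yes exit=0 uid=2971 euid=2971 comm="sftp-server" key="home-events"
type=PATH msg=audit(1527760000.300:503): item=0 name="/home/jul/" nametype=PARENT
type=PATH msg=audit(1527760000.300:503): item=1 name="/home/jul/" nametype=PARENT
type=PATH msg=audit(1527760000.300:503): item=2 name="/home/jul/report.csv" nametype=DELETE
type=PATH msg=audit(1527760000.300:503): item=3 name="/home/jul/report-final.csv" nametype=CREATE
type=SYSCALL msg=audit(1527760000.400:504): arch=c000003e syscall=59 success=yes exit=0 uid=2971 euid=2971 comm="ls" key="user-activity"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_records(text):
    """Group the key=value records of every audit event by its serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        events[int(m.group(2))].append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events

def classify(records):
    """Derive the file operation from the PATH nametypes: a rename has both a DELETE and a CREATE item."""
    nametypes = {r["nametype"] for r in records if r["type"] == "PATH"}
    if {"CREATE", "DELETE"} <= nametypes:
        return "rename"
    return "create" if "CREATE" in nametypes else "delete" if "DELETE" in nametypes else "update"

def file_events(text, key="home-events"):
    """Return (serial, operation, euid, comm, non-parent paths) for each event tagged with the watch key."""
    out = []
    for serial, records in sorted(parse_records(text).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue  # skips e.g. the execve event tagged user-activity
        paths = [r["name"] for r in records if r["type"] == "PATH" and r["nametype"] != "PARENT"]
        out.append((serial, classify(records), int(syscall["euid"]), syscall["comm"], paths))
    return out
```

The same grouping works on the output of `ausearch -k home-events`, and the euid column shows that the watch records uploads from every user rather than only the ones listed in the existing execve rules.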