@AndySplunks, thanks! :3
I will reviewed some of my old use cases.
The main problem that I don't have any colleagues that are pro in Linux or had any CEH/OSCP cert. And it's hard for me to handle so much information in a solo. Ideally, I would have to study one thing to the ideal level, rather than focusing my attention on everything. Any security chats/forums it's only where I can get any people who works in InfoSec and can give me advice (what I am actively using)

Also, it's my own list of some use cases:

1. List of all log in attempts (either successful or not)
2. Alert after X failed log in attempts
3. List of all sudo commands executed, and the user who ran them
4. Addition/removal of users to the system
5. Activation/de-activation of services (e.g. A/V, IDS, firewall)
6. Unauthorized access attempts to deactivated accounts/files/services
7. Binaries with curvature rights to rais
8. If running any NMAP on machine
9. SSH, VPN on machines where it can't be installed
10. Detecting short-lived files in /temp (noise/false-positive)
11. Installing malware or non-upgraded software
12. Recording yourself to any startup
13. Change the settings of /etc/shadow, /etc/passwd, /etc/sudoers, including changing privileges for certain users
14. Detect what drives, flash drives are connected to the host system (including rubber ducky)
15. Monitoring browser extension

If you’re looking specifically for a list of behaviours to detect, MITRE’s ATT@CK Matrix is exactly what is required. On the other hand, if you want to know how to detect those behaviours, please see my conf talk already mentioned above.

@test_qweqwe: Please also see the slides from another conference session I presented last year that talks about how to use Auditd for detection: https://redhat.slides.com/dobrown/deck?token=BcavmnEs

@doksu, yeap, I already saw your presentation and it was very useful for me, although I still can't make puzzle in my head about monitoring by Auditd.

1. Logging all commands. I still don't understand even with your guide-video on youtube how to logging TTY. Your guides not working on my machine or I don't know what I'm doing wrong.

For example, to have at least something logging from TTY l I need to run one more command:
echo "session required pam_tty_audit.so enable=*" >> /etc/pam.d/system
And after it i can logging all commands, but only by user root. Commands by another users I still can't logging.

1. Watch a context of file. It's possible by auditd to parse context of file? I think it's important. For example, I made rules for changing such files as: /etc/passwd, /etc/shadow, /etc/crontab and auditd only can said me that something happen, but I can't see context of file to appreciate the whole picture. I can not assess the risks. Of course I can write scripts that will cover it

@test_qweqwe: it’s a different presentation as I indicated and you’re asking questions in comments here that are well outside the scope of the original question. Please submit separate questions on the site for each.

With regards to the PAM config, that is neither a Splunk issue nor an issue with the app so I suggest you contact your distribution’s support if the operating system is not functioning as expected.

@doksu Great, thank you for answer! 🙂

@AndySplunks provided some use cases. What can you add to his list?

About Mitre, when I having a free time I'm trying to do some cases from that list (while only offense part):
https://attack.mitre.org/wiki/Linux_Technique_Matrix
The first question, can auditd cover these use cases?
And the second, how to monitor commands? Sudo commands - easy, but what about other? (many of there use cases seems that can be success monitoring if you can logging commands)

Enable TTY logging by echo "session required pam_tty_audit.so enable=*" >> /etc/pam.d/password-auth-ac
I used it only 4 times and only one time it was worked. And I really don't understand why I can't logging any key-strokes by it (was tested on CentOS7)

The Splunk Answers site isn’t really the most appropriate place to discuss this in detail and it’s something that comes with experience. If you watch the video attached to the Linux Auditd app on Splunkbase, it will address several of the concrete questions here.