audit rules
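# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl (load manually with: auditctl -R <this file>).

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 2048

# Feel free to add below this line. See auditctl man page

## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
-f 1

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
## (no -p given, so reads, writes, executes and attribute changes are all logged)
-w /var/log/audit/ -k auditlog

## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations
## (x86_64 has no plain umount syscall, only umount2, so the b64 rule omits it)
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

## changes to the time
## (stime only exists on 32-bit, so it appears in the b32 rule only)
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
## (shadow files deliberately have no -p: reads of password hashes are logged too)
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

# Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## library search paths
-w /etc/ld.so.conf -p wa -k libpath

## local time zone
-w /etc/localtime -p wa -k localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl

## modprobe configuration
## current distributions use the drop-in directory rather than modprobe.conf,
## so both locations are watched
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d/ -p wa -k modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

## ssh configuration
-w /etc/ssh/sshd_config -k sshd

## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## log all commands executed by an effective id of 0 aka root.
## NOTE: this was too noisy on some systems; the rules are still active here,
## so comment them out if the event volume is a problem.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

## Capture all failures to access on critical elements
## Modern libc implements open(2) on top of openat(2), so a rule that lists
## only -S open misses most failed opens; openat is listed alongside it.
## -F success=0 also matches ENOENT (file not found), which can be noisy;
## -F exit=-EACCES / -F exit=-EPERM are the narrower alternative if needed.
## The key is misspelled ("acess") but kept as-is so existing ausearch -k
## queries and SIEM rules built on it keep working.
-a exit,always -F arch=b64 -S open -S openat -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -S openat -F dir=/srv -F success=0 -k unauthedfileacess
## same for 32-bit callers, matching the b32/b64 pairing used elsewhere in this file
-a exit,always -F arch=b32 -S open -S openat -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b32 -S open -S openat -F dir=/srv -F success=0 -k unauthedfileacess

## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## drop-in fragments in sudoers.d grant the same privileges as /etc/sudoers
-w /etc/sudoers.d/ -p wa -k priv_esc

## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power

# Enable auditd
# 1 = enabled; 2 = enabled and locked (rules cannot be changed until reboot)
-e 1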