auditd template
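## auditd rule set, loaded at daemon start (auditctl -R / augenrules).
## Each non-comment line is one auditctl argument list. Order matters:
## -D must be first so stale rules are dropped, and -e 2 must be last
## because nothing can be changed after it.

## Remove any existing rules
-D

## Buffer Size
## Outstanding audit buffers the kernel may hold. With -f 1 (below) an
## overflow only drops events and prints a kernel message, so raise this
## if "audit: backlog limit exceeded" shows up under load.
-b 8192

## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
-f 1

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail.
## No -p on purpose: r,w,x,a are all watched, so reads by ausearch/aureport
## are recorded as well.
-w /var/log/audit/ -k auditlog

## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## special files
-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations
## (the legacy umount syscall exists only in the 32-bit ABI; x86_64 has umount2 only)
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -k mount
-a always,exit -F arch=b64 -S mount -S umount2 -k mount

## changes to the time
## (stime exists only in the 32-bit ABI)
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
## -p wa like the other cron watches: cron re-reads this spool on every
## change, so watching reads only adds noise.
-w /var/spool/cron/crontabs/ -p wa -k cron

## user, group, password databases
## All entries watch writes and attribute changes only. Reads of the shadow
## files happen on every login; denied reads by non-root are still caught by
## the failed-open rules on /etc further down.
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -p wa -k etcgroup
-w /etc/shadow -p wa -k etcpasswd
-w /etc/security/opasswd -p wa -k opasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

## Monitor for use of tools to change group and user identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## library search paths
## ld.so.conf includes ld.so.conf.d/*.conf, so a dropped-in file there
## changes the search path just as much as editing ld.so.conf itself.
-w /etc/ld.so.conf -p wa -k libpath
-w /etc/ld.so.conf.d/ -p wa -k libpath

## local time zone
-w /etc/localtime -p wa -k localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d/ -p wa -k sysctl

## modprobe configuration
## modprobe.conf is the legacy single file; modprobe.d/ is where current
## systems keep module options, blacklists and install/remove hooks.
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d/ -p wa -k modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl

## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

## ssh configuration
## -p wa: sshd reads its config on every connection; only changes are interesting.
-w /etc/ssh/sshd_config -p wa -k sshd

## changes to hostname
-a always,exit -F arch=b32 -S sethostname -k hostname
-a always,exit -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## log all commands executed by an effective id of 0 aka root.
## This is the highest-volume rule in the file: every execve by any
## root-owned daemon, cron job and package hook is recorded, not just
## interactive root shells. Size the log partition and -b accordingly.
-a always,exit -F arch=b64 -F euid=0 -S execve -k rootcmd
-a always,exit -F arch=b32 -F euid=0 -S execve -k rootcmd

## Capture denied attempts to open files under critical trees.
## Only EACCES and EPERM are matched: a plain "-F success=0" also matches
## ENOENT, which every PATH lookup and optional-config probe produces.
## openat is listed alongside open because current glibc implements open()
## via openat, and both ABIs are covered so a 32-bit binary cannot sidestep
## the rule. The key keeps its historical spelling so existing
## "ausearch -k" queries and alert rules keep matching.
-a always,exit -F arch=b64 -S open -S openat -F dir=/etc -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/etc -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/bin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/bin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/sbin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/sbin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/usr/bin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/usr/bin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/usr/sbin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/usr/sbin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/var -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/var -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/home -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/home -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/srv -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b64 -S open -S openat -F dir=/srv -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/etc -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/etc -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/bin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/bin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/sbin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/sbin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/usr/bin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/usr/bin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/usr/sbin -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/usr/sbin -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/var -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/var -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/home -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/home -F exit=-EPERM -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/srv -F exit=-EACCES -k unauthedfileacess
-a always,exit -F arch=b32 -S open -S openat -F dir=/srv -F exit=-EPERM -k unauthedfileacess

## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
## sudoers keeps the original read watch and adds attribute changes
## (chmod/chown of sudoers is tampering). sudoers.d/ is the #includedir
## target, so a file dropped there grants privileges without sudoers
## itself ever being touched.
-w /etc/sudoers -p rwa -k priv_esc
-w /etc/sudoers.d/ -p rwa -k priv_esc

## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

## Make the configuration immutable
## After -e 2 no rule can be added, removed or changed until the next
## reboot, so this must stay the last line, and every rule above must
## load cleanly first: a failing line leaves a gap that cannot be patched
## without a reboot. Validate with -e 1 before shipping this to hosts.
-e 2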