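#!/usr/bin/env bash
# Audit logging hardening (CIS-style auditd configuration) for Debian/Ubuntu.
#
# Installs auditd, stops audit logs from being rotated away, installs an audit
# rule set (time changes, identity files, network environment, MAC policy,
# login/session records, permission changes, failed file access, mounts,
# deletions, sudoers, kernel modules) and finally makes the audit
# configuration immutable (-e 2).
#
# Usage: run as root.  Once "-e 2" is active the kernel refuses any further
# rule changes until the next reboot, so re-running this script on a box that
# already has it applied will not reload the rules; reboot first if you need
# to change them.
#
# Why the rules are written through a quoted heredoc rather than echo:
#   * "-F auid>=1000" as an unquoted shell word is a redirection (output goes
#     to a file named "=1000" and the rule line is lost);
#   * "echo -e 2" treats -e as an echo option and writes just "2", so the
#     immutable flag was never actually set.
set -euo pipefail

readonly AUDITD_CONF=/etc/audit/auditd.conf
readonly RULES_D=/etc/audit/rules.d
readonly LEGACY_RULES=/etc/audit/audit.rules
readonly RULE_FILE_NAME=50-cis-hardening.rules
# First line of the rule set; used to detect a previous run when appending to
# the legacy audit.rules. Keep in sync with the heredoc in audit_rules().
readonly MARKER='# Managed by the audit hardening script'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the complete audit rule set to stdout.
# Outputs: the rules, one per line, "-e 2" last.
# Returns: 0
#######################################
audit_rules() {
  cat <<'EOF'
# Managed by the audit hardening script - do not edit by hand.

## Ensure events that modify date and time information are collected
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

## Ensure events that modify user/group information are collected
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

## Ensure events that modify the system's network environment are collected
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale

## Ensure events that modify the system's Mandatory Access Controls are collected
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy

## Ensure login and logout events are collected
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

## Ensure session initiation information is collected
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## Ensure discretionary access control permission modification events are collected
# auid>=1000 limits these to real (non-system) users; auid!=4294967295 drops
# processes whose login UID was never set (-1 as unsigned 32-bit).
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

## Ensure unsuccessful unauthorized file access attempts are collected
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

## Ensure successful file system mounts are collected
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

## Ensure file deletion events by users are collected
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

## Ensure changes to system administration scope (sudoers) are collected
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

## Ensure system administrator actions (sudolog) are collected
-w /var/log/sudo.log -p wa -k actions

## Ensure kernel module loading and unloading is collected
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

## Ensure the audit configuration is immutable (must be the last rule loaded)
-e 2
EOF
}

#######################################
# Ensure audit logs are not automatically deleted.
# Rewrites an existing max_log_file_action line in auditd.conf instead of
# appending a second copy of the key, so the file keeps one authoritative
# value; appends only when the key is absent.
# Globals:  AUDITD_CONF (read, modified on disk)
#######################################
set_keep_logs() {
  if grep -Eq '^[[:space:]]*max_log_file_action[[:space:]]*=' "$AUDITD_CONF"; then
    sed -i -E 's/^[[:space:]]*max_log_file_action[[:space:]]*=.*/max_log_file_action = keep_logs/' "$AUDITD_CONF"
  else
    printf 'max_log_file_action = keep_logs\n' >> "$AUDITD_CONF"
  fi
}

#######################################
# Write the rule set where this auditd will actually read it.
# With augenrules (rules.d present), /etc/audit/audit.rules is regenerated
# from /etc/audit/rules.d/*.rules on every load, so text appended directly to
# audit.rules is silently discarded; a dedicated rules.d file is used instead
# and overwritten on every run (idempotent).
# Without augenrules, audit.rules is the live file and may already hold other
# rules, so the set is appended once, guarded by MARKER.
# Globals:  RULES_D, RULE_FILE_NAME, LEGACY_RULES, MARKER (read)
#######################################
install_rules() {
  if [[ -d "$RULES_D" ]]; then
    audit_rules > "$RULES_D/$RULE_FILE_NAME"
    chmod 0640 "$RULES_D/$RULE_FILE_NAME"
    return 0
  fi
  if grep -Fq -- "$MARKER" "$LEGACY_RULES" 2>/dev/null; then
    printf 'audit rules already present in %s; not appending again\n' "$LEGACY_RULES" >&2
    return 0
  fi
  audit_rules >> "$LEGACY_RULES"
  chmod 0640 "$LEGACY_RULES"
}

#######################################
# Load the rules into the running kernel.
# Skipped when the audit system already reports immutable mode ("enabled 2"):
# any auditctl/augenrules load would fail there, and only a reboot clears it.
# Globals:  LEGACY_RULES (read)
# Returns:  0 on success or when skipped; dies if loading fails
#######################################
load_rules() {
  if auditctl -s 2>/dev/null | grep -Eq 'enabled[ =]2'; then
    printf 'audit configuration is already immutable (-e 2); reboot to change rules\n' >&2
    return 0
  fi
  if command -v augenrules >/dev/null; then
    augenrules --load || die "augenrules --load failed"
  else
    auditctl -R "$LEGACY_RULES" || die "auditctl -R $LEGACY_RULES failed"
  fi
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  export DEBIAN_FRONTEND=noninteractive
  apt-get install -y auditd audispd-plugins
  systemctl enable auditd
  set_keep_logs
  install_rules
  # Restart so the daemon re-reads auditd.conf. service(8) is used rather than
  # "systemctl restart" because some distributions mark auditd.service with
  # RefuseManualStop; service(8) is the documented restart path there.
  service auditd restart
  load_rules
}

main "$@"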