This repository has been archived by the owner on Jan 20, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 16
/
audit.rules
78 lines (62 loc) · 2.38 KB
/
audit.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
audit.rules:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all previous rules.
-D
## Enable the kernel audit subsystem.
# 1 means the configuration can be modified.
# 2 means immutable until reboot (only set 2 at the *end* of the rule file - else you'll shoot yourself in the foot)
-e 1
# Increase the acching buffers to survive spikes, without dropping events.
# You can make this bigger for busy systems.
# Value is x times an audit record size in kernel memory.
# Large value may use quite a few megs of kernel memory.
-b 16348
# Ignore errors (if file path doesn't exists, for example, don't stop processing rules).
-i
# Rate limit audit at the kernel level (msg/s)
-r 500
## Generic logging
# Bypass regular calls
#-a always,exit -F arch=b64 -S personality -k bypass
#-a always,exit -F arch=b32 -S personality -k bypass
## Exec logging
# We're first excluding quite a few binaries from exec logging.
# These are called often and do not provide significant value.
-A exit,never -F path=/bin/ls -F perm=x
-A exit,never -F path=/bin/sh -F perm=x
-A exit,never -F path=/bin/grep -F perm=x
-A exit,never -F path=/bin/egrep -F perm=x
-A exit,never -F path=/usr/bin/tail -F perm=x
-A exit,never -F path=/bin/stty -F perm=x
-A exit,never -F path=/usr/bin/tty -F perm=x
-A exit,never -F path=/usr/bin/wc -F perm=x
-A exit,never -F path=/bin/ping -F perm=x
-A exit,never -F path=/bin/sleep -F perm=x
-A exit,never -F path=/bin/touch -F perm=x
# Setup the exec monitoring for all other cases
-a exit,always -F arch=b64 -S execve -k exec
#-a exit,always -F arch=b32 -S execve -k exec
#-a entry,always -S clone -S fork -S vfork
#-a entry,always -S access -F a1=4
## Log changes to system configuration files.
# Modify audit configuration
-w /etc/audit/ -p wa -k audit
# Modify startup
-w /sbin/init -p wa -k init
-w /etc/systemd -p wa -k init
# Modify PAM
-w /etc/pam.d -p wa -k pam
-w /etc/security -p wa -k pam
-w /lib/security -p wa -k pam
# Users
-w /etc/group -p wa -k user
-w /etc/passwd -p wa -k user
-w /etc/gshadow -p wa -k user
-w /etc/shadow -p wa -k user
-w /etc/sudoers -p wa -k user
# Time changes
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change