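# Audit rules declared through the auditd::rule defined type (CIS-style
# coverage of time, identity, locale, MAC policy, logins, sessions,
# permission changes, access denials, mounts, deletions, sudo and modules).
#
# `order` is passed as a zero-padded string rather than a bare number:
#   * bare `08` and `09` are invalid literals in Puppet 4+ (a leading zero
#     means octal), so the original manifest fails to parse there;
#   * if the type orders fragments lexically (concat's default), unpadded
#     values would sort '10' before '2'; zero-padded strings keep the
#     intended sequence, which matters for the final '-e 2' rule.
#
# `include` declares the class; `require` additionally orders this scope
# after it. Both are kept as written so existing dependency behaviour is
# unchanged.
include auditd
require auditd

# --- time-change: system clock manipulation ---------------------------------
auditd::rule { 'check for 64bit time adjustment syscalls':
  content => '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
  order   => '01',
}
auditd::rule { 'check for 32bit time adjustment syscalls':
  # stime exists only in the 32-bit ABI, hence no b64 counterpart.
  content => '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
  order   => '02',
}
auditd::rule { 'check for 64bit clock adjustment syscalls':
  content => '-a always,exit -F arch=b64 -S clock_settime -k time-change',
  order   => '03',
}
auditd::rule { 'check for 32bit clock adjustment syscalls':
  content => '-a always,exit -F arch=b32 -S clock_settime -k time-change',
  order   => '04',
}
auditd::rule { 'watch for changes to the local time file':
  content => '-w /etc/localtime -p wa -k time-change',
  order   => '05',
}

# --- identity: user and group databases --------------------------------------
auditd::rule { 'watch for changes to group file':
  content => '-w /etc/group -p wa -k identity',
  order   => '06',
}
auditd::rule { 'watch for changes to passwd file':
  content => '-w /etc/passwd -p wa -k identity',
  order   => '07',
}
auditd::rule { 'watch for changes to gshadow file':
  content => '-w /etc/gshadow -p wa -k identity',
  order   => '08',
}
auditd::rule { 'watch for changes to shadow file':
  content => '-w /etc/shadow -p wa -k identity',
  order   => '09',
}
auditd::rule { 'watch for changes to opasswd file':
  content => '-w /etc/security/opasswd -p wa -k identity',
  order   => '10',
}

# --- system-locale: hostname and network identity ---------------------------
auditd::rule { 'check for 64bit hostname change syscalls':
  content => '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale',
  order   => '11',
}
auditd::rule { 'check for 32bit hostname change syscalls':
  content => '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale',
  order   => '12',
}
auditd::rule { 'watch for changes to issue notice file':
  content => '-w /etc/issue -p wa -k system-locale',
  order   => '13',
}
auditd::rule { 'watch for changes to issue.net notice file':
  content => '-w /etc/issue.net -p wa -k system-locale',
  order   => '14',
}
auditd::rule { 'watch for changes to hosts file':
  content => '-w /etc/hosts -p wa -k system-locale',
  order   => '15',
}
auditd::rule { 'watch for changes to network config file':
  # /etc/sysconfig/network is the RHEL-family path; other distributions keep
  # network configuration elsewhere, so this watch may be a no-op there.
  content => '-w /etc/sysconfig/network -p wa -k system-locale',
  order   => '16',
}

# --- MAC-policy ---------------------------------------------------------------
auditd::rule { 'Record Events That Modify the Systems Mandatory Access Controls':
  content => '-w /etc/selinux/ -p wa -k MAC-policy',
  order   => '17',
}

# --- logins ---------------------------------------------------------------------
auditd::rule { 'Collect Login and Logout Events to faillog':
  content => '-w /var/log/faillog -p wa -k logins',
  order   => '18',
}
auditd::rule { 'Collect Login and Logout Events to lastlog':
  content => '-w /var/log/lastlog -p wa -k logins',
  order   => '19',
}
auditd::rule { 'Collect Login and Logout Events to tallylog':
  content => '-w /var/log/tallylog -p wa -k logins',
  order   => '20',
}

# --- session --------------------------------------------------------------------
auditd::rule { 'Collect Session Initiation Information for currently logged in users':
  content => '-w /var/run/utmp -p wa -k session',
  order   => '21',
}
auditd::rule { 'Collect Session Initiation Information for login, logout, shutdown, and reboot events':
  content => '-w /var/log/wtmp -p wa -k session',
  order   => '22',
}
auditd::rule { 'Collect Session Initiation Information for failed login attempts':
  content => '-w /var/log/btmp -p wa -k session',
  order   => '23',
}

# --- perm_mod: DAC changes by real users ---------------------------------------
# `auid>=1000` assumes UID_MIN is 1000 (check /etc/login.defs on the target);
# `auid!=4294967295` excludes processes whose login UID was never set.
auditd::rule { 'Collect 64bit Discretionary Access Control Permission Modification Events fchmodat':
  content => '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '24',
}
auditd::rule { 'Collect 32bit Discretionary Access Control Permission Modification Events fchmodat':
  content => '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '25',
}
auditd::rule { 'Collect 64bit Discretionary Access Control Permission Modification Events fchownat':
  content => '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '26',
}
auditd::rule { 'Collect 32bit Discretionary Access Control Permission Modification Events fchownat':
  content => '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '27',
}
auditd::rule { 'Collect 64bit Discretionary Access Control Permission Modification Events attr':
  content => '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '28',
}
auditd::rule { 'Collect 32bit Discretionary Access Control Permission Modification Events attr':
  content => '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '29',
}

# --- access: denied file opens (EACCES / EPERM) -------------------------------
auditd::rule { 'Collect 64bit Unsuccessful Unauthorized Access Attempts to Files EACCES':
  content => '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '30',
}
auditd::rule { 'Collect 32bit Unsuccessful Unauthorized Access Attempts to Files EACCES':
  content => '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '31',
}
auditd::rule { 'Collect 64bit Unsuccessful Unauthorized Access Attempts to Files EPERM':
  content => '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '32',
}
auditd::rule { 'Collect 32bit Unsuccessful Unauthorized Access Attempts to Files EPERM':
  content => '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '33',
}

# --- mounts ---------------------------------------------------------------------
auditd::rule { 'Collect 64bit Successful File System Mounts':
  content => '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
  order   => '34',
}
auditd::rule { 'Collect 32bit Successful File System Mounts':
  content => '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
  order   => '35',
}

# --- delete ---------------------------------------------------------------------
auditd::rule { 'Collect 64bit File Deletion Events by User':
  content => '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete',
  order   => '36',
}
auditd::rule { 'Collect 32bit File Deletion Events by User':
  content => '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete',
  order   => '37',
}

# --- scope / actions: privilege configuration and use --------------------------
auditd::rule { 'Collect Changes to System Administration Scope':
  # Only the main sudoers file is watched; drop-ins under /etc/sudoers.d are
  # not covered by this rule as written.
  content => '-w /etc/sudoers -p wa -k scope',
  order   => '38',
}
auditd::rule { 'Collect System Administrator Actions (sudolog)':
  # Assumes sudo is configured to log to /var/log/sudo.log (logfile option);
  # otherwise this watch records nothing — confirm on the target.
  content => '-w /var/log/sudo.log -p wa -k actions',
  order   => '39',
}

# --- modules --------------------------------------------------------------------
auditd::rule { 'Collect Kernel Module Loading and Unloading insmod':
  content => '-w /sbin/insmod -p x -k modules',
  order   => '40',
}
auditd::rule { 'Collect Kernel Module Loading and Unloading rmmod':
  content => '-w /sbin/rmmod -p x -k modules',
  order   => '41',
}
auditd::rule { 'Collect Kernel Module Loading and Unloading modprobe':
  content => '-w /sbin/modprobe -p x -k modules',
  order   => '42',
}
auditd::rule { 'Collect 64bit programmatic Kernel Module Loading and Unloading':
  # No b32 counterpart is declared; 32-bit callers of init_module/delete_module
  # are not captured by this set.
  content => '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules',
  order   => '43',
}

# --- lock the configuration ----------------------------------------------------
# Must stay the last fragment: once '-e 2' is loaded no further rules can be
# added or removed, and later changes take effect only after a reboot.
auditd::rule { 'Make the Audit Configuration Immutable':
  content => '-e 2',
  order   => '44',
}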