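# Audit rule set (time, identity, locale, MAC, logins, sessions, DAC changes,
# failed access, mounts, deletions, sudo scope/actions, kernel modules), ending
# with `-e 2` so the loaded configuration becomes immutable.
#
# Each rule is declared through the `auditd::rule` defined type of the auditd
# module (not visible here); it is assumed to concatenate `content` into the
# rules file in `order` sequence -- confirm against the module in use.
#
# `order` values are quoted, zero-padded strings rather than bare integer
# literals: in the Puppet language a leading zero marks an octal literal, so
# `08` and `09` are not valid numbers, and integers that are later stringified
# and sorted alphabetically would place '44' (the `-e 2` rule) before '5'.
# Because rules after `-e 2` cannot be loaded, the immutable rule must sort last.
#
# `auid>=1000 -F auid!=4294967295` restricts a rule to real user sessions:
# 4294967295 is the unsigned -1 that auditd records for an unset login uid.

# `require` both includes the class and orders it before the rules below.
require auditd

# --- time changes -----------------------------------------------------------
auditd::rule { 'check for 64bit time adjustment syscalls':
  content => '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
  order   => '01',
}
auditd::rule { 'check for 32bit time adjustment syscalls':
  content => '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
  order   => '02',
}
auditd::rule { 'check for 64bit clock adjustment syscalls':
  content => '-a always,exit -F arch=b64 -S clock_settime -k time-change',
  order   => '03',
}
auditd::rule { 'check for 32bit clock adjustment syscalls':
  content => '-a always,exit -F arch=b32 -S clock_settime -k time-change',
  order   => '04',
}
auditd::rule { 'watch for changes to the local time file':
  content => '-w /etc/localtime -p wa -k time-change',
  order   => '05',
}

# --- user/group identity files ---------------------------------------------
auditd::rule { 'watch for changes to group file':
  content => '-w /etc/group -p wa -k identity',
  order   => '06',
}
auditd::rule { 'watch for changes to passwd file':
  content => '-w /etc/passwd -p wa -k identity',
  order   => '07',
}
auditd::rule { 'watch for changes to gshadow file':
  content => '-w /etc/gshadow -p wa -k identity',
  order   => '08',
}
auditd::rule { 'watch for changes to shadow file':
  content => '-w /etc/shadow -p wa -k identity',
  order   => '09',
}
auditd::rule { 'watch for changes to opasswd file':
  content => '-w /etc/security/opasswd -p wa -k identity',
  order   => '10',
}

# --- hostname / network locale ---------------------------------------------
auditd::rule { 'check for 64bit hostname change syscalls':
  content => '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale',
  order   => '11',
}
auditd::rule { 'check for 32bit hostname change syscalls':
  content => '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale',
  order   => '12',
}
auditd::rule { 'watch for changes to issue notice file':
  content => '-w /etc/issue -p wa -k system-locale',
  order   => '13',
}
auditd::rule { 'watch for changes to issue.net notice file':
  content => '-w /etc/issue.net -p wa -k system-locale',
  order   => '14',
}
auditd::rule { 'watch for changes to hosts file':
  content => '-w /etc/hosts -p wa -k system-locale',
  order   => '15',
}
auditd::rule { 'watch for changes to network config file':
  content => '-w /etc/sysconfig/network -p wa -k system-locale',
  order   => '16',
}

# --- mandatory access control policy ---------------------------------------
auditd::rule { 'Record Events That Modify the Systems Mandatory Access Controls':
  content => '-w /etc/selinux/ -p wa -k MAC-policy',
  order   => '17',
}

# --- login / logout records ------------------------------------------------
auditd::rule { 'Collect Login and Logout Events to faillog':
  content => '-w /var/log/faillog -p wa -k logins',
  order   => '18',
}
auditd::rule { 'Collect Login and Logout Events to lastlog':
  content => '-w /var/log/lastlog -p wa -k logins',
  order   => '19',
}
auditd::rule { 'Collect Login and Logout Events to tallylog':
  content => '-w /var/log/tallylog -p wa -k logins',
  order   => '20',
}

# --- session records -------------------------------------------------------
auditd::rule { 'Collect Session Initiation Information for currently logged in users':
  content => '-w /var/run/utmp -p wa -k session',
  order   => '21',
}
auditd::rule { 'Collect Session Initiation Information for login, logout, shutdown, and reboot events':
  content => '-w /var/log/wtmp -p wa -k session',
  order   => '22',
}
auditd::rule { 'Collect Session Initiation Information for failed login attempts':
  content => '-w /var/log/btmp -p wa -k session',
  order   => '23',
}

# --- discretionary access control changes by real users --------------------
auditd::rule { 'Collect 64bit Discretionary Access Control Permission Modification Events fchmodat':
  content => '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '24',
}
auditd::rule { 'Collect 32bit Discretionary Access Control Permission Modification Events fchmodat':
  content => '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '25',
}
auditd::rule { 'Collect 64bit Discretionary Access Control Permission Modification Events fchownat':
  content => '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '26',
}
auditd::rule { 'Collect 32bit Discretionary Access Control Permission Modification Events fchownat':
  content => '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '27',
}
auditd::rule { 'Collect 64bit Discretionary Access Control Permission Modification Events attr':
  content => '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '28',
}
auditd::rule { 'Collect 32bit Discretionary Access Control Permission Modification Events attr':
  content => '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod',
  order   => '29',
}

# --- failed (denied) file access by real users -----------------------------
auditd::rule { 'Collect 64bit Unsuccessful Unauthorized Access Attempts to Files EACCES':
  content => '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '30',
}
auditd::rule { 'Collect 32bit Unsuccessful Unauthorized Access Attempts to Files EACCES':
  content => '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '31',
}
auditd::rule { 'Collect 64bit Unsuccessful Unauthorized Access Attempts to Files EPERM':
  content => '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '32',
}
auditd::rule { 'Collect 32bit Unsuccessful Unauthorized Access Attempts to Files EPERM':
  content => '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access',
  order   => '33',
}

# --- mounts ----------------------------------------------------------------
auditd::rule { 'Collect 64bit Successful File System Mounts':
  content => '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
  order   => '34',
}
auditd::rule { 'Collect 32bit Successful File System Mounts':
  content => '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
  order   => '35',
}

# --- deletions / renames ---------------------------------------------------
auditd::rule { 'Collect 64bit File Deletion Events by User':
  content => '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete',
  order   => '36',
}
auditd::rule { 'Collect 32bit File Deletion Events by User':
  content => '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete',
  order   => '37',
}

# --- privilege escalation scope and use ------------------------------------
auditd::rule { 'Collect Changes to System Administration Scope':
  content => '-w /etc/sudoers -p wa -k scope',
  order   => '38',
}
auditd::rule { 'Collect System Administrator Actions (sudolog)':
  content => '-w /var/log/sudo.log -p wa -k actions',
  order   => '39',
}

# --- kernel module loading -------------------------------------------------
auditd::rule { 'Collect Kernel Module Loading and Unloading insmod':
  content => '-w /sbin/insmod -p x -k modules',
  order   => '40',
}
auditd::rule { 'Collect Kernel Module Loading and Unloading rmmod':
  content => '-w /sbin/rmmod -p x -k modules',
  order   => '41',
}
auditd::rule { 'Collect Kernel Module Loading and Unloading modprobe':
  content => '-w /sbin/modprobe -p x -k modules',
  order   => '42',
}
auditd::rule { 'Collect 64bit programmatic Kernel Module Loading and Unloading':
  content => '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules',
  order   => '43',
}

# --- lock the configuration ------------------------------------------------
# Must be the last rule: once `-e 2` is loaded no further rule changes are
# accepted until the next reboot, so any rule sorted after it is silently lost.
auditd::rule { 'Make the Audit Configuration Immutable':
  content => '-e 2',
  order   => '44',
}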