Instantly share code, notes, and snippets.

Embed
What would you like to do?
Linux Auditd Best Practice Configuration
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Compiled by Florian Roth
#
# Created : 2017/12/05
# Modified : 2018/08/05
#
# Based on rules published here:
# Gov.uk auditd rules
# https://github.com/gds-operations/puppet-auditd/pull/1
# CentOS 7 hardening
# https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon
# Linux audit repo
# https://github.com/linux-audit/audit-userspace/tree/master/rules
# Auditd high performance linux auditing
# https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/
#
# Further rules
# For PCI DSS compliance see:
# https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules
# For NISPOM compliance see:
# https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules
# Remove any existing rules
-D
# Buffer Size
## Feel free to increase this if the machine panic's
-b 8192
# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1
# Ignore errors
## e.g. caused by users or files not found in the local environment
-i
# Self Auditing ---------------------------------------------------------------
## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-w /var/log/audit/ -k auditlog
## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Filters ---------------------------------------------------------------------
### We put these early because audit is a first match wins system.
## Ignore SELinux AVC records
-a always,exclude -F msgtype=AVC
## Ignore current working directory records
-a always,exclude -F msgtype=CWD
## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
## VMWare tools
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
### High Volume Event Filter (especially on Linux Workstations)
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
## More information on how to filter events
### https://access.redhat.com/solutions/2482221
# Rules -----------------------------------------------------------------------
## Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## Kernel module loading and unloading
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
## Modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
## KExec usage (all actions)
-a always,exit -F arch=b64 -S kexec_load -k KEXEC
-a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC
## Special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Mount operations (only attributable)
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount
# Change swap (only attributable)
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
## Time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
### Local time zone
-w /etc/localtime -p wa -k localtime
## Stunnel
-w /usr/sbin/stunnel -p x -k stunnel
## Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## User, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## Sudoers file changes
-w /etc/sudoers -p wa -k actions
## Passwd
-w /usr/bin/passwd -p x -k passwd_modification
## Tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## Login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## Network Environment
### Changes to hostname
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
### Changes to other files
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
-w /etc/network/ -p wa -k network
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
### Changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
## System startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## Library search paths
-w /etc/ld.so.conf -p wa -k libpath
## Pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
## Postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
## SSH configuration
-w /etc/ssh/sshd_config -k sshd
# Systemd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd/ -p wa -k systemd
## SELinux events that modify the system's Mandatory Access Controls (MAC)
-w /etc/selinux/ -p wa -k mac_policy
## Critical elements access failures
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess
## Process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Session initiation information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
## Discretionary Access Control (DAC) modifications
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# Special Rules ---------------------------------------------------------------
## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
-a always,exit -F arch=b32 -S all -k 32bit_api
## Reconnaissance
-w /usr/bin/whoami -p x -k recon
-w /etc/issue -p r -k recon
-w /etc/hostname -p r -k recon
## Suspicious activity
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k sbin_susp
## Sbin suspicious activity
-w /sbin/iptables -p x -k sbin_susp
-w /sbin/ifconfig -p x -k sbin_susp
-w /usr/sbin/tcpdump -p x -k sbin_susp
-w /usr/sbin/traceroute -p x -k sbin_susp
## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse
# Software Management ---------------------------------------------------------
# RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt
# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
# Special Software ------------------------------------------------------------
## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl
## IBM Bigfix BESClient
-a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient
-w /var/opt/BESClient/ -p wa -k soft_besclient
## CHEF https://www.chef.io/chef/
-w /etc/chef -p wa -k soft_chef
# High volume events ----------------------------------------------------------
## Remove them if the cause to much volumen in your einvironment
## Root command executions
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
## File Deletion Events by User
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
## File Access
### Unauthorized Access (unsuccessful)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access
### Unsuccessful Creation
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
### Unsuccessful Modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
# Make the configuration immutable --------------------------------------------
##-e 2
@matthew-williams

This comment has been minimized.

Show comment
Hide comment
@matthew-williams

matthew-williams Feb 22, 2018

Thank you a ton! this config has helped explain auditd rules alot.

matthew-williams commented Feb 22, 2018

Thank you a ton! this config has helped explain auditd rules alot.

@samihd

This comment has been minimized.

Show comment
Hide comment
@samihd

samihd Mar 19, 2018

Thank you a lot!!

samihd commented Mar 19, 2018

Thank you a lot!!

@gyrospectre

This comment has been minimized.

Show comment
Hide comment
@gyrospectre

gyrospectre Mar 28, 2018

Suggest the "tracing" rules need to be below the injection ones - first match means the current order will hide the others...

gyrospectre commented Mar 28, 2018

Suggest the "tracing" rules need to be below the injection ones - first match means the current order will hide the others...

@barkobamma

This comment has been minimized.

Show comment
Hide comment
@barkobamma

barkobamma Apr 9, 2018

This is great, I also like to add in a cmd history for every non system user (for servers):

-a always,entry -S execve -F auid>=500 -F auid!=4294967295 -k cmd_history

And it can be helpful debugging tool to add ulimit violations such as file descriptor limit exceeded:

-a always,exit -S open -F exit=-EMFILE -k "ulimit_exceeded"

barkobamma commented Apr 9, 2018

This is great, I also like to add in a cmd history for every non system user (for servers):

-a always,entry -S execve -F auid>=500 -F auid!=4294967295 -k cmd_history

And it can be helpful debugging tool to add ulimit violations such as file descriptor limit exceeded:

-a always,exit -S open -F exit=-EMFILE -k "ulimit_exceeded"

@itsecforu

This comment has been minimized.

Show comment
Hide comment
@itsecforu

itsecforu Apr 24, 2018

hey ! Can u help me plz?

1.In section "High volume events " do I need to use both types of rules for 32 and 64 bit systems as in section "32bit API Exploitation" ?

Remove them if the cause to much volumen in your einvironment

Does it mens, that it will makes large logfile.

Thx!

itsecforu commented Apr 24, 2018

hey ! Can u help me plz?

1.In section "High volume events " do I need to use both types of rules for 32 and 64 bit systems as in section "32bit API Exploitation" ?

Remove them if the cause to much volumen in your einvironment

Does it mens, that it will makes large logfile.

Thx!

@itsecforu

This comment has been minimized.

Show comment
Hide comment
@itsecforu

itsecforu commented Apr 27, 2018

no ideas?

@barkobamma

This comment has been minimized.

Show comment
Hide comment
@barkobamma

barkobamma Apr 27, 2018

For your first question about why both 32 and 64 architectures have rules its due to the possibility that the architectures have 2 different syscall numbers for the same syscall label. There is more info on that here: (https://www.systutorials.com/docs/linux/man/7-audit.rules/) . The relevant section is:

"Next in the rule would normally be the -S option. This field can either be the syscall name or number. For readability, the name is almost always used. You may give more than one syscall in a rule by specifying another -S option. When sent into the kernel, all syscall fields are put into a mask so that one compare can determine if the syscall is of interest. So, adding multiple syscalls in one rule is very efficient. When you specify a syscall name, auditctl will look up the name and get its syscall number. This leads to some problems on bi-arch machines. The 32 and 64 bit syscall numbers sometimes, but not always, line up. So, to solve this problem, you would generally need to break the rule into 2 with one specifying -F arch=b32 and the other specifying -F arch=b64. This needs to go in front of the -S option so that auditctl looks at the right lookup table when returning the number."

The answer to your second question is the High Volume events audit rules have the potential to cause a large number of events to be written to your audit log. For instance if someone was to run a find | xargs rm in a directory with thousands of files, you would get audit messages for every file. This can mean you end up with more log entries than you can handle which may impact the performance of your machine, or if you have configured auditd to halt on overflow it could lead to the machine crashing to prevent missing an audit message (a common way for attackers to cover their tracks is to overwhelm audit logs with noise so the messages related to their attack have a higher likelihood of being dropped out of the audit buffer).

barkobamma commented Apr 27, 2018

For your first question about why both 32 and 64 architectures have rules its due to the possibility that the architectures have 2 different syscall numbers for the same syscall label. There is more info on that here: (https://www.systutorials.com/docs/linux/man/7-audit.rules/) . The relevant section is:

"Next in the rule would normally be the -S option. This field can either be the syscall name or number. For readability, the name is almost always used. You may give more than one syscall in a rule by specifying another -S option. When sent into the kernel, all syscall fields are put into a mask so that one compare can determine if the syscall is of interest. So, adding multiple syscalls in one rule is very efficient. When you specify a syscall name, auditctl will look up the name and get its syscall number. This leads to some problems on bi-arch machines. The 32 and 64 bit syscall numbers sometimes, but not always, line up. So, to solve this problem, you would generally need to break the rule into 2 with one specifying -F arch=b32 and the other specifying -F arch=b64. This needs to go in front of the -S option so that auditctl looks at the right lookup table when returning the number."

The answer to your second question is the High Volume events audit rules have the potential to cause a large number of events to be written to your audit log. For instance if someone was to run a find | xargs rm in a directory with thousands of files, you would get audit messages for every file. This can mean you end up with more log entries than you can handle which may impact the performance of your machine, or if you have configured auditd to halt on overflow it could lead to the machine crashing to prevent missing an audit message (a common way for attackers to cover their tracks is to overwhelm audit logs with noise so the messages related to their attack have a higher likelihood of being dropped out of the audit buffer).

@itsecforu

This comment has been minimized.

Show comment
Hide comment
@itsecforu

itsecforu May 4, 2018

Thanks u a lot!

itsecforu commented May 4, 2018

Thanks u a lot!

@twisted87

This comment has been minimized.

Show comment
Hide comment
@twisted87

twisted87 Jun 4, 2018

Really useful, thanks!
I wonder why you inserted puppet, chef but not ansible.. I think it would be useful.

twisted87 commented Jun 4, 2018

Really useful, thanks!
I wonder why you inserted puppet, chef but not ansible.. I think it would be useful.

@zyamada

This comment has been minimized.

Show comment
Hide comment
@zyamada

zyamada Jun 4, 2018

Hi,

I noticed that the rule -w /etc/sysconfig/network -p wa -k network_modifications is contained twice in this gist. Both on lines 182 and 185.

zyamada commented Jun 4, 2018

Hi,

I noticed that the rule -w /etc/sysconfig/network -p wa -k network_modifications is contained twice in this gist. Both on lines 182 and 185.

@FlorianHeigl

This comment has been minimized.

Show comment
Hide comment
@FlorianHeigl

FlorianHeigl Jul 19, 2018

I forgot to write text. Anyway:
I wanted to say the list for SUSE is incomplete, it is RPM-based and the upper layer uility is 'zypper', but the path to rpm differs.
The below should match.

# Software Management ---------------------------------------------------------

# RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt

# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt

# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt

FlorianHeigl commented Jul 19, 2018

I forgot to write text. Anyway:
I wanted to say the list for SUSE is incomplete, it is RPM-based and the upper layer uility is 'zypper', but the path to rpm differs.
The below should match.

# Software Management ---------------------------------------------------------

# RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt

# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt

# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt

@Neo23x0

This comment has been minimized.

Show comment
Hide comment
@Neo23x0

Neo23x0 Aug 5, 2018

Thanks, I've added the missing lines

Owner

Neo23x0 commented Aug 5, 2018

Thanks, I've added the missing lines

@surajbora007

This comment has been minimized.

Show comment
Hide comment
@surajbora007

surajbora007 Aug 26, 2018

I want to monitor /etc/hosts file for modification (attribute , as well as write/execute).
I am using following rule
-w /etc/hosts -p wxa -k files
But for each modify event ausearch is given three records, can we we surpass it to single audit event.

surajbora007 commented Aug 26, 2018

I want to monitor /etc/hosts file for modification (attribute , as well as write/execute).
I am using following rule
-w /etc/hosts -p wxa -k files
But for each modify event ausearch is given three records, can we we surpass it to single audit event.

@kkavin

This comment has been minimized.

Show comment
Hide comment
@kkavin

kkavin Oct 8, 2018

I have used Discretionary Access Control (DAC) modifications, file access rules in centos 7 but I am getting the error.
-F missing operation for auid
Can you please help me on this.

kkavin commented Oct 8, 2018

I have used Discretionary Access Control (DAC) modifications, file access rules in centos 7 but I am getting the error.
-F missing operation for auid
Can you please help me on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment