@leandrosiow
Created March 18, 2020 18:04
# vi /etc/audit/audit.rules
# Referenced from https://www.thegeekdiary.com/audit-rules-for-monitoring-copy-move-delete-and-kill-commands-in-linux/
#
# Each rule fires on exit from an execve() of the named binary and tags the record
# with a key (-k) so the events can be pulled back out with: ausearch -k <key>
# On systems that run augenrules, place these rules in /etc/audit/rules.d/ instead,
# because audit.rules is regenerated from that directory.
#
# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k Copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k Move_Rename
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k Delete
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k Create_Edit_View_File
# Audit shutdown & Reboot commands
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k Reboot
# Audit mount and unmount commands
-a exit,always -F arch=b64 -S execve -F path=/bin/mount -k mount_device
-a exit,always -F arch=b64 -S execve -F path=/bin/umount -k unmount_device
# Kill Process
# kill() has no binary path to filter on, so every caller of the syscall is logged.
# arch=b64 is stated explicitly to match the rules above; without it auditctl assumes
# the native architecture and warns that none was specified.
-a exit,always -F arch=b64 -S kill -k Kill_Process
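The rules above only produce value once someone reads the records they generate. The following parser is an added example, not part of the gist or of the referenced article: it takes constructed audit.log lines in the documented auditd record format (type=..., msg=audit(timestamp:serial): field=value ...), joins the SYSCALL and EXECVE records of each event by serial number, decodes the hex-encoded EXECVE arguments auditd emits when an argument contains whitespace, and tallies events per rule key, which is the same grouping `ausearch -k <key>` selects on. The sample log lines, PIDs and uids are constructed; the field names are those auditd writes.

```python
"""Summarise auditd records produced by keyed execve/kill rules.

Added example: the SAMPLE_LOG lines below are constructed, not captured from a
real host. Field names (auid, uid, exe, key, argc, aN, ...) follow the auditd
record format; the logic here is a stand-alone reader, not part of audit-userspace.
"""
import re
from collections import Counter

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log.
# The records of one execve() event share a serial (456, 457 below). In the first
# EXECVE record a1 is hex-encoded because the argument "/tmp/my file" has a space.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1584554400.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cp" exe="/bin/cp" key="Copy"
type=EXECVE msg=audit(1584554400.123:456): argc=3 a0="cp" a1=2F746D702F6D792066696C65 a2="/tmp/p"
type=SYSCALL msg=audit(1584554401.500:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="reboot" exe="/sbin/reboot" key="Reboot"
type=EXECVE msg=audit(1584554401.500:457): argc=1 a0="reboot"
type=SYSCALL msg=audit(1584554402.000:458): arch=c000003e syscall=62 success=no exit=-1 ppid=1200 pid=1241 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="Kill_Process"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ARG_RE = re.compile(r"^a\d+$")


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and field map."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, quoted, bare in KV_RE.findall(body):
        value = bare if bare else quoted
        # auditd hex-encodes unquoted EXECVE argument values that contain
        # whitespace, quotes or control characters; turn them back into text.
        if rtype == "EXECVE" and bare and ARG_RE.match(key):
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all, keep the raw token
        fields[key] = value
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def summarize(log_text):
    """Join the SYSCALL and EXECVE records of each event into one summary dict."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(
            rec["serial"], {"serial": rec["serial"], "time": rec["time"], "argv": []}
        )
        fld = rec["fields"]
        if rec["type"] == "SYSCALL":
            ev.update(
                key=fld.get("key"),
                syscall=int(fld["syscall"]),
                success=fld.get("success") == "yes",
                # auid is the login uid: it survives su/sudo, so it names the person
                # even when uid shows 0, as in the reboot sample above.
                auid=int(fld["auid"]),
                uid=int(fld["uid"]),
                exe=fld.get("exe"),
                comm=fld.get("comm"),
            )
        elif rec["type"] == "EXECVE":
            ev["argv"] = [fld.get(f"a{i}", "") for i in range(int(fld["argc"]))]
    # Keep only events that matched one of the keyed rules.
    return [events[s] for s in sorted(events) if events[s].get("key")]


def count_by_key(events):
    """Tally events per rule key, the grouping `ausearch -k <key>` selects on."""
    return dict(Counter(ev["key"] for ev in events))


if __name__ == "__main__":
    evs = summarize(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev["time"]:.3f} key={ev["key"]} auid={ev["auid"]} uid={ev["uid"]} '
              f'exe={ev["exe"]} ok={ev["success"]} argv={ev["argv"]}')
    print(count_by_key(evs))
```

On a live host the same summary can be fed from `ausearch -k Copy` output instead of the embedded sample; the point of the auid column is that a `sudo reboot` still attributes to the login user, which is what makes the Reboot key useful for attribution.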