sudo cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Buffer Size
## Feel free to increase this if the machine panics or drops events under load (with -f 2 a full buffer halts the system)
-b 8192
# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1
# Ignore errors
## e.g. caused by users or files not found in the local environment
-i
# Self Auditing ---------------------------------------------------------------
## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-w /var/log/audit/ -k auditlog
## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Filters ---------------------------------------------------------------------
### We put these early because audit is a first match wins system.
## Ignore SELinux AVC records
-a always,exclude -F msgtype=AVC
## Ignore current working directory records
-a always,exclude -F msgtype=CWD
## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
# Rules -----------------------------------------------------------------------
## Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## Cron configuration & scheduled jobs
-w /etc/cron.d/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## User, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## Sudoers file changes
-w /etc/sudoers -p wa -k actions
## Passwd file changes
-w /usr/bin/passwd -p x -k passwd_modification
## System startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## SSH configuration
-w /etc/ssh/sshd_config -k sshd
# Systemd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd/ -p wa -k systemd
# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
## File Deletion Events by User
### auid>=500 is the traditional UID_MIN; Debian/Ubuntu give the first regular user UID 1000, so raise it if you only want interactive users.
### auid!=4294967295 skips processes with an unset login UID (daemons, not started from a login session).
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
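The rules above only pay off if a reload does not stack duplicates and every event-producing rule carries a `-k` key that `ausearch -k` can query. The following POSIX sh lint is an added example, not part of the gist: it reads a rules file before `augenrules --load` or `auditctl -R` and reports rules that violate those expectations. The function names `lint_audit_rules` and `make_sample_rules` and the sample rules file are assumptions made up for this example; the sample deliberately contains a watch without a key, a bad action,list pair and a late `-D`.

```sh
#!/bin/sh
# Added example (not the gist's file): lint an auditd rules file before loading it.
# Checks:
#   1. -D (delete all) precedes every rule, otherwise a reload stacks duplicates
#      (or, if -D comes later, wipes the rules already loaded);
#   2. every -w rule and every -a always,* rule carries a key (-k KEY or -F key=KEY),
#      so `ausearch -k KEY` / `aureport -k` can find its events;
#   3. every -a rule names a valid action,list pair (always|never with
#      exit|user|exclude|task|filesystem, in either order, as auditctl accepts).
# Problems are printed one per line; the return status is the number of problems.
lint_audit_rules() {
    file=$1
    problems=0
    seen_rule=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                     # blank lines and comments
            -D*)                                     # delete-all must come first
                if [ "$seen_rule" -eq 1 ]; then
                    echo "line $n: -D after rules; the rules above it would be discarded"
                    problems=$((problems + 1))
                fi ;;
            -w*|-a*)
                seen_rule=1
                needs_key=1
                case $line in
                    -a*)
                        # first word after -a is the action,list pair
                        pair=${line#-a}; pair=${pair# }; pair=${pair%% *}
                        case $pair in
                            always,exit|exit,always|never,exit|exit,never|\
                            always,user|user,always|never,user|user,never|\
                            always,exclude|exclude,always|never,exclude|exclude,never|\
                            always,task|task,always|never,task|task,never|\
                            always,filesystem|filesystem,always|never,filesystem|filesystem,never) ;;
                            *) echo "line $n: bad action,list '$pair'"
                               problems=$((problems + 1)) ;;
                        esac
                        # never/exclude rules produce no events, so a key is pointless there
                        case $pair in *never*|*exclude*) needs_key=0 ;; esac ;;
                esac
                if [ "$needs_key" -eq 1 ]; then
                    case " $line " in
                        *' -k '*|*' -F key='*) ;;
                        *) echo "line $n: rule without a key, ausearch -k cannot find it: $line"
                           problems=$((problems + 1)) ;;
                    esac
                fi ;;
        esac
    done < "$file"
    return "$problems"
}

# Constructed sample (not the gist's file). Expected findings:
#   the sshd_config watch has no key, 'exit,sometimes' is not a valid pair,
#   and the trailing -D would discard everything loaded before it.
make_sample_rules() {
    cat > "$1" <<'EOF'
-D
-b 8192
-f 1
-a always,exclude -F msgtype=AVC
-a exit,never -F subj_type=crond_t
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S unlink -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/ssh/sshd_config
-a exit,sometimes -S mount -k mount
-D
EOF
}

tmp=$(mktemp)
make_sample_rules "$tmp"
lint_audit_rules "$tmp" && echo "rules file is clean" || echo "$? problem(s) found"
rm -f "$tmp"
```

Run it as `lint_audit_rules /etc/audit/rules.d/audit.rules` before `augenrules --load`; afterwards `auditctl -l` shows what the kernel actually accepted, and `ausearch -k delete -i` or `aureport -k` confirms the keys are searchable. The lint does not check rule order within a list, so remember that `-a exit,never` only suppresses the `-w` and `-a always,exit` rules that come after it.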