Created
June 6, 2016 11:00
-
-
Save ugurengin/4d37ee83e87bc44291f8ae87a00504cd to your computer and use it in GitHub Desktop.
auditd-rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Record Events that Modify the System's Discretionary Access Controls | |
| -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| # audit_account_changes | |
| -w /etc/group -p wa -k audit_account_changes | |
| -w /etc/passwd -p wa -k audit_account_changes | |
| -w /etc/gshadow -p wa -k audit_account_changes | |
| -w /etc/shadow -p wa -k audit_account_changes | |
| -w /etc/security/opasswd -p wa -k audit_account_changes | |
| # audit_network_modifications | |
| -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications | |
| -w /etc/issue -p wa -k audit_network_modifications | |
| -w /etc/issue.net -p wa -k audit_network_modifications | |
| -w /etc/hosts -p wa -k audit_network_modifications | |
| -w /etc/sysconfig/network -p wa -k audit_network_modifications | |
| # Record Events that Modify the System's Mandatory Access Controls | |
| -w /etc/selinux/ -p wa -k MAC-policy | |
| # Record Attempts to Alter Logon and Logout Events | |
| -w /var/log/faillog -p wa -k logins | |
| -w /var/log/lastlog -p wa -k logins | |
| # Record Attempts to Alter Process and Session Initiation Information | |
| -w /var/run/utmp -p wa -k session | |
| -w /var/log/btmp -p wa -k session | |
| -w /var/log/wtmp -p wa -k session | |
| # Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | |
| -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access | |
| # Ensure auditd Collects Information on Exporting to Media (successful) | |
| -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export | |
| # Ensure auditd Collects File Deletion Events by User | |
| -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete | |
| # Ensure auditd Collects Information on Kernel Module Loading and Unloading | |
| -w /sbin/insmod -p x -k modules | |
| -w /sbin/rmmod -p x -k modules | |
| -w /sbin/modprobe -p x -k modules | |
| -a always,exit -F arch=b64 -S init_module -S delete_module -k modules |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment