Created
August 16, 2017 19:24
-
-
Save znsstudio/48cf5919b08d487cbd0064b6b9586399 to your computer and use it in GitHub Desktop.
auditd rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## gov.uk auditd rules, amended for hmrc | |
| ## Remove any existing rules | |
| -D | |
| ## Buffer Size | |
| ## Feel free to increase this if the machine panic's | |
| -b 8192 | |
| ## Failure Mode | |
| ## Possible values are 0 (silent), 1 (printk, print a failure message), | |
| ## and 2 (panic, halt the system). | |
| -f 1 | |
| ## Audit the audit logs. | |
| ## successful and unsuccessful attempts to read information from the | |
| ## audit records; all modifications to the audit trail | |
| -w /var/log/audit/ -k auditlog | |
| ## Auditd configuration | |
| ## modifications to audit configuration that occur while the audit | |
| ## collection functions are operating. | |
| -w /etc/audit/ -p wa -k auditconfig | |
| -w /etc/libaudit.conf -p wa -k auditconfig | |
| -w /etc/audisp/ -p wa -k audispconfig | |
| ## Monitor for use of audit management tools | |
| -w /sbin/auditctl -p x -k audittools | |
| -w /sbin/auditd -p x -k audittools | |
| ## special files | |
| -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles | |
| -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles | |
| ## Mount operations | |
| -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount | |
| -a exit,always -F arch=b64 -S mount -S umount2 -k mount | |
| ## changes to the time | |
| ## | |
| -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time | |
| -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time | |
| ## Use stunnel | |
| -w /usr/sbin/stunnel -p x -k stunnel | |
| ## cron configuration & scheduled jobs | |
| -w /etc/cron.allow -p wa -k cron | |
| -w /etc/cron.deny -p wa -k cron | |
| -w /etc/cron.d/ -p wa -k cron | |
| -w /etc/cron.daily/ -p wa -k cron | |
| -w /etc/cron.hourly/ -p wa -k cron | |
| -w /etc/cron.monthly/ -p wa -k cron | |
| -w /etc/cron.weekly/ -p wa -k cron | |
| -w /etc/crontab -p wa -k cron | |
| -w /var/spool/cron/crontabs/ -k cron | |
| ## user, group, password databases | |
| -w /etc/group -p wa -k etcgroup | |
| -w /etc/passwd -p wa -k etcpasswd | |
| -w /etc/gshadow -k etcgroup | |
| -w /etc/shadow -k etcpasswd | |
| -w /etc/security/opasswd -k opasswd | |
| ## monitor usage of passwd | |
| -w /usr/bin/passwd -p x -k passwd_modification | |
| #Monitor for use of tools to change group identifiers | |
| -w /usr/sbin/groupadd -p x -k group_modification | |
| -w /usr/sbin/groupmod -p x -k group_modification | |
| -w /usr/sbin/addgroup -p x -k group_modification | |
| -w /usr/sbin/useradd -p x -k user_modification | |
| -w /usr/sbin/usermod -p x -k user_modification | |
| -w /usr/sbin/adduser -p x -k user_modification | |
| ## login configuration and information | |
| -w /etc/login.defs -p wa -k login | |
| -w /etc/securetty -p wa -k login | |
| -w /var/log/faillog -p wa -k login | |
| -w /var/log/lastlog -p wa -k login | |
| -w /var/log/tallylog -p wa -k login | |
| ## network configuration | |
| -w /etc/hosts -p wa -k hosts | |
| -w /etc/network/ -p wa -k network | |
| ## system startup scripts | |
| -w /etc/inittab -p wa -k init | |
| -w /etc/init.d/ -p wa -k init | |
| -w /etc/init/ -p wa -k init | |
| ## library search paths | |
| -w /etc/ld.so.conf -p wa -k libpath | |
| ## local time zone | |
| -w /etc/localtime -p wa -k localtime | |
| ## kernel parameters | |
| -w /etc/sysctl.conf -p wa -k sysctl | |
| ## modprobe configuration | |
| -w /etc/modprobe.conf -p wa -k modprobe | |
| ## pam configuration | |
| -w /etc/pam.d/ -p wa -k pam | |
| -w /etc/security/limits.conf -p wa -k pam | |
| -w /etc/security/pam_env.conf -p wa -k pam | |
| -w /etc/security/namespace.conf -p wa -k pam | |
| -w /etc/security/namespace.init -p wa -k pam | |
| ## GDS specific secrets | |
| -w /etc/puppet/ssl -p wa -k puppet_ssl | |
| ## postfix configuration | |
| -w /etc/aliases -p wa -k mail | |
| -w /etc/postfix/ -p wa -k mail | |
| ## ssh configuration | |
| -w /etc/ssh/sshd_config -k sshd | |
| ## changes to hostname | |
| -a exit,always -F arch=b32 -S sethostname -k hostname | |
| -a exit,always -F arch=b64 -S sethostname -k hostname | |
| ## changes to issue | |
| -w /etc/issue -p wa -k etcissue | |
| -w /etc/issue.net -p wa -k etcissue | |
| ## this was to noisy currently. | |
| # log all commands executed by an effective id of 0 aka root. | |
| -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd | |
| -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd | |
| ## Capture all failures to access on critical elements | |
| -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess | |
| -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess | |
| ## Monitor for use of process ID change (switching accounts) applications | |
| -w /bin/su -p x -k priv_esc | |
| -w /usr/bin/sudo -p x -k priv_esc | |
| -w /etc/sudoers -p rw -k priv_esc | |
| ## Monitor usage of commands to change power state | |
| -w /sbin/shutdown -p x -k power | |
| -w /sbin/poweroff -p x -k power | |
| -w /sbin/reboot -p x -k power | |
| -w /sbin/halt -p x -k power | |
| ## Make the configuration immutable | |
| #-e 2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment