From 5f6476c2d35217555e2a7adc13cb30817e2af427 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Wed, 21 Feb 2024 06:14:36 +0100
Subject: [PATCH] Update audit.rules ssh

---
 audit.rules | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/audit.rules b/audit.rules
index 41b7e22..f0713c4 100644
--- a/audit.rules
+++ b/audit.rules
@@ -237,11 +237,15 @@
 -w /etc/exim4/ -p wa -k mail
 
 ## SSH configuration
--w /etc/ssh/sshd_config -k sshd
--w /etc/ssh/sshd_config.d -k sshd
+-a always,exit -F arch=b32 -F path=/etc/ssh/sshd_config -F perm=wa -F key=sshd
+-a always,exit -F arch=b64 -F path=/etc/ssh/sshd_config -F perm=wa -F key=sshd
+
+-a always,exit -F arch=b32 -F dir=/etc/ssh/sshd_config.d/ -F perm=wa -F key=sshd
+-a always,exit -F arch=b64 -F dir=/etc/ssh/sshd_config.d/ -F perm=wa -F key=sshd
 
 ## root ssh key tampering
--w /root/.ssh -p wa -k rootkey
+-a always,exit -F arch=b32 -F path=/root/.ssh -F perm=wa -F key=rootkey
+-a always,exit -F arch=b64 -F path=/root/.ssh -F perm=wa -F key=rootkey
 
 # Systemd
 -w /bin/systemctl -p x -k systemd
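Review bot: The two new `rootkey` rules use `-F path=/root/.ssh`, but /root/.ssh is a directory, and auditctl(8) describes `path=` as a watch on a single file-system object while `dir=` is the recursive form. The removed `-w /root/.ssh -p wa -k rootkey` was recursive, so after this change writes and attribute changes to files inside the directory (authorized_keys, for example) are likely no longer recorded under `rootkey`. Both arch lines should use `dir=`, as the hunk already does for sshd_config.d: `-a always,exit -F arch=b64 -F dir=/root/.ssh -F perm=wa -F key=rootkey`. Separately, the old sshd_config watches had no `-p` and so matched all access types; a comment such as `## write/attribute changes only; reads are intentionally not logged` above the new rules would record that the narrowing to `perm=wa` is deliberate.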