-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathauditd.rules
69 lines (57 loc) · 2.81 KB
/
auditd.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# available keys: ps, critical, high, medium, low
# ps: process creation, fork, and network access. For forensic use.
# critical: needs urgent attention, needs to be monitored at all times
# high: highly suspicious behavior, should be regularly monitored
# medium: suspicious behavior, look at this when time allows
# low: important events that do not need to be monitored but important enough to log for later investigation in case of compromise
# Delete any preexisting rules before starting to define new ones.
-D
# Set the number of buffers to take the audit messages. Depending on the level of audit logging on your system, increase or decrease this figure.
-b 8192
# Set the failure flag to use when the kernel needs to handle critical errors. Possible values are 0 (silent), 1 (printk, print a failure message), and 2 (panic, halt the system).
-f 2
# watch forks and network activity under key ps
-a always,exit -F arch=b64 -S execve -S vfork -S fork -S clone -S exit -S exit_group -S connect -S bind -S sendto -k ps
-a always,exit -F arch=b32 -S execve -S vfork -S fork -S clone -S exit -S exit_group -S socketcall -k ps
# Enable an audit context for any linking operation, such as symlink, link, unlink, or rename.
-a always,exit -F arch=b64 -S unlink -S rename -S link -S symlink -k high
-a always,exit -F arch=b32 -S unlink -S rename -S link -S symlink -k high
# Enable an audit context for any operation related to extended file system attributes.
-a always,exit -F arch=b64 -S setxattr -k high
-a always,exit -F arch=b64 -S lsetxattr -k high
-a always,exit -F arch=b64 -S fsetxattr -k high
-a always,exit -F arch=b64 -S removexattr -k high
-a always,exit -F arch=b64 -S lremovexattr -k high
-a always,exit -F arch=b64 -S fremovexattr -k high
# Same for 32bit
-a always,exit -F arch=b32 -S setxattr -k high
-a always,exit -F arch=b32 -S lsetxattr -k high
-a always,exit -F arch=b32 -S fsetxattr -k high
-a always,exit -F arch=b32 -S removexattr -k high
-a always,exit -F arch=b32 -S lremovexattr -k high
-a always,exit -F arch=b32 -S fremovexattr -k high
# Enable an audit context for the mknod system call, which creates special (device) files.
-a always,exit -F arch=b64 -S mknod -k high
# More high impact watches
-w /etc/passwd -p wa -k critical
-w /etc/shadow -k critical
-w /etc/group -p wa -k critical
-w /etc/sudoers -k low
-w /etc/sudoers.d/ -k low
-w /etc/sudoers -p wa -k critical
-w /etc/sudoers.d/ -p wa -k critical
# More medium impact watches
-w /bin/ -p wa -k medium
-w /boot/ -p wa -k medium
-w /etc/ -p wa -k medium
-w /lib/ -p wa -k medium
-w /opt/ -p wa -k medium
-w /root/ -p wa -k medium
-w /sbin/ -p wa -k medium
-w /srv/ -p wa -k medium
-w /usr/ -p wa -k medium
# no executables in /tmp/
-w /tmp/ -p x -k high
# Adjust those lines to the system at hand!
# make sure not to include dirs for cache files
-w /var/www/ -p wa -k medium