2022-06-02 21:47:36 +00:00
|
|
|
# Ignore CWD logs
|
|
|
|
-a exclude,always -F msgtype=CWD
|
|
|
|
|
2023-08-14 07:34:58 +00:00
|
|
|
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
|
|
|
|
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
|
2024-04-08 18:57:14 +00:00
|
|
|
-a always,exit -F arch=b32 -S stime -F key=audit_time_rule
|
2022-06-02 21:47:36 +00:00
|
|
|
-w /etc/localtime -p wa -k time-change
|
|
|
|
|
|
|
|
## Records when events occur that modify user and group passwords and ID's
|
|
|
|
{% for y in audit_identity_list %}
|
|
|
|
-w {{ y }} -p wa -k identity
|
|
|
|
{% endfor %}
|
|
|
|
|
|
|
|
## Records changes to network environment files or system calls
|
2023-08-14 07:34:58 +00:00
|
|
|
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
|
|
|
|
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
|
2022-06-02 21:47:36 +00:00
|
|
|
-w /etc/issue -p wa -k system-locale
|
|
|
|
-w /etc/issue.net -p wa -k system-locale
|
|
|
|
-w /etc/hosts -p wa -k system-locale
|
|
|
|
-w /etc/hostname -p wa -k system-locale
|
|
|
|
-w /etc/sysconfig/network -p wa -k system-locale
|
|
|
|
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
|
|
|
|
|
|
|
|
## Monitors SELinux Mandatory Access Controls
|
|
|
|
-w /etc/selinux/ -p wa -k MAC-policy
|
|
|
|
-w /usr/share/selinux/ -p wa -k MAC-policy
|
|
|
|
|
|
|
|
## Monitors login/logout/failed login events
|
|
|
|
# To be fair, these are normally logged in /var/log/secure
|
|
|
|
{% for y in audit_logins %}
|
|
|
|
-w {{ y }} -p wa -k logins
|
|
|
|
{% endfor %}
|
|
|
|
|
|
|
|
## Monitor session initiation events
|
|
|
|
## This will track file changes within sessions
|
|
|
|
{% for y in audit_session %}
|
|
|
|
-w {{ y }} -p wa -k session
|
|
|
|
{% endfor %}
|
|
|
|
|
|
|
|
## Monitor changes for files for UID's above {{ audit_auid }}
|
|
|
|
# You can take this out if you are on a non-PCI system
|
2023-08-14 07:34:58 +00:00
|
|
|
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
|
|
|
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
|
|
|
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
|
|
|
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
|
|
|
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
|
|
|
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
|
|
|
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
2023-08-14 07:40:04 +00:00
|
|
|
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
|
|
|
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
|
|
|
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
2022-06-02 21:47:36 +00:00
|
|
|
|
|
|
|
## Monitors mounting events for users
|
|
|
|
# You can probably take these out
|
|
|
|
-a always,exit -F arch=b64 -S mount -F auid>={{ audit_auid }} -F auid!=4294967295 -k mounts
|
|
|
|
-a always,exit -F arch=b32 -S mount -F auid>={{ audit_auid }} -F auid!=4294967295 -k mounts
|
|
|
|
## Collect file deletion events by a user
|
|
|
|
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{ audit_auid }} -F auid!=4294967295 -k delete
|
|
|
|
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{ audit_auid }} -F auid!=4294967295 -k delete
|
|
|
|
## Collect changes to System Administration Scope
|
|
|
|
# Note: This only records /etc/sudoers and doesn't watch /etc/sudoers.d
|
|
|
|
-w /etc/sudoers -p wa -k scope
|
|
|
|
-w /etc/sudoers.d -p wa -k scope
|
|
|
|
## Collect System Administrator Actions (sudolog)
|
|
|
|
-w /var/log/sudo.log -p wa -k actions
|
|
|
|
## Collect Kernel Module Loading and Unloading
|
2023-08-14 07:07:25 +00:00
|
|
|
# These are covered by the following two lines
|
|
|
|
#-w /sbin/kmod -p x -k modules
|
|
|
|
#-w /sbin/insmod -p x -k modules
|
|
|
|
#-w /sbin/rmmod -p x -k modules
|
|
|
|
#-w /sbin/modprobe -p x -k modules
|
|
|
|
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -k modules
|
|
|
|
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -k modules
|
2022-06-02 21:47:36 +00:00
|
|
|
|
|
|
|
{% for y in audit_suid_list %}
|
|
|
|
-a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
|
|
|
|
{% endfor %}
|
|
|
|
|
2023-08-14 07:07:25 +00:00
|
|
|
# Monitor specific calls
|
|
|
|
-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
|
|
|
|
-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
|
|
|
|
-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
|
|
|
|
-a always,exit -S all -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=usermod
|
|
|
|
|
2022-06-02 21:47:36 +00:00
|
|
|
# Is someone messing with our audit logs?
|
|
|
|
-w /var/log/audit/ -k audit-logs
|
|
|
|
|
|
|
|
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=4294967295 -F key=audit-logs
|
|
|
|
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=audit-logs
|
|
|
|
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=audit-logs
|
|
|
|
-a always,exit -F path=/usr/sbin/aulast -F perm=x -F key=audit-logs
|
|
|
|
-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -F key=audit-logs
|
|
|
|
-a always,exit -F path=/usr/sbin/auvirt -F perm=x -F key=audit-logs
|
|
|
|
|
|
|
|
# Privilege elevation
|
|
|
|
-a always,exit -F arch=b64 -S setuid -Fa0=0 -F exe={{ bin_su }} -F key=privileged
|
|
|
|
-a always,exit -F arch=b32 -S setuid -Fa0=0 -F exe={{ bin_su }} -F key=privileged
|
|
|
|
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe={{ bin_sudo }} -F key=privileged
|
|
|
|
-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe={{ bin_sudo }} -F key=privileged
|
|
|
|
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=privileged
|
|
|
|
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=privileged
|
|
|
|
|
|
|
|
-e 2
|