-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathaudit.rules
executable file
·115 lines (98 loc) · 6.25 KB
/
audit.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# #### -- ## Auditd Rules ## -- #####
##| --------------------------------------------------------------------------------
##| NETWORK: network related system calls to gather socket data from
##| inbound and outbound traffic.
##| start mod5
##| bind: EACCES The address is protected, and the user is not the superuser.
##| EACCES Search permission is denied on a component of the path prefix. (AF_UNIX)
##| EFAULT addr points outside the user’s accessible address space.
##| connect: EACCES, EPERM The user tried to connect to a broadcast address without having the
##| socket broadcast flag enabled or the connection request failed because of a local firewall rule.
##| accept: EPERM Firewall rules forbid connection.
##|
##| --------------------------------------------------------------------------------
-a always,exit -F arch=b64 -S bind -S connect -S accept -S accept4 -S listen -S socketpair -S socket -F exit=-EACCES -k SYS_NET_ERR
-a always,exit -F arch=b64 -S bind -S connect -S accept -S accept4 -S listen -S socketpair -S socket -F exit=-EPERM -k SYS_NET_ERR
-a always,exit -F arch=b64 -S bind -S connect -S accept -S accept4 -S listen -S socketpair -S socket -k SYS_NET
##| --------------------------------------------------------------------------------
##| MISC OS:
##|
##| init_module - Initialize a loadable module entry
##| -EPERM The user must have administrator module modification capabilities.
##| delete_module - Delete a loadable module
##| -EPERM The user must have administrator module modification capabilities.
##| pivot_root - change the root file system
##| -EPERM The calling process does not have the CAP_SYS_ADMIN capability.
##| mount: -EACCES A component of a path was not searchable;
##| mknod: -EPERM mode requested creation of something other than a regular file, FIFO (named pipe), or Unix domain socket
##|
##| --------------------------------------------------------------------------------
-a always,exit -F arch=b64 -S init_module -S delete_module -S mount -S pivot_root -S chroot -S mknod -F exit=-EPERM -k SYS_OS_ERR
#-a always,exit -F arch=b64 -S init_module -S delete_module -S mount -S pivot_root -S chroot -S mknod -F exit=-EACCESS -k SYS_OS_ERR
-a always,exit -F arch=b64 -S init_module -S delete_module -S mount -S pivot_root -S chroot -S mknod -k SYS_OS
##| --------------------------------------------------------------------------------
##| FILES: - Changes in ownership and permissions.
##|
##| mknodat - create a special or ordinary file relative to a directory file descriptor
##| linkat - create a file link relative to directory file descriptors
##|
##| --------------------------------------------------------------------------------
-a always,exit -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k SYS_FILE_CREATE_ERR
-a always,exit -F arch=b64 -S mkdir -S mkdirat -S link -S symlink -F exit=-EPERM -k SYS_FILE_CREATE_ERR
##| unsuccessful modifications
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -F exit=-EACCES -k SYS_FILE_MOD_ERR
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -F exit=-EPERM -k SYS_FILE_MOD_ERR
##| all chmods/chown, successful or otherwise
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F exit=-EACCES -k SYS_FILE_PERM_ERR
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F exit=-EPERM -k SYS_FILE_PERM_ERR
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -F exit=-EACCES -k SYS_FILE_PERM_ERR
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -F exit=-EPERM -k SYS_FILE_PERM_ERR
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k SYS_FILE_PERM
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k SYS_FILE_PERM
##| very special hello for the extended attribute set
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k SYS_FILE_XPERM
##| unsuccessful deletion
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F exit=-EACCES -k SYS_FILE_DELETE_ERR
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F exit=-EPERM -k SYS_FILE_DELETE_ERR
##| unsuccessful open
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k SYS_FILE_OPEN_ERR
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k SYS_FILE_OPEN_ERR
##| --------------------------------------------------------------------------------
##| EXECUTE: anything that gets executed should get logged
##| --------------------------------------------------------------------------------
-a always,exit -F arch=b64 -S execve -k SYS_EXEC
##| suid invocation
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k SYS_SUID_ERR
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k SYS_SUID
##| --------------------------------------------------------------------------------
##| TIME:
##| --------------------------------------------------------------------------------
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F exit=-EPERM -k SYS_TIME_ERR
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k SYS_TIME
##| --------------------------------------------------------------------------------
##| FILE SYSTEM MODS:
##| --------------------------------------------------------------------------------
##| pam configuration
-w /etc/pam.d/ -p wa -k CFG_PAM
-w /etc/security/access.conf -p wa -k CFG_PAM
-w /etc/security/limits.conf -p wa -k CFG_PAM
-w /etc/security/pam_env.conf -p wa -k CFG_PAM
-w /etc/security/namespace.conf -p wa -k CFG_PAM
-w /etc/security/namespace.d/ -p wa -k CFG_PAM
-w /etc/security/namespace.init -p wa -k CFG_PAM
-w /etc/security/sepermit.conf -p wa -k CFG_PAM
-w /etc/security/time.conf -p wa -k CFG_PAM
##| system type directory (s)
-w /etc -p w -k SYS_FILE
-w /usr/bin -p w -k SYS_FILE
-w /usr/sbin -p w -k SYS_FILE
-w /lib -p w -k SYS_FILE
-w /opt -p w -k SYS_FILE
##| track auditd mods
##| Set a watch on an audit configuration file.
##| Log all write and attribute change attempts to this file.
-w /etc/audit/auditd.conf -p wa -k SYS_AUDITD
-w /etc/audit/audit.rules -p wa -k SYS_AUDITD
-w /etc/libaudit.conf -p wa -k SYS_AUDITD
-w /etc/sysconfig/auditd -p wa -k SYS_AUDITD
# #### -- ## End Auditd Rules ## -- #####