less /etc/audit/audit.rules

1. # This file contains the auditctl rules that are loaded
2. # whenever the audit daemon is started via the initscripts.
3. # The rules are simply the parameters that would be passed
4. # to auditctl.
5.  
6. # First rule - delete all
7. -D
8.  
9. # Increase the buffers to survive stress events.
10. # Make this bigger for busy systems
11. -b 8096
12.  
13. # Feel free to add below this line. See auditctl man page
14.  
15. -w /var/spool/atspool
16. -w /etc/at.allow
17. -w /etc/at.deny
18.  
19. #-w /etc/cron.allow -p wa
20. #-w /etc/cron.deny -p wa
21. #-w /etc/cron.d/ -p wa
22. #-w /etc/cron.daily/ -p wa
23. #-w /etc/cron.hourly/ -p wa
24. #-w /etc/cron.monthly/ -p wa
25. #-w /etc/cron.weekly/ -p wa
26. -w /etc/crontab -p wa
27. -w /var/spool/cron/root
28. -w /usr/sbin/sendmail.postfix
29. -w /usr/sbin/sendmail
30.  
31. -w /etc/group -p wa
32. -w /etc/passwd -p wa
33. -w /etc/shadow
34.  
35. -w /etc/login.defs -p wa
36. -w /etc/securetty
37. -w /var/log/faillog
38. -w /var/log/lastlog
39.  
40. -w /etc/hosts -p wa
41. -w /etc/sysconfig/
42.  
43. -w /etc/inittab -p wa
44. -w /etc/init.d/
45. -w /etc/init.d/auditd -p wa
46.  
47. -w /etc/ld.so.conf -p wa
48.  
49. -w /etc/localtime -p wa
50.  
51. -w /etc/sysctl.conf -p wa
52.  
53. -w /etc/modprobe.d/
54. -w /etc/modprobe.conf.local -p wa
55. -w /etc/modprobe.conf -p wa
56.  
57. #-w /etc/pam.d/
58. -w /etc/aliases -p wa
59. #-w /etc/exim/ -p wa
60.  
61. -w /etc/httpd/
62. -w /usr/bin/perl
63.  
64. -w /root -S execve
65.  
66. -w /etc/ssh/sshd_config