[root@eastgate ~]# cat /etc/audit/auditd.conf # # This file controls the configuration of the audit daemon # log_file = /var/log/audit/audit.log log_format = RAW log_group = root priority_boost = 4 flush = INCREMENTAL freq = 20 num_logs = 4 disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain max_log_file = 5 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND ##tcp_listen_port = tcp_listen_queue = 5 tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd ##krb5_key_file = /etc/audit/audit.key [root@eastgate ~]# cat /etc/audit/audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 8192 -f 1 # Feel free to add below this line. See auditctl man page -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change #-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change ## Things that affect identity -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity ## Things that could affect system locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale ## Things that could affect MAC policy -w /etc/selinux/ -p wa -k MAC-policy ## The SysAdmin will configure the auditing system to audit the following events ## for all users and root: ## - Logon (unsuccessful and successful) and logout (successful) ## This is handled by pam, sshd, login, and gdm ## Might also want to watch these files if needing extra information -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins ##- Process and session initiation (unsuccessful and successful) ## ## The session initiation is audited by pam without any rules needed. ## Might also want to watch this file if needing extra information -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session ##- Discretionary access control permission modification (unsuccessful ## and successful use of chown/chmod) -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!= 4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod ##- Unauthorized access attempts to files (unsuccessful) -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate - F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate - F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access ##- Use of privileged commands (unsuccessful and successful) ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in ## a rule like this -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k p rivileged ##- Use of print command (unsuccessful and successful) ##- Export to media (successful) ## You have to mount media before using it. You must disable all automounting ## so that its done manually in order to get the correct user requesting the ## export -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export ##- System startup and shutdown (unsuccessful and successful) ##- Files and programs deleted by the user (successful and unsuccessful) -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>= 500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>= 500 -F auid!=4294967295 -k delete ##- All system administration actions ##- All security personnel actions ## ## Look for pam_tty_audit and add it to your login entry point's pam configs. ## If that is not found, use sudo which should be patched to record its ## commands to the audit system. Do not allow unrestricted root shells or ## sudo cannot record the action. -w /etc/sudoers -p wa -k actions ## Optional - could indicate someone trying to do something bad or ## just debugging #-a entry,always -F arch=b32 -S ptrace -k tracing #-a entry,always -F arch=b64 -S ptrace -k tracing ## Optional - could be an attempt to bypass audit or simply legacy program #-a always,exit -F arch=b32 -S personality -k bypass #-a always,exit -F arch=b64 -S personality -k bypass ## Put your own watches after this point # -w /your-file -p rwxa -k mykey ## Make the configuration immutable - reboot is required to change audit rules -e 2