  1. [root@eastgate ~]# cat /etc/audit/auditd.conf
  2. #
  3. # This file controls the configuration of the audit daemon
  4. #
  5.  
  6. log_file = /var/log/audit/audit.log
  7. log_format = RAW
  8. log_group = root
  9. priority_boost = 4
  10. flush = INCREMENTAL
  11. freq = 20
  12. num_logs = 4
  13. disp_qos = lossy
  14. dispatcher = /sbin/audispd
  15. name_format = NONE
  16. ##name = mydomain
  17. max_log_file = 5
  18. max_log_file_action = ROTATE
  19. space_left = 75
  20. space_left_action = SYSLOG
  21. action_mail_acct = root
  22. admin_space_left = 50
  23. admin_space_left_action = SUSPEND
  24. disk_full_action = SUSPEND
  25. disk_error_action = SUSPEND
  26. ##tcp_listen_port =
  27. tcp_listen_queue = 5
  28. tcp_max_per_addr = 1
  29. ##tcp_client_ports = 1024-65535
  30. tcp_client_max_idle = 0
  31. enable_krb5 = no
  32. krb5_principal = auditd
  33. ##krb5_key_file = /etc/audit/audit.key
  34. [root@eastgate ~]# cat /etc/audit/audit.rules
  35. # This file contains the auditctl rules that are loaded
  36. # whenever the audit daemon is started via the initscripts.
  37. # The rules are simply the parameters that would be passed
  38. # to auditctl.
  39.  
  40. # First rule - delete all
  41. -D
  42.  
  43. # Increase the buffers to survive stress events.
  44. # Make this bigger for busy systems
  45. -b 8192
  46.  
  47. -f 1
  48.  
  49. # Feel free to add below this line. See auditctl man page
  50. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
  51. #-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p                                                                                         wa -k time-change
  52.  
  53. ## Things that affect identity
  54.  
  55. -w /etc/group -p wa -k identity
  56. -w /etc/passwd -p wa -k identity
  57. -w /etc/gshadow -p wa -k identity
  58. -w /etc/shadow -p wa -k identity
  59. -w /etc/security/opasswd -p wa -k identity
  60.  
  61. ## Things that could affect system locale
  62.  
  63. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
  64. -w /etc/issue -p wa -k system-locale
  65. -w /etc/issue.net -p wa -k system-locale
  66. -w /etc/hosts -p wa -k system-locale
  67. -w /etc/sysconfig/network -p wa -k system-locale
  68.  
  69. ## Things that could affect MAC policy
  70.  
  71. -w /etc/selinux/ -p wa -k MAC-policy
  72.  
  73. ## The SysAdmin will configure the auditing system to audit the following events
  74. ## for all users and root:
  75. ## - Logon (unsuccessful and successful) and logout (successful)
  76. ##   This is handled by pam, sshd, login, and gdm
  77. ##   Might also want to watch these files if needing extra information
  78.     -w /var/log/faillog -p wa -k logins
  79.     -w /var/log/lastlog -p wa -k logins
  80. ##- Process and session initiation (unsuccessful and successful)
  81. ##
  82. ## The session initiation is audited by pam without any rules needed.
  83. ## Might also want to watch this file if needing extra information
  84. -w /var/run/utmp -p wa -k session
  85. -w /var/log/btmp -p wa -k session
  86. -w /var/log/wtmp -p wa -k session
  87. ##- Discretionary access control permission modification (unsuccessful
  88. ## and successful use of chown/chmod)
  89. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=                                                                                        4294967295 -k perm_mod
  90. -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500                                                                                         -F auid!=4294967295 -k perm_mod
  91. -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr                                                                                         -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
  92.  
  93. ##- Unauthorized access attempts to files (unsuccessful)
  94.  
  95. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -                                                                                        F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
  96. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -                                                                                        F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
  97.  
  98. ##- Use of privileged commands (unsuccessful and successful)
  99. ##  use find /bin -type f -perm -04000 2>/dev/null and put all those files in
  100. ## a rule like this
  101. -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k p                                                                                        rivileged
  102. ##- Use of print command (unsuccessful and successful)
  103. ##- Export to media (successful)
  104. ## You have to mount media before using it. You must disable all automounting
  105. ## so that its done manually in order to get the correct user requesting the
  106. ## export
  107. -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
  108. -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
  109. ##- System startup and shutdown (unsuccessful and successful)
  110. ##- Files and programs deleted by the user (successful and unsuccessful)
  111. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=                                                                                        500 -F auid!=4294967295 -k delete
  112. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=                                                                                        500 -F auid!=4294967295 -k delete
  113. ##- All system administration actions
  114. ##- All security personnel actions
  115. ##
  116. ## Look for pam_tty_audit and add it to your login entry point's pam configs.
  117. ## If that is not found, use sudo which should be patched to record its
  118. ## commands to the audit system. Do not allow unrestricted root shells or
  119. ## sudo cannot record the action.
  120. -w /etc/sudoers -p wa -k actions
  121. ## Optional - could indicate someone trying to do something bad or
  122. ## just debugging
  123. #-a entry,always -F arch=b32 -S ptrace -k tracing
  124. #-a entry,always -F arch=b64 -S ptrace -k tracing
  125. ## Optional - could be an attempt to bypass audit or simply legacy program
  126. #-a always,exit -F arch=b32 -S personality -k bypass
  127. #-a always,exit -F arch=b64 -S personality -k bypass
  128. ## Put your own watches after this point
  129. # -w /your-file -p rwxa -k mykey
  130. ## Make the configuration immutable - reboot is required to change audit rules
  131. -e 2