[root@eastgate ~]# cat /etc/audit/auditd.conf## This file controls the confi

1. [root@eastgate ~]# cat /etc/audit/auditd.conf
2. #
3. # This file controls the configuration of the audit daemon
4. #
5.  
6. log_file = /var/log/audit/audit.log
7. log_format = RAW
8. log_group = root
9. priority_boost = 4
10. flush = INCREMENTAL
11. freq = 20
12. num_logs = 4
13. disp_qos = lossy
14. dispatcher = /sbin/audispd
15. name_format = NONE
16. ##name = mydomain
17. max_log_file = 5
18. max_log_file_action = ROTATE
19. space_left = 75
20. space_left_action = SYSLOG
21. action_mail_acct = root
22. admin_space_left = 50
23. admin_space_left_action = SUSPEND
24. disk_full_action = SUSPEND
25. disk_error_action = SUSPEND
26. ##tcp_listen_port =
27. tcp_listen_queue = 5
28. tcp_max_per_addr = 1
29. ##tcp_client_ports = 1024-65535
30. tcp_client_max_idle = 0
31. enable_krb5 = no
32. krb5_principal = auditd
33. ##krb5_key_file = /etc/audit/audit.key
34. [root@eastgate ~]# cat /etc/audit/audit.rules
35. # This file contains the auditctl rules that are loaded
36. # whenever the audit daemon is started via the initscripts.
37. # The rules are simply the parameters that would be passed
38. # to auditctl.
39.  
40. # First rule - delete all
41. -D
42.  
43. # Increase the buffers to survive stress events.
44. # Make this bigger for busy systems
45. -b 8192
46.  
47. -f 1
48.  
49. # Feel free to add below this line. See auditctl man page
50. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
51. #-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change
52.  
53. ## Things that affect identity
54.  
55. -w /etc/group -p wa -k identity
56. -w /etc/passwd -p wa -k identity
57. -w /etc/gshadow -p wa -k identity
58. -w /etc/shadow -p wa -k identity
59. -w /etc/security/opasswd -p wa -k identity
60.  
61. ## Things that could affect system locale
62.  
63. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
64. -w /etc/issue -p wa -k system-locale
65. -w /etc/issue.net -p wa -k system-locale
66. -w /etc/hosts -p wa -k system-locale
67. -w /etc/sysconfig/network -p wa -k system-locale
68.  
69. ## Things that could affect MAC policy
70.  
71. -w /etc/selinux/ -p wa -k MAC-policy
72.  
73. ## The SysAdmin will configure the auditing system to audit the following events
74. ## for all users and root:
75. ## - Logon (unsuccessful and successful) and logout (successful)
76. ## This is handled by pam, sshd, login, and gdm
77. ## Might also want to watch these files if needing extra information
78. -w /var/log/faillog -p wa -k logins
79. -w /var/log/lastlog -p wa -k logins
80. ##- Process and session initiation (unsuccessful and successful)
81. ##
82. ## The session initiation is audited by pam without any rules needed.
83. ## Might also want to watch this file if needing extra information
84. -w /var/run/utmp -p wa -k session
85. -w /var/log/btmp -p wa -k session
86. -w /var/log/wtmp -p wa -k session
87. ##- Discretionary access control permission modification (unsuccessful
88. ## and successful use of chown/chmod)
89. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!= 4294967295 -k perm_mod
90. -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
91. -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
92.  
93. ##- Unauthorized access attempts to files (unsuccessful)
94.  
95. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate - F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
96. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate - F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
97.  
98. ##- Use of privileged commands (unsuccessful and successful)
99. ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in
100. ## a rule like this
101. -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k p rivileged
102. ##- Use of print command (unsuccessful and successful)
103. ##- Export to media (successful)
104. ## You have to mount media before using it. You must disable all automounting
105. ## so that its done manually in order to get the correct user requesting the
106. ## export
107. -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
108. -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
109. ##- System startup and shutdown (unsuccessful and successful)
110. ##- Files and programs deleted by the user (successful and unsuccessful)
111. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>= 500 -F auid!=4294967295 -k delete
112. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>= 500 -F auid!=4294967295 -k delete
113. ##- All system administration actions
114. ##- All security personnel actions
115. ##
116. ## Look for pam_tty_audit and add it to your login entry point's pam configs.
117. ## If that is not found, use sudo which should be patched to record its
118. ## commands to the audit system. Do not allow unrestricted root shells or
119. ## sudo cannot record the action.
120. -w /etc/sudoers -p wa -k actions
121. ## Optional - could indicate someone trying to do something bad or
122. ## just debugging
123. #-a entry,always -F arch=b32 -S ptrace -k tracing
124. #-a entry,always -F arch=b64 -S ptrace -k tracing
125. ## Optional - could be an attempt to bypass audit or simply legacy program
126. #-a always,exit -F arch=b32 -S personality -k bypass
127. #-a always,exit -F arch=b64 -S personality -k bypass
128. ## Put your own watches after this point
129. # -w /your-file -p rwxa -k mykey
130. ## Make the configuration immutable - reboot is required to change audit rules
131. -e 2