Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [root@eastgate ~]# cat /etc/audit/auditd.conf
- #
- # This file controls the configuration of the audit daemon
- #
- log_file = /var/log/audit/audit.log
- log_format = RAW
- log_group = root
- priority_boost = 4
- flush = INCREMENTAL
- freq = 20
- num_logs = 4
- disp_qos = lossy
- dispatcher = /sbin/audispd
- name_format = NONE
- ##name = mydomain
- max_log_file = 5
- max_log_file_action = ROTATE
- space_left = 75
- space_left_action = SYSLOG
- action_mail_acct = root
- admin_space_left = 50
- admin_space_left_action = SUSPEND
- disk_full_action = SUSPEND
- disk_error_action = SUSPEND
- ##tcp_listen_port =
- tcp_listen_queue = 5
- tcp_max_per_addr = 1
- ##tcp_client_ports = 1024-65535
- tcp_client_max_idle = 0
- enable_krb5 = no
- krb5_principal = auditd
- ##krb5_key_file = /etc/audit/audit.key
- [root@eastgate ~]# cat /etc/audit/audit.rules
- # This file contains the auditctl rules that are loaded
- # whenever the audit daemon is started via the initscripts.
- # The rules are simply the parameters that would be passed
- # to auditctl.
- # First rule - delete all
- -D
- # Increase the buffers to survive stress events.
- # Make this bigger for busy systems
- -b 8192
- -f 1
- # Feel free to add below this line. See auditctl man page
- -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
- #-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change
- ## Things that affect identity
- -w /etc/group -p wa -k identity
- -w /etc/passwd -p wa -k identity
- -w /etc/gshadow -p wa -k identity
- -w /etc/shadow -p wa -k identity
- -w /etc/security/opasswd -p wa -k identity
- ## Things that could affect system locale
- -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
- -w /etc/issue -p wa -k system-locale
- -w /etc/issue.net -p wa -k system-locale
- -w /etc/hosts -p wa -k system-locale
- -w /etc/sysconfig/network -p wa -k system-locale
- ## Things that could affect MAC policy
- -w /etc/selinux/ -p wa -k MAC-policy
- ## The SysAdmin will configure the auditing system to audit the following events
- ## for all users and root:
- ## - Logon (unsuccessful and successful) and logout (successful)
- ## This is handled by pam, sshd, login, and gdm
- ## Might also want to watch these files if needing extra information
- -w /var/log/faillog -p wa -k logins
- -w /var/log/lastlog -p wa -k logins
- ##- Process and session initiation (unsuccessful and successful)
- ##
- ## The session initiation is audited by pam without any rules needed.
- ## Might also want to watch this file if needing extra information
- -w /var/run/utmp -p wa -k session
- -w /var/log/btmp -p wa -k session
- -w /var/log/wtmp -p wa -k session
- ##- Discretionary access control permission modification (unsuccessful
- ## and successful use of chown/chmod)
- -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!= 4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
- ##- Unauthorized access attempts to files (unsuccessful)
- -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate - F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
- -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate - F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
- ##- Use of privileged commands (unsuccessful and successful)
- ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in
- ## a rule like this
- -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k p rivileged
- ##- Use of print command (unsuccessful and successful)
- ##- Export to media (successful)
- ## You have to mount media before using it. You must disable all automounting
- ## so that its done manually in order to get the correct user requesting the
- ## export
- -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
- -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
- ##- System startup and shutdown (unsuccessful and successful)
- ##- Files and programs deleted by the user (successful and unsuccessful)
- -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>= 500 -F auid!=4294967295 -k delete
- -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>= 500 -F auid!=4294967295 -k delete
- ##- All system administration actions
- ##- All security personnel actions
- ##
- ## Look for pam_tty_audit and add it to your login entry point's pam configs.
- ## If that is not found, use sudo which should be patched to record its
- ## commands to the audit system. Do not allow unrestricted root shells or
- ## sudo cannot record the action.
- -w /etc/sudoers -p wa -k actions
- ## Optional - could indicate someone trying to do something bad or
- ## just debugging
- #-a entry,always -F arch=b32 -S ptrace -k tracing
- #-a entry,always -F arch=b64 -S ptrace -k tracing
- ## Optional - could be an attempt to bypass audit or simply legacy program
- #-a always,exit -F arch=b32 -S personality -k bypass
- #-a always,exit -F arch=b64 -S personality -k bypass
- ## Put your own watches after this point
- # -w /your-file -p rwxa -k mykey
- ## Make the configuration immutable - reboot is required to change audit rules
- -e 2
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement