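---
# Auditbeat module configuration: kernel audit rules for kernel-module
# activity plus file-integrity monitoring of the system binary and
# configuration directories.
#
# NOTE(review): the module and key names below follow the Auditbeat GA schema
# (`auditd` with `audit_rules`, `file_integrity` with `paths`). The pre-release
# `audit` module with `metricsets: [kernel]` / `kernel.audit_rules` and
# `metricsets: [file]` / `file.paths` takes the same rule text; mixing the two
# schemas in one file is rejected, so confirm the installed Auditbeat version
# before deploying.
auditbeat.modules:

  - module: auditd
    # Rules are handed to the kernel audit subsystem in auditctl syntax.
    # `-F auid!=-1` drops events whose login uid is unset (daemons, boot-time
    # work), so only actions attributable to a logged-in user are recorded.
    # The `-k` keys carry the ATT&CK id T1215; current ATT&CK files this
    # technique as T1547.006 — keep the key as-is if existing detections
    # match on it.
    audit_rules: |
      # Define audit rules here.
      # Create file watches (-w) or syscall audits (-a or -A). For example:
      #-w /etc/passwd -p wa -k identity
      #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

      ## Kernel Related Events
      # Writes and attribute changes to the main sysctl file. Drop-in files
      # under /etc/sysctl.d/ are not covered by this watch — TODO confirm
      # whether the target uses them and add a watch on that directory.
      -w /etc/sysctl.conf -p wa -k sysctl
      # Execution of the module-management tools. On merged-/usr systems
      # /sbin may be a symlink to /usr/sbin — TODO confirm these paths match
      # on the target before relying on the rule.
      -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions
      -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions
      -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions
      # Module load/unload syscalls on both ABIs so 32-bit callers are not
      # missed; this catches loads that bypass the tools above.
      -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
      -a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions
      # Legacy single-file module configuration. Current distributions read
      # /etc/modprobe.d/ instead — TODO confirm and add a watch on that
      # directory so module blacklists/aliases are covered.
      -w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions

  - module: file_integrity
    # Directories whose files are hashed and reported on change. These hold
    # the binaries and configuration an intruder would tamper with to persist.
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc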