  1. # First rule - delete all
  2. -D
  3.  
  4. # Increase the buffers to survive stress events.
  5. # Make this bigger for busy systems
  6. -b 320
  7.  
  8. # Feel free to add below this line. See auditctl man page
  9.  
  10. -w /etc/group -p wa -k identityq
  11. -w /etc/passwd -p wa -k identity
  12. -w /etc/gshadow -p wa -k identity
  13. -w /etc/shadow -p wa -k identity
  14. -w /etc/security/opasswd -p wa -k identity
  15. -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
  16. -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
  17. -w /etc/issue -p wa -k system-locale
  18. -w /etc/issue.net -p wa -k system-locale
  19. -w /etc/hosts -p wa -k system-locale
  20. -w /etc/sysconfig/network -p wa -k system-locale
  21. -w /etc/selinux/ -p wa -k MAC-policy
  22. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
  23. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
  24. -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
  25. -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
  26. -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
  27. -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
  28. -w /var/log/faillog -p wa -k logins
  29. -w /var/log/lastlog -p wa -k logins
  30. -w /var/log/tallylog -p wa -k logins
  31. -w /var/run/utmp -p wa -k session
  32. -w /var/log/wtmp -p wa -k session
  33. -w /var/log/btmp -p wa -k session
  34. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
  35. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
  36. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
  37. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
  38. -a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  39. -a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  40. -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  41. -a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  42. -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  43. -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  44. -a always,exit -F path=/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  45. -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  46. -a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  47. -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  48. -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  49. -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  50. -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  51. -a always,exit -F path=/usr/sbin/lockdev -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  52. -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  53. -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  54. -a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  55. -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  56. -a always,exit -F path=/usr/libexec/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  57. -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  58. -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  59. -a always,exit -F path=/usr/local/bin/splash -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  60. -a always,exit -F path=/usr/lib64/nagios/plugins/check_ide_smart -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  61. -a always,exit -F path=/usr/lib64/vte/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  62. -a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  63. -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  64. -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  65. -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  66. -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  67. -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  68. -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  69. -a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  70. -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  71. -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  72. -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  73. -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  74. -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  75. -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  76. -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  77. -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
  78. -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
  79. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
  80. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
  81. -w /etc/sudoers -p wa -k scope
  82. -w /var/log/sudo.log -p wa -k actions
  83. -w /sbin/insmod -p x -k modules
  84. -w /sbin/rmmod -p x -k modules
  85. -w /sbin/modprobe -p x -k modules
  86. -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
  87. -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
  88. -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
  89. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
  90. -a always,exit -F arch=b64 -S clock_settime -k time-change
  91. -a always,exit -F arch=b32 -S clock_settime -k time-change
  92. -w /etc/localtime -p wa -k time-change
  93. ## Monitor usage of commands to change power state
  94. -w /sbin/shutdown -p x -k power
  95. -w /sbin/poweroff -p x -k power
  96. -w /sbin/reboot -p x -k power
  97. -w /sbin/halt -p x -k power