  1. # First rule - delete all
  2. -D
  3.  
  4. # Increase the buffers to survive stress events.
  5. # Make this bigger for busy systems
  6. -b 320
  7.  
  8. # Feel free to add below this line. See auditctl man page
  9.  
  10. -w /etc/group -p wa -k identityq
  11. -w /etc/passwd -p wa -k identity
  12. -w /etc/gshadow -p wa -k identity
  13. -w /etc/shadow -p wa -k identity
  14. -w /etc/security/opasswd -p wa -k identity
  15. -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
  16. -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
  17. -w /etc/issue -p wa -k system-locale
  18. -w /etc/issue.net -p wa -k system-locale
  19. -w /etc/hosts -p wa -k system-locale
  20. -w /etc/sysconfig/network -p wa -k system-locale
  21. -w /etc/selinux/ -p wa -k MAC-policy
  22. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
  23. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
  24. -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
  25. -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
  26. -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
  27. -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
  28. -w /var/log/faillog -p wa -k logins
  29. -w /var/log/lastlog -p wa -k logins
  30. -w /var/log/tallylog -p wa -k logins
  31. -w /var/run/utmp -p wa -k session
  32. -w /var/log/wtmp -p wa -k session
  33. -w /var/log/btmp -p wa -k session
  34. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
  35. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
  36. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
  37. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
  38. -a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  39. -a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  40. -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  41. -a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  42. -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  43. -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  44. -a always,exit -F path=/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  45. -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  46. -a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  47. -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  48. -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  49. -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  50. -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  51. -a always,exit -F path=/usr/sbin/lockdev -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  52. -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  53. -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  54. -a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  55. -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  56. -a always,exit -F path=/usr/libexec/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  57. -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  58. -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  59. -a always,exit -F path=/usr/local/bin/splash -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  60. -a always,exit -F path=/usr/lib64/nagios/plugins/check_ide_smart -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  61. -a always,exit -F path=/usr/lib64/vte/gnome-pty-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  62. -a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  63. -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  64. -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  65. -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  66. -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  67. -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  68. -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  69. -a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  70. -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  71. -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  72. -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  73. -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  74. -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  75. -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  76. -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
  77. -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
  78. -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
  79. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
  80. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
  81. -w /etc/sudoers -p wa -k scope
  82. -w /var/log/sudo.log -p wa -k actions
  83. -w /sbin/insmod -p x -k modules
  84. -w /sbin/rmmod -p x -k modules
  85. -w /sbin/modprobe -p x -k modules
  86. -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
  87. -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
  88. -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
  89. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
  90. -a always,exit -F arch=b64 -S clock_settime -k time-change
  91. -a always,exit -F arch=b32 -S clock_settime -k time-change
  92. -w /etc/localtime -p wa -k time-change
  93. ## Monitor usage of commands to change power state
  94. -w /sbin/shutdown -p x -k power
  95. -w /sbin/poweroff -p x -k power
  96. -w /sbin/reboot -p x -k power
  97. -w /sbin/halt -p x -k power