
Linux audit-rules

This is a set of rules for a Linux system with the audit package installed. The rules are compliant with the Center for Internet Security (CIS) Red Hat 6 Benchmark and give sufficient coverage to improve the security monitoring of a system.


### First rule - delete all
-D
### Enable auditing
-e 1
### Set failure mode
-f 1
### Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192
### Set rate
-r 0
### Record Events That Modify Date and Time Information
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k time-change -k ids-sys-low
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F auid!=-1 -k time-change -k ids-sys-low
#
-a always,exit -F arch=b64 -S clock_settime -k time-change -k ids-sys-low
-a always,exit -F arch=b32 -S clock_settime -k time-change -k ids-sys-low
#
-w /etc/localtime -p wa -k time-change -k ids-file-info
### Record Events That Modify User/Group Information
-w /etc/group -p wa -k identity -k ids-file-info
-w /etc/gshadow -p wa -k identity -k ids-file-info
-w /etc/passwd -p wa -k identity -k ids-file-info
-w /etc/security/opasswd -p wa -k identity -k ids-file-info
-w /etc/shadow -p wa -k identity -k ids-file-info
### Record Events That Modify the System's Network Environment
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -k ids-sys-low
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -k ids-sys-low
#
-w /etc/hosts -p wa -k system-locale -k ids-file-info
-w /etc/issue -p wa -k system-locale -k ids-file-info
-w /etc/issue.net -p wa -k system-locale -k ids-file-info
-w /etc/sysconfig/network -p wa -k system-locale -k ids-file-info
### Record Events That Modify the System's Mandatory Access Controls
-w /etc/selinux/ -p wa -k MAC-policy -k ids-sys-low -k ids-file-info
### Collect Login and Logout Events
-w /var/log/btmp -p wa -k session -k ids-file-info
-w /var/log/faillog -p wa -k logins -k ids-file-info
-w /var/log/lastlog -p wa -k logins -k ids-file-info
-w /var/log/tallylog -p wa -k logins -k ids-file-info
### Collect Session Initiation Information
-w /var/log/wtmp -p wa -k session -k ids-file-info
-w /var/run/utmp -p wa -k session -k ids-file-info
### Collect Discretionary Access Control Permission Modification Events
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
### Collect Unsuccessful Unauthorized Access Attempts to Files
-a always,exit -F arch=b64 -S creat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
-a always,exit -F arch=b32 -S creat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
#
-a always,exit -F arch=b64 -S creat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
-a always,exit -F arch=b32 -S creat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
### Collect Use of Privileged Commands
-w /usr/sbin/useradd -p x -k privileged -k ids-exec-info
-w /usr/sbin/userdel -p x -k privileged -k ids-exec-info
-w /usr/sbin/usermod -p x -k privileged -k ids-exec-info
#
-w /usr/sbin/groupadd -p x -k privileged -k ids-exec-info
-w /usr/sbin/groupdel -p x -k privileged -k ids-exec-info
-w /usr/sbin/groupmod -p x -k privileged -k ids-exec-info
### Collect Successful File System Mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=-1 -k mounts -k ids-sys-low
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=-1 -k mounts -k ids-sys-low
### Collect File Deletion Events by User
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
#
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
### Collect Changes to System Administration Scope (sudoers)
-w /etc/sudoers -p wa -k scope -k ids-file-med
### Collect System Administrator Actions
#
-w /var/log/sudo.log -p wa -k actions -k ids-file-info
### Collect Kernel Module Loading and Unloading
-a always,exit -F arch=b64 -S init_module -S delete_module -F auid>=500 -F auid!=-1 -k modules -k ids-sys-info
-a always,exit -F arch=b32 -S init_module -S delete_module -F auid>=500 -F auid!=-1 -k modules -k ids-sys-info
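As an added example (not part of the original slides), a small Python linter for a rule set like the one above: it checks that every rule carries a -k key, that -p values are well-formed, and that each syscall rule has both its b32 and b64 variant. The sample rules are constructed from the page with two deliberate defects; ARCH32_ONLY and the function names are my own.

```python
import shlex
from collections import defaultdict

ARCH32_ONLY = {"stime"}  # exists only on 32-bit x86, so a b64 twin is not expected

def parse_rule(line):
    """Parse one auditctl line; None for blanks, comments and control options (-D, -e, -b, ...)."""
    toks = shlex.split(line.split("#", 1)[0])
    rule = {"kind": None, "arch": "?", "path": None, "perms": None, "syscalls": [], "fields": [], "keys": []}
    for t, v in zip(toks, toks[1:] + [None]):  # option/value pairs; values never look like options here
        if t == "-a": rule["kind"] = "syscall"
        elif t == "-w": rule["kind"], rule["path"] = "watch", v
        elif t == "-S": rule["syscalls"].append(v)
        elif t == "-k": rule["keys"].append(v)
        elif t == "-p": rule["perms"] = v
        elif t == "-F":
            rule["fields"].append(v)
            if v.startswith("arch="): rule["arch"] = v[5:]
    return rule if rule["kind"] else None

def lint(text):
    """Findings: missing/duplicate keys, bad -p values, syscall rules lacking their b32/b64 twin."""
    findings, by_sig = [], defaultdict(set)
    for n, r in enumerate(filter(None, map(parse_rule, text.splitlines())), 1):
        if not r["keys"]:
            findings.append(f"rule {n}: no -k key; events cannot be searched with ausearch -k")
        if len(r["keys"]) != len(set(r["keys"])):
            findings.append(f"rule {n}: duplicate -k key in {r['keys']}")
        if r["kind"] == "watch":
            if not r["perms"] or set(r["perms"]) - set("rwxa"):
                findings.append(f"rule {n}: bad -p value {r['perms']!r} for {r['path']}")
        else:  # pair syscall rules by (syscalls, non-arch filters, keys); both arches must appear
            sig = (tuple(sorted(set(r["syscalls"]) - ARCH32_ONLY)),
                   tuple(f for f in r["fields"] if not f.startswith("arch=")), tuple(r["keys"]))
            by_sig[sig].add(r["arch"])
    for sig, arches in by_sig.items():
        if arches != {"b32", "b64"}:
            findings.append(f"syscalls {list(sig[0])} only covered for arch {sorted(arches)}")
    return findings

# Constructed sample: rule lines taken from the page plus two defects (bad -p, duplicate key).
SAMPLE_RULES = """\
-w /etc/passwd -p wa -k identity -k ids-file-info
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F auid!=-1 -k time-change
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=-1 -k mounts
-w /var/log/sudo.log -p -wa -k actions
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k access -k access
"""
```

Run `lint(open("/etc/audit/audit.rules").read())` against a live rules file; an empty list means the four checks passed.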