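### First rule - delete all existing rules, so this file is the only source of the loaded set
-D
### Enable auditing (1 = enabled; 2 = enabled and locked until reboot, see the end of this file)
-e 1
### Set failure mode (1 = printk on kernel-side audit failure; 2 = panic)
-f 1
### Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192
### Set rate (0 = no per-second message limit)
-r 0
### Record Events That Modify Date and Time Information
# auid!=-1 excludes events whose login UID is unset (4294967295), i.e. processes
# that never went through a login, such as daemons started at boot.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k time-change -k ids-sys-low
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F auid!=-1 -k time-change -k ids-sys-low
#
# Note: the clock_settime rules carry no auid filter, unlike the two rules above.
-a always,exit -F arch=b64 -S clock_settime -k time-change -k ids-sys-low
-a always,exit -F arch=b32 -S clock_settime -k time-change -k ids-sys-low
#
-w /etc/localtime -p wa -k time-change -k ids-file-info
### Record Events That Modify User/Group Information
-w /etc/group -p wa -k identity -k ids-file-info
-w /etc/gshadow -p wa -k identity -k ids-file-info
-w /etc/passwd -p wa -k identity -k ids-file-info
-w /etc/security/opasswd -p wa -k identity -k ids-file-info
-w /etc/shadow -p wa -k identity -k ids-file-info
### Record Events That Modify the System's Network Environment
# list,action order normalised to "always,exit" to match the rest of the file
# (auditctl accepts both orders; the loaded rule is identical).
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -k ids-sys-low
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -k ids-sys-low
#
-w /etc/hosts -p wa -k system-locale -k ids-file-info
-w /etc/issue -p wa -k system-locale -k ids-file-info
-w /etc/issue.net -p wa -k system-locale -k ids-file-info
-w /etc/sysconfig/network -p wa -k system-locale -k ids-file-info
### Record Events That Modify the System's Mandatory Access Controls
-w /etc/selinux/ -p wa -k MAC-policy -k ids-sys-low -k ids-file-info
### Collect Login and Logout Events
-w /var/log/btmp -p wa -k session -k ids-file-info
-w /var/log/faillog -p wa -k logins -k ids-file-info
-w /var/log/lastlog -p wa -k logins -k ids-file-info
-w /var/log/tallylog -p wa -k logins -k ids-file-info
### Collect Session Initiation Information
-w /var/log/wtmp -p wa -k session -k ids-file-info
-w /var/run/utmp -p wa -k session -k ids-file-info
### Collect Discretionary Access Control Permission Modification Events
# NOTE: auid>=500 assumes UID_MIN=500. On distributions where /etc/login.defs sets
# UID_MIN=1000, raise the threshold in every rule below, otherwise system accounts
# in the 500-999 range are audited as if they were interactive users.
# Only failed calls (exit=-EACCES / exit=-EPERM) are recorded in this section.
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
# Each rule must be a single line: a rule file is parsed line by line, so a wrapped
# "-F" / "auid!=-1 ..." pair is rejected as two malformed rules and the xattr
# syscalls would silently go unaudited.
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EACCES -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
#
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit=-EPERM -F auid>=500 -F auid!=-1 -k perm_mod -k ids-sys-low
### Collect Unsuccessful Unauthorized Access Attempts to Files
# The "access" key was listed twice per rule; a single key is sufficient for ausearch -k access.
-a always,exit -F arch=b64 -S creat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
-a always,exit -F arch=b32 -S creat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
#
-a always,exit -F arch=b64 -S creat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
-a always,exit -F arch=b32 -S creat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=-1 -k access -k ids-sys-hi
### Collect Use of Privileged Commands
# "-p x" records execution of the watched binary.
-w /usr/sbin/useradd -p x -k privileged -k ids-exec-info
-w /usr/sbin/userdel -p x -k privileged -k ids-exec-info
-w /usr/sbin/usermod -p x -k privileged -k ids-exec-info
#
-w /usr/sbin/groupadd -p x -k privileged -k ids-exec-info
-w /usr/sbin/groupdel -p x -k privileged -k ids-exec-info
-w /usr/sbin/groupmod -p x -k privileged -k ids-exec-info
### Collect Successful File System Mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=-1 -k mounts -k ids-sys-low
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=-1 -k mounts -k ids-sys-low
### Collect File Deletion Events by User
# Only *failed* deletions/renames are captured here (exit=-EACCES / -EPERM);
# drop the exit filter if successful deletions must be recorded as well.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F exit=-EACCES -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
#
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F exit=-EPERM -F auid>=500 -F auid!=-1 -k delete -k ids-sys-med
### Collect Changes to System Administration Scope (sudoers)
# Drop-in files under /etc/sudoers.d/ grant privileges just like /etc/sudoers and are watched too.
-w /etc/sudoers -p wa -k scope -k ids-file-med
-w /etc/sudoers.d/ -p wa -k scope -k ids-file-med
### Collect System Administrator Actions
# Enable only if sudo is configured to log to this file. Permission flags are
# "wa" (write, attribute change); the earlier "-p -wa" form would not load.
# -w /var/log/sudo.log -p wa -k actions -k ids-file-info
### Collect Kernel Module Loading and Unloading
-a always,exit -F arch=b64 -S init_module -S delete_module -F auid>=500 -F auid!=-1 -k modules -k ids-sys-info
-a always,exit -F arch=b32 -S init_module -S delete_module -F auid>=500 -F auid!=-1 -k modules -k ids-sys-info
### Make the configuration immutable
# Uncomment once the rule set is final: with -e 2 no rule can be added, removed
# or the audit system disabled until the next reboot. Keep it as the last line.
# -e 2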

Linux audit-rules
