GWL Audit Rules

This document contains the audit rules configuration file for a Linux system. It defines rules for auditing various system events such as file access, permission changes, login/logout events, kernel modifications and more. The rules log information to the audit log files and use key identifiers to classify the type of event, such as "failed_access" or "user_access". It also sets buffers to store audit records and makes the configuration immutable.

Uploaded by

Muneeb Hassan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
230 views2 pages

GWL Audit Rules

This document contains the audit rules configuration file for an Linux system. It defines rules for auditing various system events like file access, permissions changes, login/logout events, kernel modifications and more. The rules log information to the audit log files, and use identifiers to classify the type of event, like "failed_access" or "user_access". It also sets buffers to store audit records and makes the configuration immutable.

Uploaded by

Muneeb Hassan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 2

Sample from IGM on-premise host fcosrsapd1

# Print the audit rules file that is reproduced below.
cat -- /etc/audit.rules
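# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
# Each rule must sit on a single line: auditctl reads the file line by
# line, so a rule that wraps onto a second line is rejected (or, worse,
# silently loses its trailing filters and key). The rules below that had
# been wrapped for display are joined back into single lines.
#
# NOTE(review): no -f (failure mode) is set, so auditctl's default of
# 0 (silent) applies when the kernel cannot deliver a record. -f 1 would
# at least printk such failures; deliberately left unchanged here.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# Feel free to add below this line. See auditctl man page

# Audit log files
# Any write to, or attribute change of, the audit log directory is keyed
# so that tampering with the trail itself shows up in the trail.
-w /var/log/audit -p wa -k clear_audit

# Unsuccessful Access Attempts
# auid>=1000 restricts these to login uids at or above 1000 (the usual
# first regular-user uid); auid!=4294967295 drops processes whose login
# uid was never set (4294967295 is -1 unsigned, i.e. "unset"), such as
# daemons started at boot. The same pair is used on the rules below.
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k failed_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k failed_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k failed_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k failed_access

# File Deletion
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k file_del
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k file_del

# Access Control Permission Modification
# Mode, ownership and extended-attribute changes all share the perm_mod key.
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

# Commands executed by Root -- too NOISY
# Kept commented out on purpose. Note that the first form uses the
# "entry" list, which newer kernels no longer accept; if root command
# auditing is ever re-enabled, use the two exit/execve forms only.
#-a entry,always -S all -F uid=0 -k root_exec
#-a exit,always -F arch=b64 -F euid=0 -S execve
#-a exit,always -F arch=b32 -F euid=0 -S execve

# Gain more system access
-w /etc/sudoers -p wa -k sudo_setup
-w /etc/sudoers.d -p wa -k sudo_setup
# Site-specific sudo command log for this host; keep in sync with the
# local sadmin tooling if that path ever moves.
-w /usr/local/sadmin/.usrcmdlog -p wa -k sudo_setup

# Monitor changes on user/group
-w /etc/group -p wa -k user_access
-w /etc/passwd -p wa -k user_access
-w /etc/gshadow -p wa -k user_access
-w /etc/shadow -p wa -k user_access
-w /etc/security/opasswd -p wa -k user_access

# Login/Logout Events
# Writes to the failure/last-login databases; clearing them is a common
# way of hiding failed or successful logins.
-w /var/log/faillog -p wa -k clear_logins
-w /var/log/lastlog -p wa -k clear_logins
-w /var/log/tallylog -p wa -k clear_logins

# Sessions Information
-w /var/run/utmp -p wa -k session_log
-w /var/log/btmp -p wa -k session_log
-w /var/log/wtmp -p wa -k session_log

# Monitor changes on local settings
-w /etc/pam.d -p wa -k system_config
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system_config
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system_config
-w /etc/motd -p wa -k system_config
-w /etc/issue -p wa -k system_config
-w /etc/issue.net -p wa -k system_config
-w /etc/hosts -p wa -k system_config
-w /etc/sysconfig/network -p wa -k system_config

# Monitor date and time modification
# stime exists only as a 32-bit syscall, so it appears on the b32 rule
# alone; adjtimex/settimeofday need one rule per arch. The original file
# listed arch=b32 twice here, which left 64-bit callers of adjtimex and
# settimeofday unaudited; the second rule is the b64 counterpart.
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time_change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -F arch=b64 -S clock_settime -k time_change
-a always,exit -F arch=b32 -S clock_settime -k time_change
-w /etc/localtime -p wa -k time_change

# Monitor FS mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k fs_export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k fs_export

# Monitor kernel module load/unload
# Both arches are audited; the original file had the b64 syscall rule only,
# so a 32-bit loader binary would have bypassed it.
-a always,exit -F arch=b64 -S init_module -S delete_module -k kernel_mod
-a always,exit -F arch=b32 -S init_module -S delete_module -k kernel_mod
# NOTE(review): finit_module (loading a module from an open fd) is not
# covered; add it to both rules above if the kernel and auditctl on this
# host recognise that syscall name, otherwise the whole file fails to load.
-w /usr/sbin/insmod -p x -k kernel_mod
-w /usr/sbin/rmmod -p x -k kernel_mod
-w /usr/sbin/modprobe -p x -k kernel_mod

# MAC Modification
-w /etc/selinux/ -p wa -k MAC_policy

## Make the configuration immutable
# With -e 2 the rule set cannot be changed or unloaded until the next
# reboot, so keep this as the very last line and verify the rules with
# auditctl -l before enabling it.
-e 2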
