Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fix/14704
dependabot/pip/ansible-9.4.0
master
dependabot/github_actions/actions/setup-python-5.1.0
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff66be9ba8'
${ noResults }
algo/roles/logging/templates/audit.rules.j2

102 lines
4.4 KiB
Plaintext
Raw Normal View History Unescape Escape

Roles and Google cloud
8 years ago
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
# Record Events That Modify Date and Time Information
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
{% endif %}
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/localtime -p wa -k time-change
# Record Events That Modify User/Group Information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Record Events That Modify the System's Network Environment
{% if ansible_architecture == "x86_64" %}
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
{% endif %}
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network/interfaces -p wa -k system-locale
# Collect Login and Logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# Collect Session Initiation Information
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
# Collect Discretionary Access Control Permission Modification Events
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
{% endif %}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# Collect Unsuccessful Unauthorized Access Attempts to Files
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
{% endif %}
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# Collect Use of Privileged Commands
{% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %}
{{ privileged_programs.stdout }}
{% endif %}
# Collect Successful File System Mounts
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
{% endif %}
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
# Collect File Deletion Events by User
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
{% endif %}
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
# Collect Changes to System Administration Scope
-w /etc/sudoers -p wa -k scope
# Collect System Administrator Actions (sudolog)
-w /var/log/sudo.log -p wa -k actions
# Collect Kernel Module Loading and Unloading
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-e 2