# This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 320 # Feel free to add below this line. See auditctl man page # Record Events That Modify Date and Time Information {% if ansible_architecture == "x86_64" %} -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change {% endif %} -a always,exit -F arch=b32 -S clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -w /etc/localtime -p wa -k time-change # Record Events That Modify User/Group Information -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Record Events That Modify the System's Network Environment {% if ansible_architecture == "x86_64" %} -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale {% endif %} -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network/interfaces -p wa -k system-locale # Collect Login and Logout Events -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Collect Session Initiation Information -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Collect Discretionary Access Control Permission Modification Events {% if ansible_architecture == "x86_64" %} -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod {% endif %} -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod # Collect Unsuccessful Unauthorized Access Attempts to Files {% if ansible_architecture == "x86_64" %} -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access {% endif %} -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access # Collect Use of Privileged Commands {% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %} {{ privileged_programs.stdout }} {% endif %} # Collect Successful File System Mounts {% if ansible_architecture == "x86_64" %} -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts {% endif %} -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts # Collect File Deletion Events by User {% if ansible_architecture == "x86_64" %} -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete {% endif %} -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete # Collect Changes to System Administration Scope -w /etc/sudoers -p wa -k scope # Collect System Administrator Actions (sudolog) -w /var/log/sudo.log -p wa -k actions # Collect Kernel Module Loading and Unloading {% if ansible_architecture == "x86_64" %} -a always,exit -F arch=b64 -S init_module -S delete_module -k modules {% endif %} -a always,exit -F arch=b32 -S init_module -S delete_module -k modules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -e 2