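# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
# Ordering matters: auditctl applies this file top to bottom, and once
# "-e 2" (immutable mode) has been processed every later rule change is
# rejected. The immutable-mode line is therefore kept as the LAST line of
# this file; anything placed after it would silently never be loaded.
#
# Filter conventions used below:
#   -F auid>=500          only audit real (logged-in) users; UIDs below 500
#                         are system accounts on this distribution's layout
#   -F auid!=4294967295   4294967295 is the "unset" login UID (-1), i.e.
#                         daemons and processes with no login session
#   -k <key>              search key for `ausearch -k <key>` / `aureport -k`

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems (events are dropped when the backlog
# fills, so a too-small value loses records under load).
-b 320

# Feel free to add below this line. See auditctl man page

# CIS Benchmark Adjustments

# CIS 5.2.12 - Record events that modify date and time information.
# stime exists only in the 32-bit syscall table, hence no b64 counterpart.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

# CIS 5.2.5 - Record events that modify user/group information.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

# CIS 5.2.6 - Record events that modify the system's network environment.
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

# CIS 5.2.7 - Record events that modify mandatory access controls (SELinux).
-w /etc/selinux/ -p wa -k MAC-policy

# CIS 5.2.8 - Collect login and logout events.
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

# CIS 5.2.9 - Collect session initiation information.
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

# CIS 5.2.10 - Collect discretionary access control permission changes.
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# CIS 5.2.11 - Collect unsuccessful unauthorized file access attempts.
# Only failed opens are recorded (exit=-EACCES / exit=-EPERM), which keeps
# the volume down while still catching probing of protected files.
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# CIS 5.2.13 - Collect successful file system mounts.
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

# CIS 5.2.14 - Collect file deletion events by user.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

# CIS 5.2.15 - Collect changes to system administration scope (sudoers).
-w /etc/sudoers -p wa -k scope

# CIS 5.2.16 - Collect system administrator actions (sudo log).
-w /var/log/sudo.log -p wa -k actions

# CIS 5.2.17 - Collect kernel module loading and unloading.
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

# CCE-26457-2
# Ensure auditd Collects Information on the Use of Privileged Commands
# (these were previously placed after "-e 2" and so were never loaded).
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

# CIS 5.2.12 - Make the audit configuration immutable.
# MUST remain the last line: after this, rule changes are refused until
# reboot, so any rule appended below it would not take effect.
-e 2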