forked from gdestuynder/audisp-json
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
067f28e
commit 73840da
Showing
1 changed file
with
126 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| # Delete all rules | ||
| -D | ||
| # Maximum amount of kernel buffers | ||
| -b 16384 | ||
| # Ignore loading errors, in case file path do not exist | ||
| -i | ||
| # Rate limit to 1000 msg/sec | ||
| -r 1000 | ||
|
|
||
| # Syscall bypass | ||
| -a always,exit -F arch=b64 -S personality -k bypass | ||
| -a always,exit -F arch=b32 -S personality -k bypass | ||
|
|
||
| # Whitelist command spam out of execve (optional) | ||
| #-A exit,never -F dir=/usr/lib/nagios/plugins -F perm=x | ||
| #-A exit,never -F dir=/usr/lib64/nagios/plugins -F perm=x | ||
| #-A exit,never -F path=/opt/compaq/utils/usb-device.sh -F perm=x | ||
| #-A exit,never -F path=/opt/hp/hp-snmp-agents/utils/usb-device.sh -F perm=x | ||
| #-A exit,never -F path=/bin/ls -F perm=x | ||
| #-A exit,never -F path=/bin/sh -F perm=x | ||
| #-A exit,never -F path=/bin/grep -F perm=x | ||
| #-A exit,never -F path=/bin/egrep -F perm=x | ||
| #-A exit,never -F path=/bin/less -F perm=x | ||
| #-A exit,never -F path=/usr/bin/lesspipe.sh -F perm=x | ||
| #-A exit,never -F path=/usr/bin/tail -F perm=x | ||
| #-A exit,never -F path=/sbin/consoletype -F perm=x | ||
| #-A exit,never -F path=/bin/stty -F perm=x | ||
| #-A exit,never -F path=/usr/bin/tty -F perm=x | ||
| #-A exit,never -F path=/bin/tput -F perm=x | ||
| #-A exit,never -F path=/usr/bin/file -F perm=x | ||
| #-A exit,never -F path=/usr/bin/w -F perm=x | ||
| #-A exit,never -F path=/bin/netstat -F perm=x | ||
| #-A exit,never -F path=/bin/uname -F perm=x | ||
| #-A exit,never -F path=/bin/basename -F perm=x | ||
| #-A exit,never -F path=/usr/bin/which -F perm=x | ||
| #-A exit,never -F path=/bin/netstat -F perm=x | ||
| #-A exit,never -F path=/usr/bin/netstat -F perm=x | ||
| #-A exit,never -F path=/bin/hostname -F perm=x | ||
| #-A exit,never -F path=/usr/bin/wc -F perm=x | ||
| #-A exit,never -F path=/usr/bin/gmetric -F perm=x | ||
| #-A exit,never -F path=/sbin/ethtool -F perm=x | ||
| #-A exit,never -F path=/usr/bin/sed -F perm=x | ||
| #-A exit,never -F path=/bin/sed -F perm=x | ||
| #-A exit,never -F path=/bin/ping -F perm=x | ||
| #-A exit,never -F path=/sbin/lsmod -F perm=x | ||
| #-A exit,never -F path=/bin/sleep -F perm=x | ||
| #-A exit,never -F path=/bin/cut -F perm=x | ||
| #-A exit,never -F path=/bin/touch -F perm=x | ||
| #-A exit,never -F path=/bin/env -F perm=x | ||
|
|
||
| # execve/processes audit | ||
| -a exit,always -F arch=b64 -S execve -k exec | ||
| -a exit,always -F arch=b32 -S execve -k exec | ||
|
|
||
| # Record changes to audit config | ||
| -w /etc/audit/ -p wa -k audit | ||
| -w /etc/audisp/ -p wa -k audit | ||
| -w /etc/sysconfig/auditd -p wa -k audit | ||
| -w /etc/libaudit.conf -p wa -k audit | ||
|
|
||
| # Record changes to logger config | ||
| -w /etc/rsyslog.conf -p wa -k syslog | ||
| -w /etc/rsyslog-ng/ -p wa -k syslog | ||
| -w /etc/syslog.conf -p wa -k syslog | ||
| -w /etc/syslog-ng.conf -p wa -k syslog | ||
| -w /etc/syslog-ng/ -p wa -k syslog | ||
| -w /data/hekad/hekad.toml -p wa -k heka | ||
| -w /etc/hekad/hekad.toml -p wa -k heka | ||
| -w /etc/fluent/ -p wa -k fluentd | ||
|
|
||
| # Record changes to cron config | ||
| -w /etc/cron.allow -p wa -k cron | ||
| -w /etc/cron.deny -p wa -k cron | ||
| -w /etc/cron.d/ -p wa -k cron | ||
| -w /etc/cron.daily/ -p wa -k cron | ||
| -w /etc/cron.hourly/ -p wa -k cron | ||
| -w /etc/cron.monthly/ -p wa -k cron | ||
| -w /etc/cron.weekly/ -p wa -k cron | ||
| -w /etc/crontab -p wa -k cron | ||
| -w /var/spool/cron/root -p wa -k cron | ||
|
|
||
| # Record changes to init systems config | ||
| -w /etc/rc.d/init.d/ -p wa -k init | ||
| -w /sbin/init -p wa -k init | ||
| -w /etc/inittab -p wa -k init | ||
| -w /etc/systemd -p wa -k init | ||
|
|
||
| # Record changes to access control config | ||
| -w /etc/pam.d -p wa -k pam | ||
| -w /etc/security -p wa -k pam | ||
| -w /lib/security -p wa -k pam | ||
| -w /etc/sudoers -p wa -k user | ||
|
|
||
| # Record changes to OpenSSH daemon config | ||
| -w /etc/sshd -p wa -k sshd | ||
|
|
||
| # Record changes to user/passwords | ||
| -w /etc/group -p wa -k user | ||
| -w /etc/passwd -p wa -k user | ||
| -w /etc/gshadow -p wa -k user | ||
| -w /etc/shadow -p wa -k user | ||
| -w /etc/security/opasswd -p wa -k user | ||
|
|
||
| # Change clock | ||
| -a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change | ||
| -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | ||
| -w /etc/localtime -p wa -k time-change | ||
|
|
||
| # Linux kernel module loading | ||
| -a exit,always -F arch=b64 -S init_module -k module | ||
| -a exit,always -F arch=b32 -S init_module -k module | ||
|
|
||
| # kexec syscall (re-exec kernel) | ||
| -a exit,always -F arch=b64 -S kexec_load -k kexec | ||
| -a exit,always -F arch=b32 -S kexec_load -k kexec | ||
|
|
||
| # Record changes to system binaries | ||
| -w /usr/bin -p wa -k binaries | ||
| -w /bin -p wa -k binaries | ||
| -w /usr/sbin -p wa -k binaries | ||
| -w /sbin -p wa -k binaries | ||
| -w /usr/local/bin -p wa -k binaries | ||
| -w /usr/local/sbin -p wa -k binaries | ||
|
|
||
| # Enable auditd auditing | ||
| -e 1 |