# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
#      ___             ___ __      __
#     /   | __  ______/ (_) /_____/ /
#    / /| |/ / / / __  / / __/ __  /
#   / ___ / /_/ / /_/ / / /_/ /_/ /
#  /_/  |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Compiled by Florian Roth
#
# Created : 2017/12/05
# Modified : 2018/08/05
#
# Based on rules published here:
# Gov.uk auditd rules
# https://github.com/gds-operations/puppet-auditd/pull/1
# CentOS 7 hardening
# https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon
# Linux audit repo
# https://github.com/linux-audit/audit-userspace/tree/master/rules
# Auditd high performance linux auditing
# https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/
#
# Further rules
# For PCI DSS compliance see:
# https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules
# For NISPOM compliance see:
# https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules
# Remove any existing rules
-D
# Buffer Size
## Feel free to increase this if the machine panics
-b 8192
# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f 1
# Ignore errors
## e.g. caused by users or files not found in the local environment
-i
# Self Auditing ---------------------------------------------------------------
## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-w /var/log/audit/ -k auditlog
## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Filters ---------------------------------------------------------------------
### We put these early because audit is a first match wins system.
## Ignore SELinux AVC records
-a always,exclude -F msgtype=AVC
## Ignore current working directory records
-a always,exclude -F msgtype=CWD
## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
## VMWare tools
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
### High Volume Event Filter (especially on Linux Workstations)
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
## More information on how to filter events
### https://access.redhat.com/solutions/2482221
# Rules -----------------------------------------------------------------------
## Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## Kernel module loading and unloading
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
## Modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
## KExec usage (all actions)
-a always,exit -F arch=b64 -S kexec_load -k KEXEC
-a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC
## Special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Mount operations (only attributable)
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount
# Change swap (only attributable)
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
## Time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
### Local time zone
-w /etc/localtime -p wa -k localtime
## Stunnel
-w /usr/sbin/stunnel -p x -k stunnel
## Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## User, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## Sudoers file changes
-w /etc/sudoers -p wa -k actions
## Passwd
-w /usr/bin/passwd -p x -k passwd_modification
## Tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## Login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## Network Environment
### Changes to hostname
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
### Changes to other files
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
-w /etc/network/ -p wa -k network
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
### Changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
## System startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## Library search paths
-w /etc/ld.so.conf -p wa -k libpath
## Pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
## Postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
## SSH configuration
-w /etc/ssh/sshd_config -k sshd
# Systemd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd/ -p wa -k systemd
## SELinux events that modify the system's Mandatory Access Controls (MAC)
-w /etc/selinux/ -p wa -k mac_policy
## Critical elements access failures
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess
## Process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Session initiation information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
## Discretionary Access Control (DAC) modifications
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# Special Rules ---------------------------------------------------------------
## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
-a always,exit -F arch=b32 -S all -k 32bit_api
## Reconnaissance
-w /usr/bin/whoami -p x -k recon
-w /etc/issue -p r -k recon
-w /etc/hostname -p r -k recon
## Suspicious activity
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k sbin_susp
## Sbin suspicious activity
-w /sbin/iptables -p x -k sbin_susp
-w /sbin/ifconfig -p x -k sbin_susp
-w /usr/sbin/tcpdump -p x -k sbin_susp
-w /usr/sbin/traceroute -p x -k sbin_susp
## Injection
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse
# Software Management ---------------------------------------------------------
# RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt
# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
# Special Software ------------------------------------------------------------
## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl
## IBM Bigfix BESClient
-a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient
-w /var/opt/BESClient/ -p wa -k soft_besclient
## CHEF https://www.chef.io/chef/
-w /etc/chef -p wa -k soft_chef
# High volume events ----------------------------------------------------------
## Remove them if they cause too much volume in your environment
## Root command executions
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
## File Deletion Events by User
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
## File Access
### Unauthorized Access (unsuccessful)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access
### Unsuccessful Creation
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
### Unsuccessful Modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
# Make the configuration immutable --------------------------------------------
##-e 2
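Because the file sets `-i` to ignore errors such as users not found in the local environment, it helps to check a rule file before loading it. The following linter is an added example, not part of the gist or of the auditd project: it flags identical rules that appear twice, user names in `uid`-type filters that are not in a supplied set, `-F` filters without an operator, syscall rules without an `arch` filter, and `-S all` catch-alls. The names `lint_rules`, `SAMPLE_RULES` and `known_users` are assumptions made for this example, and the sample input is constructed from rules in the file above.

```python
import re
import shlex

# Constructed sample: rules copied from the file above, including the repeated
# /etc/sysconfig/network watch, the chrony filter and the b32 catch-all.
SAMPLE_RULES = """\
-D
-b 8192
## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
-w /etc/network/ -p wa -k network
-w /etc/sysconfig/network -p wa -k network_modifications
-a always,exit -F arch=b32 -S all -k 32bit_api
"""

# "-F" expressions are field, operator, value with no spaces in between.
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.*)$")
# Fields whose value may be a user name that must resolve on the local host.
USER_FIELDS = {"uid", "euid", "suid", "fsuid", "auid", "obj_uid"}


def lint_rules(text, known_users):
    """Return (line_number, code, detail) findings for an audit.rules text."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        key = tuple(tokens)
        if key in seen:  # identical rule already present earlier in the file
            findings.append((lineno, "duplicate", f"same rule as line {seen[key]}"))
            continue
        seen[key] = lineno
        syscalls, has_arch = [], False
        for flag, value in zip(tokens, tokens[1:]):
            if flag == "-S":
                syscalls.extend(value.split(","))
            elif flag == "-F":
                m = FIELD_RE.match(value)
                if not m:
                    findings.append((lineno, "bad_filter", value))
                    continue
                field, _op, operand = m.groups()
                has_arch = has_arch or field == "arch"
                numeric = operand.lstrip("-").isdigit()
                if (field in USER_FIELDS and not numeric
                        and operand != "unset" and operand not in known_users):
                    findings.append((lineno, "unknown_user", operand))
        if syscalls and not has_arch:
            findings.append((lineno, "missing_arch", ",".join(syscalls)))
        if "all" in syscalls:
            findings.append((lineno, "catch_all", "-S all audits every syscall"))
    return findings


if __name__ == "__main__":
    # Assumption: only "root" exists on the target host.
    for finding in lint_rules(SAMPLE_RULES, known_users={"root"}):
        print(finding)
```

On a real host, build `known_users` from the local account database and pass the contents of `/etc/audit/audit.rules` as `text`.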
I have used Discretionary Access Control (DAC) modifications, file access rules in centos 7 but I am getting the error.
-F missing operation for auid
Can you please help me on this.
I am trying to use the rules in Oracle Enterprise Linux 6.4 - 64 bit, kernel=2.6.39-400.17.1.el6uek.x86_64 with audit.x86_64 (2.4.5-6.el6) and audit-libs.x86_64 (2.4.5-6.el6). I get the below errors:
Unknown user: chrony
-F unknown field: uid
There was an error in line 85 of /etc/audit/audit.rules
Error sending add rule data request (Rule exists)
There was an error in line 190 of /etc/audit/audit.rules
Error sending add rule data request (Invalid argument)
There was an error in line 325 of /etc/audit/audit.rules
I commented out line #85, as I do not have chrony installed, and #190, which is a duplicate of #187.
I am unsure of #325. Please guide me.
I suggest the following changes to cover modern distributions:
# Software Management ---------------------------------------------------------
# RPM/DNF (Redhat/CentOS/Fedora)
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt
-w /usr/bin/dnf -p x -k software_mgmt
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt
# DPKG/APT (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
-w /usr/bin/apt -p x -k software_mgmt
Hello,
I ran into an issue with auditd after implementing some of the rules listed here. When I try to install docker, yum fails at installing container-selinux-2.74-1 and the system becomes unresponsive. If I remove the audit rules and go to the defaults the problem goes away. Also, if I keep the rules and disable selinux, the yum install will work. I looked through the logs and cannot find anything regarding the root cause. I also commented some rules out to determine if it was a specific rule causing the issue but nothing worked. Do you have any advice?
Thanks
As a word of warning:
If you run a high traffic application on x86_64 OS that is not 64bit the 32bit API rule will absolutely bring the server to its knees.
This line can be dangerous
32bit API Exploitation
If you are on a 64 bit platform, everything should be running
in 64 bit mode. This rule will detect any use of the 32 bit syscalls
because this might be a sign of someone exploiting a hole in the 32
bit API.
-a always,exit -F arch=b32 -S all -k 32bit_api
Other than this line which I have now commented out, these rules are amazing.
Thanks!
Thanks a lot!!
Is there any way to monitor an indirect write, like echo "/path/to/script.py" >> /home/test/.bash_profile, because -w /home/test/.bash_profile -p wa is not working in that case and monitoring -S open produces a lot of false positives? The alternate way I found most flexible is to use AIDE instead.
Please add -w /etc/modprobe.d/ -p wa -k modprobe
Really like this, thank you!
Very good, thank you very much :D from CL
El vito also says thanks
@gcallpa better use the new one https://github.com/Neo23x0/auditd
I want to monitor the /etc/hosts file for modification (attribute, as well as write/execute).
I am using the following rule:
-w /etc/hosts -p wxa -k files
But for each modify event ausearch is giving three records; can we suppress it to a single audit event?