V8.13.272.2025.10.22
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -40,13 +40,16 @@ cat << EOF >| /etc/audit/rules.d/10-base-config.rules
|
||||
-D
|
||||
|
||||
## Increase the buffers to survive stress events.
|
||||
## Make this bigger for busy systems
|
||||
-b 8192
|
||||
## Make this bigger for busy systems.
|
||||
-b 16384
|
||||
|
||||
## This determine how long to wait in burst of events
|
||||
--backlog_wait_time 60000
|
||||
## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
|
||||
-r 200
|
||||
|
||||
## Set failure mode to syslog
|
||||
## This determine how long to wait in burst of events. How long to wait in bursts (µs).
|
||||
--backlog_wait_time 1024
|
||||
|
||||
## Set failure mode to syslog.
|
||||
-f 1
|
||||
EOF
|
||||
|
||||
@@ -92,6 +95,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
|
||||
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/25-ciss-exec.rules
|
||||
cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
|
||||
## Focus on privileged exec, not every user command
|
||||
-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
|
||||
-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
|
||||
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
|
||||
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
|
||||
-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
|
||||
-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
|
||||
## Unsuccessful file creation (open with O_CREAT)
|
||||
@@ -109,17 +123,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
|
||||
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
|
||||
## Successful file creation (open with O_CREAT)
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
|
||||
## Unsuccessful file modifications (open for write or truncate)
|
||||
@@ -137,17 +140,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
|
||||
## Successful file modifications (open for write or truncate)
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
|
||||
## Unsuccessful file access (any other opens) This has to go last.
|
||||
@@ -157,14 +149,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
|
||||
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
|
||||
## Successful file access (any other opens) This has to go last.
|
||||
## These next two are likely to result in a whole lot of events
|
||||
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
||||
## Unsuccessful file delete
|
||||
@@ -174,13 +158,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
|
||||
## Successful file delete
|
||||
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
|
||||
## Unsuccessful permission change
|
||||
@@ -190,13 +167,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
|
||||
## Successful permission change
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
|
||||
## Unsuccessful ownership change
|
||||
@@ -206,13 +176,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
|
||||
## Successful ownership change
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/30-ospp-v42.rules
|
||||
cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
|
||||
## The purpose of these rules is to meet the requirements for Operating
|
||||
|
||||
Reference in New Issue
Block a user