Neo23x0/audit.rules

I want to monitor /etc/hosts file for modification (attribute , as well as write/execute).
I am using following rule
-w /etc/hosts -p wxa -k files
But for each modify event ausearch is given three records, can we we surpass it to single audit event.

I have used Discretionary Access Control (DAC) modifications, file access rules in centos 7 but I am getting the error.
-F missing operation for auid
Can you please help me on this.

I am trying to use the rules in Oracle Enterprise Linux 6.4 - 64 bit, kernel=2.6.39-400.17.1.el6uek.x86_64 with audit.x86_64 (2.4.5-6.el6) and audit-libs.x86_64 (2.4.5-6.el6). I get the below errors:

Unknown user: chrony
-F unknown field: uid
There was an error in line 85 of /etc/audit/audit.rules
Error sending add rule data request (Rule exists)
There was an error in line 190 of /etc/audit/audit.rules
Error sending add rule data request (Invalid argument)
There was an error in line 325 of /etc/audit/audit.rules

I commented the line #85 - as I do not chrony installed and #190 - is duplicate of #187.

I am unsure of #325. Please guide me.

I suggest the following changes to cover modern distributions:

_# Software Management ---------------------------------------------------------

# RPM/DNF (Redhat/CentOS/Fedora)
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt
-w /usr/bin/dnf -p x -k software_mgmt

# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt

# DPKG/APT (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
-w /usr/bin/apt -p x -k software_mgmt_

Hello,

I ran into an issue with auditd after implementing a some of the rules listed here. When I try to install docker yum fails at installing container-selinux-2.74-1 and the system become unresponsive. If I remove the audit rules and go to the defaults the problem goes away. Also if I keep the rules and disable selinux the yum install will work. I looked through the logs and cannot find anything regarding the root cause. I also commented some rules out to determine if it was a specific rule causing the issue but nothing worked. Do you have any advice?

Thanks

As a word of warning:

If you run a high traffic application on x86_64 OS that is not 64bit the 32bit API rule will absolutely bring the server to its knees.

This line can be dangerous

32bit API Exploitation

If you are on a 64 bit platform, everything should be running

in 64 bit mode. This rule will detect any use of the 32 bit syscalls

because this might be a sign of someone exploiting a hole in the 32

bit API.

-a always,exit -F arch=b32 -S all -k 32bit_api

Other than this line which I have now commented out, these rules are amazing.

Thanks!

Thanks a lot!!

Is there any way to monitor an indirect writing, like echo "/path/to/script.py" >> /home/test/.bash_profile , cause -w /home/test/.bash_profile -p wa is not working in that case and monitoring -S open produce a lot of falsepositives. The alternate way I found most flexible is to use AIDE instead.

Please add -w /etc/modprobe.d/ -p wa -k modprobe

Really like this, thank you!

Muy bueno, muchas gracias :D desde CL

El vito también da las gracias

@gcallpa better use the new one https://github.com/Neo23x0/auditd