# Linux Audit Daemon - Best Practice Configuration # /etc/audit/audit.rules # # Compiled by Florian Roth # # Created : 2017/12/05 # Modified : 2017/12/13 # # Based on rules published here: # Gov.uk auditd rules # https://github.com/gds-operations/puppet-auditd/pull/1 # CentOS 7 hardening # https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon # Linux audit repo # https://github.com/linux-audit/audit-userspace/tree/master/rules # Auditd high performance linux auditing # https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/ # # Further rules # For PCI DSS compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules # For NISPOM compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules # # Remove any existing rules -D # Buffer Size ## Feel free to increase this if the machine panic's -b 8192 # Failure Mode ## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system) -f 1 # Ignore errors ## e.g. caused by users or files not found in the local environment -i # Self Auditing --------------------------------------------------------------- # Audit the audit logs ## Successful and unsuccessful attempts to read information from the audit records -w /var/log/audit/ -k auditlog # Auditd configuration ## Modifications to audit configuration that occur while the audit collection functions are operating -w /etc/audit/ -p wa -k auditconfig -w /etc/libaudit.conf -p wa -k auditconfig -w /etc/audisp/ -p wa -k audispconfig # Monitor for use of audit management tools -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools # Filters --------------------------------------------------------------------- # This is for don't audit rules. We put these early because audit # is a first match wins system. # Ignore SELinux AVC records -a always,exclude -F msgtype=AVC # Ignore current working directory records -a always,exclude -F msgtype=CWD # Ignore EOE records (End Of Event, not needed) -a always,exclude -F msgtype=EOE # Cron jobs fill the logs with stuff we normally don't want (works with SELinux) -a never,user -F subj_type=crond_t -a exit,never -F subj_type=crond_t # This prevents chrony from overwhelming the logs #-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t # This is not very interesting and wastes a lot of space if the server is public facing -a always,exclude -F msgtype=CRYPTO_KEY_USER # VMWare tools -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 # More information on how to filter events # https://access.redhat.com/solutions/2482221 # Rules ----------------------------------------------------------------------- # Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl # Kernel module loading and unloading -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules # Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe # Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles # Mount operations -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount -a exit,always -F arch=b64 -S mount -S umount2 -k mount # Time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time ## Local time zone -w /etc/localtime -p wa -k localtime # Stunnel -w /usr/sbin/stunnel -p x -k stunnel # Cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k cron -w /etc/cron.deny -p wa -k cron -w /etc/cron.d/ -p wa -k cron -w /etc/cron.daily/ -p wa -k cron -w /etc/cron.hourly/ -p wa -k cron -w /etc/cron.monthly/ -p wa -k cron -w /etc/cron.weekly/ -p wa -k cron -w /etc/crontab -p wa -k cron -w /var/spool/cron/crontabs/ -k cron # User, group, password databases -w /etc/group -p wa -k etcgroup -w /etc/passwd -p wa -k etcpasswd -w /etc/gshadow -k etcgroup -w /etc/shadow -k etcpasswd -w /etc/security/opasswd -k opasswd # Sudoers file changes -w /etc/sudoers -p wa -k actions # Passwd -w /usr/bin/passwd -p x -k passwd_modification # Tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification -w /usr/sbin/useradd -p x -k user_modification -w /usr/sbin/usermod -p x -k user_modification -w /usr/sbin/adduser -p x -k user_modification # Login configuration and information -w /etc/login.defs -p wa -k login -w /etc/securetty -p wa -k login -w /var/log/faillog -p wa -k login -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login # Network Environment ## Changes to hostname -a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications ## Changes to other files -w /etc/hosts -p wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications -w /etc/network/ -p wa -k network -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications ## Changes to issue -w /etc/issue -p wa -k etcissue -w /etc/issue.net -p wa -k etcissue # System startup scripts -w /etc/inittab -p wa -k init -w /etc/init.d/ -p wa -k init -w /etc/init/ -p wa -k init # Library search paths -w /etc/ld.so.conf -p wa -k libpath # Pam configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam -w /etc/security/pam_env.conf -p wa -k pam -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam # GDS specific secrets -w /etc/puppet/ssl -p wa -k puppet_ssl # Postfix configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail # SSH configuration -w /etc/ssh/sshd_config -k sshd # SELinux events that modify the system's Mandatory Access Controls (MAC) -w /etc/selinux/ -p wa -k mac_policy # Critical elements access failures -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess # Process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc -w /usr/bin/sudo -p x -k priv_esc -w /etc/sudoers -p rw -k priv_esc # Power state -w /sbin/shutdown -p x -k power -w /sbin/poweroff -p x -k power -w /sbin/reboot -p x -k power -w /sbin/halt -p x -k power # Session initiation information -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session # Discretionary Access Control (DAC) modifications -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod # Special Rules --------------------------------------------------------------- # 32bit API Exploitation ## If you are on a 64 bit platform, everything _should_ be running ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls ## because this might be a sign of someone exploiting a hole in the 32 ## bit API. -a always,exit -F arch=b32 -S all -k 32bit_api # Injection ## These rules watch for code injection by the ptrace facility. ## This could indicate someone trying to do something bad or just debugging #-a always,exit -F arch=b32 -S ptrace -k tracing -a always,exit -F arch=b64 -S ptrace -k tracing -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection -a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection # Privilege Abuse ## The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse # High volume events ---------------------------------------------------------- # Root command executions -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd # File Deletion Events by User -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete # File Access ## Unauthorized Access (unsuccessful) -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access ## Unsuccessful Creation -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation ## Unsuccessful Modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification # Make the configuration immutable -------------------------------------------- #-e 2