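# CIS Benchmark - System Audit Rules
# Implements CIS Debian Benchmark Section 4.1.2-4.1.17
#
# Ordering: auditctl applies this file top to bottom. "-D" below discards
# every rule loaded before it, so when rules are assembled from several
# files (augenrules / rules.d) this file must sort first; an immutable
# setting ("-e 2", see the end of the file) must sort last.
#
# Syscall lists are written for x86 (b64 = x86_64, b32 = i386). On arm64
# the legacy syscalls open/creat/unlink/rename do not exist and auditctl
# rejects them; only the *at variants apply there.
#
# Not covered in this file (separate CIS items): filesystem mounts, DAC
# permission changes (chmod/chown/setxattr), session files (utmp/wtmp/btmp).

# Delete all existing rules
-D

# Set buffer size (kernel backlog; events are lost when it overflows,
# and what happens then is governed by -f)
-b 8192

# Set failure mode: 0 = silent, 1 = printk, 2 = kernel panic
-f 1

# ============================================================================
# Monitor System Calls (CIS 4.1.10-4.1.17)
# ============================================================================

# Monitor for use of administration commands (CIS 4.1.10)
# -C euid!=uid catches any exec where the effective uid differs from the
# real uid (sudo, su, setuid binaries); auid filters drop daemons (unset
# auid = 4294967295) and system accounts (< 1000).
-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd

# Monitor for unauthorized access attempts to files (CIS 4.1.11)
# A denied open fails with EACCES (DAC) or EPERM (capability/LSM check);
# CIS audits both, and creat is a second way to open a file for writing.
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

# Monitor for use of privileged commands (CIS 4.1.12)
# CIS expects one rule per setuid/setgid binary on the host, enumerated
# with: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f
# The list below is a hand-picked subset; regenerate it per host. On a
# Debian without merged /usr, su lives in /bin, not /usr/bin - verify
# each path with "command -v" before relying on these rules.
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd

# Monitor for changes to system network configuration (CIS 4.1.13)
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
# /etc/issue is a file, not a syscall: the earlier "-S /etc/issue" form is
# rejected by auditctl ("Syscall name unknown"), so it is a watch like the
# other files in this group. /etc/issue.net is part of the same CIS item.
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale

# Monitor for changes to user/group information (CIS 4.1.14)
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

# Monitor for changes to sudoers files (CIS 4.1.15)
# (CIS names this key "scope"; "identity" is kept so existing
# ausearch -k identity queries keep working.)
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

# Monitor for changes to system scheduling (CIS 4.1.16)
-w /etc/crontab -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/cron.d/ -p wa -k cron

# Monitor for changes to time settings (CIS 4.1.17)
# The file watches alone miss direct clock changes (date -s, a stepping
# NTP client); the syscall rules record those.
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/timezone -p wa -k time-change

# ============================================================================
# Monitor for File Deletion by User
# ============================================================================
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete

# ============================================================================
# Monitor for kernel module loading and unloading
# ============================================================================
# Current kmod (modprobe/insmod) loads modules through finit_module, which
# an init_module-only rule never sees; delete_module covers rmmod. No auid
# filter: module loads by daemons and unattended jobs carry an unset auid
# and are exactly the ones worth recording. Loads are rare, so noise is low.
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k modules

# ============================================================================
# Monitor for changes to login configuration
# ============================================================================
-w /etc/login.defs -p wa -k logins
-w /etc/securetty -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

# ============================================================================
# Monitor for system initialization
# ============================================================================
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
-w /etc/systemd/ -p wa -k init

# ============================================================================
# Monitor for mandatory access control (MAC) events
# ============================================================================
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy

# ============================================================================
# Audit Log Configuration
# ============================================================================
# The earlier pair of "-a never,exit ... -S kill -k auditd" rules did the
# opposite of their "Prevent auditd from being killed" comment: an
# "-a never" rule blocks nothing, it EXCLUDES matching events from the
# log, so kill() calls by ordinary users were being hidden rather than
# recorded. Those rules are removed. Audit rules cannot stop a privileged
# process from signalling auditd; the CIS control for protecting the audit
# configuration is making it immutable. "-e 2" must be the very last line
# auditd loads and then requires a reboot to change any rule, so it is
# left for the final rules file:
# -e 2

# Monitor for changes to audit configuration
-w /etc/audit/ -p wa -k audit_config
-w /etc/libaudit.conf -p wa -k audit_config
-w /etc/audisp/ -p wa -k audit_config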