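# CIS Debian 13 Benchmark - Comprehensive Audit Rules
# Implements CIS recommendations for comprehensive system auditing.
#
# Format: auditd rule file (auditctl syntax), loaded by augenrules / auditctl -R.
# Convention used throughout: every syscall rule is restricted to real users
# with -F auid>=1000 and -F auid!=4294967295 (4294967295 == -1 == unset
# loginuid, i.e. daemons and processes started before login are excluded).
# Keys (-k) are what you search with: ausearch -k <key>.

# Delete all existing rules
-D

# Increase buffer size for audit daemon (lost events are reported by
# the kernel as "audit: backlog limit exceeded"; raise this if seen)
-b 8192

# Monitor kernel module loading and unloading
# NOTE: on Debian insmod/rmmod/modprobe are symlinks to kmod; the watch on
# the target binary is the one that fires, the others are kept for clarity.
-w /usr/bin/kmod -p x -k modules
-w /usr/bin/insmod -p x -k modules
-w /usr/bin/rmmod -p x -k modules
-w /usr/bin/modprobe -p x -k modules
-w /etc/modules -p wa -k modules
-w /etc/modprobe.d -p wa -k modules
-w /proc/sys/kernel/modules_disabled -p wa -k modules

# Monitor file system mounts and unmounts
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts

# Monitor changes to system time
# a0=0 restricts clock_settime to CLOCK_REALTIME (wall-clock changes only).
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F auid>=1000 -F auid!=4294967295 -k time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,time -F auid>=1000 -F auid!=4294967295 -k time
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -F auid>=1000 -F auid!=4294967295 -k time
-a always,exit -F arch=b32 -S clock_settime -F a0=0 -F auid>=1000 -F auid!=4294967295 -k time

# Monitor user and group administration
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d -p wa -k identity

# Monitor network configuration
-w /etc/hosts -p wa -k network
-w /etc/hostname -p wa -k network
-w /etc/network/ -p wa -k network
-w /etc/resolv.conf -p wa -k network
# The two /etc/sysconfig paths are RHEL-family locations and do not exist on
# Debian; they are harmless (the watch is simply never triggered) but add no
# coverage here.
-w /etc/sysconfig/network -p wa -k network
-w /etc/sysconfig/network-scripts -p wa -k network

# Monitor crontab and scheduled jobs
-w /etc/crontab -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /var/spool/cron -p wa -k cron

# Monitor login, logout, and authentication events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins

# Monitor privileged commands
# This is a static list; CIS expects one rule per setuid/setgid binary found
# on the host (e.g. via find -perm /6000), so regenerate it per system.
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpg-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

# Monitor security related files
-w /etc/apparmor -p wa -k apparmor
-w /etc/apparmor.d -p wa -k apparmor
-w /etc/security -p wa -k security
-w /etc/security/limits.d -p wa -k security
# NOTE(review): /etc/security/pam.d is not a standard Debian path (PAM config
# lives under /etc/pam.d) - confirm the intended target before relying on it.
-w /etc/security/pam.d -p wa -k security

# Monitor unsuccessful file access attempts
# The original file carried this set twice (once mislabelled as "system calls
# that create files"); the second copy was a strict subset of the first and has
# been folded in. CIS covers both failure codes, so EPERM is recorded as well
# as EACCES.
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

# Monitor execve system calls
# High-volume on busy hosts; size -b and log rotation accordingly.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec

# Monitor permission and ownership changes (chmod/chown/xattr family)
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchmodat,fchown,fchownat,fremovexattr,lchown,setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,chown,fchmod,fchmodat,fchown,fchownat,fremovexattr,lchown,setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

# Monitor unlink, unlinkat, rename, and renameat system calls
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete

# Monitor file and directory creation
-a always,exit -F arch=b64 -S mkdir,mkdirat,mknod,mknodat -F auid>=1000 -F auid!=4294967295 -k create
-a always,exit -F arch=b32 -S mkdir,mkdirat,mknod,mknodat -F auid>=1000 -F auid!=4294967295 -k create

# Monitor process credential (UID/GID) changes
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -F auid>=1000 -F auid!=4294967295 -k setuid
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -F auid>=1000 -F auid!=4294967295 -k setuid

# Monitor init and systemd
-w /etc/inittab -p wa -k init
-w /etc/init.d -p wa -k init
-w /etc/init -p wa -k init
-w /etc/systemd -p wa -k init
-w /usr/lib/systemd -p wa -k init

# Monitor audit logs
# The directory watch covers Debian's default log (/var/log/audit/audit.log);
# the /var/log/audit.log watch only matters if log_file in auditd.conf is
# pointed there.
-w /var/log/audit/ -p wa -k audit_logs
-w /var/log/audit.log -p wa -k audit_logs

# Make the audit configuration immutable
# -e 2 locks the rule set: any further auditctl change (including -D) is
# refused until reboot, so it MUST stay the last line. It does not by itself
# load rules at boot - that is done by augenrules via auditd.service.
-e 2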