football/config/cis-audit.rules
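# CIS Debian 13 Benchmark - Comprehensive Audit Rules
# Implements CIS recommendations for comprehensive system auditing.
#
# Deployment notes
#  * Install under /etc/audit/rules.d/ and load with `augenrules --load`.
#    augenrules concatenates every *.rules file there in lexical order
#    into /etc/audit/audit.rules. This file ends with `-e 2`, and every
#    rule that comes after the immutable flag is rejected ("audit system
#    is in immutable mode"), so it must sort LAST; CIS keeps `-e 2` alone
#    in 99-finalize.rules for exactly that reason.
#  * Once `-e 2` is active the rule set (including the `-D` below) cannot
#    be changed until the next reboot. Stage edits in rules.d and reboot;
#    `auditctl -s` shows "enabled 2" while locked.
#  * Syscall rules are given for arch=b64 and arch=b32. The b32 lines
#    list the i386 names 32-bit glibc actually issues (chown32, setuid32,
#    truncate64, ...) next to the legacy names; the CIS text alone lists
#    only the legacy names and so misses most 32-bit callers.
#  * `-F auid>=1000 -F auid!=unset` limits syscall rules to real login
#    sessions; "unset" is the auditctl alias for 4294967295 (-1).
#  * A watch (-w / -F path=) on a path that does not exist loads without
#    error and simply never fires. After loading, check `auditctl -l`
#    and `ausearch -k <key>` for every key below.
#  * Key names (-k) are what detection content searches on; keep them
#    stable when editing.

## Control
# Delete all existing rules
-D
# Kernel backlog: records queued for auditd. Raise it if `auditctl -s`
# shows a growing "lost" counter; the exec rules below are high-volume.
-b 8192
# Failure mode when the kernel cannot deliver a record: 1 = printk
# (2 = panic; only for hosts where losing audit data must halt them).
-f 1

## Kernel modules
# Syscall-level coverage: catches any loader, not just the kmod binary
# (busybox, a custom loader, or a direct finit_module() caller).
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k modules
# On Debian insmod/rmmod/modprobe live in /usr/sbin as symlinks to kmod,
# so the kmod rule is the one expected to fire; the /usr/sbin entries are
# kept for installs where they are real binaries. (The previous
# /usr/bin/insmod etc. paths do not exist on Debian.)
-w /usr/bin/kmod -p x -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
# Module configuration and autoload lists (modules-load.d is read by
# systemd-modules-load).
-w /etc/modules -p wa -k modules
-w /etc/modprobe.d -p wa -k modules
-w /etc/modules-load.d -p wa -k modules
# sysctl toggle that forbids further module loading.
-w /proc/sys/kernel/modules_disabled -p wa -k modules

## File system mounts and unmounts
# Recent util-linux (libmount 2.39+) mounts through the new kernel mount
# API (fsmount/move_mount/mount_setattr) when the kernel supports it, so
# auditing mount(2) alone misses most mounts on Debian 13.
-a always,exit -F arch=b64 -S mount,umount2,move_mount,fsmount,mount_setattr -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S mount,umount,umount2,move_mount,fsmount,mount_setattr -F auid>=1000 -F auid!=unset -k mounts

## System time
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F auid>=1000 -F auid!=unset -k time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,time -F auid>=1000 -F auid!=unset -k time
# a0=0 restricts clock_settime to CLOCK_REALTIME (wall clock).
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -F auid>=1000 -F auid!=unset -k time
-a always,exit -F arch=b32 -S clock_settime -F a0=0 -F auid>=1000 -F auid!=unset -k time
# Time zone changes are part of the CIS time-change control.
-w /etc/localtime -p wa -k time

## User and group administration
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Password history (pam_pwhistory) and name-service switch, both in the
# CIS identity control.
-w /etc/security/opasswd -p wa -k identity
-w /etc/nsswitch.conf -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d -p wa -k identity

## Network and system scope
-w /etc/hosts -p wa -k network
-w /etc/hostname -p wa -k network
-w /etc/networks -p wa -k network
-w /etc/network -p wa -k network
# resolv.conf is often a symlink into /run (systemd-resolved, NetworkManager);
# this watch sees the link being replaced, not writes to the link target.
-w /etc/resolv.conf -p wa -k network
-w /etc/issue -p wa -k network
-w /etc/issue.net -p wa -k network
# Kernel/IPv6 parameters on Debian are set through sysctl, not
# /etc/sysconfig (a Red Hat path that does not exist here).
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d -p wa -k sysctl

## Crontab and scheduled jobs
-w /etc/crontab -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
# Directory watches are recursive, so this covers /var/spool/cron/crontabs.
-w /var/spool/cron -p wa -k cron

## Login, logout, and authentication events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
# pam_faillock state. (/var/log/tallylog belonged to pam_tally2, which
# current Linux-PAM no longer ships, so it is not watched.)
# NOTE(review): if this directory does not exist when the rules load,
# auditctl installs a file watch rather than a directory watch, and
# per-user files created inside it later are not matched - confirm the
# directory is created (e.g. tmpfiles.d) before auditd starts.
-w /var/run/faillock -p wa -k logins
# Session records (CIS "session" control) - previously missing.
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## Privileged commands
# CIS expects one rule per setuid/setgid binary on every local partition;
# regenerate this list after package changes from
#   find / -xdev \( -perm -4000 -o -perm -2000 \) -type f
# The entries below are the usual Debian set plus the agents the original
# file already tracked (ssh-agent/gpg-agent are not setuid on Debian but
# are kept for continuity).
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/gpg-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
# CIS: ACL and account changes made through their admin tools.
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod
# CIS: commands run as another user (e.g. through sudo/su), any auid.
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation

## Security-related configuration
# Mandatory access control (AppArmor on Debian).
-w /etc/apparmor -p wa -k apparmor
-w /etc/apparmor.d -p wa -k apparmor
# PAM lives in /etc/pam.d and /etc/pam.conf; the old /etc/security/pam.d
# watch pointed at a path that does not exist.
-w /etc/pam.conf -p wa -k security
-w /etc/pam.d -p wa -k security
# Recursive: also covers /etc/security/limits.d, access.conf, namespace.d.
-w /etc/security -p wa -k security

## Failed / unauthorized file access
# CIS requires both EACCES and EPERM; the EPERM pair was missing and the
# two EACCES rule sets overlapped. truncate64/ftruncate64 are the calls
# 32-bit glibc actually issues for large-file-aware binaries.
-a always,exit -F arch=b64 -S creat,open,openat,openat2,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat,open,openat,openat2,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,openat2,open_by_handle_at,truncate,truncate64,ftruncate,ftruncate64 -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,openat2,open_by_handle_at,truncate,truncate64,ftruncate,ftruncate64 -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access

## Process execution
# Every exec by a logged-in user. This is the highest-volume rule in the
# file and the usual cause of backlog loss; size -b and the auditd
# log rotation accordingly. execveat covers fexecve()-style launches.
-a always,exit -F arch=b64 -S execve,execveat -F auid>=1000 -F auid!=unset -k exec
-a always,exit -F arch=b32 -S execve,execveat -F auid>=1000 -F auid!=unset -k exec

## Permission, ownership and extended-attribute changes
# Full CIS list: lsetxattr/fsetxattr/removexattr/lremovexattr were
# missing, so xattr changes through those calls (including removal of
# security.capability) went unlogged. b32 adds the *32 ownership calls.
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,chown,chown32,fchown,fchown32,fchownat,lchown,lchown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
# TODO: add fchmodat2 to both lines once the host's auditctl syscall
# table knows it (kernel 6.6+ call); an unknown name aborts rule loading.

## File deletion and renaming
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,renameat2 -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,renameat2 -F auid>=1000 -F auid!=unset -k delete

## File and directory creation
-a always,exit -F arch=b64 -S mkdir,mkdirat,mknod,mknodat -F auid>=1000 -F auid!=unset -k create
-a always,exit -F arch=b32 -S mkdir,mkdirat,mknod,mknodat -F auid>=1000 -F auid!=unset -k create

## Credential (UID/GID) changes
# setresuid/setresgid/setfsuid/setfsgid were missing; on i386 glibc
# issues the *32 variants, so the old b32 rule matched almost nothing.
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid,setfsuid,setfsgid -F auid>=1000 -F auid!=unset -k setuid
-a always,exit -F arch=b32 -S setuid,setuid32,setgid,setgid32,setreuid,setreuid32,setregid,setregid32,setresuid,setresuid32,setresgid,setresgid32,setfsuid,setfsuid32,setfsgid,setfsgid32 -F auid>=1000 -F auid!=unset -k setuid

## Init and systemd
-w /etc/inittab -p wa -k init
-w /etc/init.d -p wa -k init
-w /etc/init -p wa -k init
# Recursive: covers /etc/systemd/system, user units and timers.
-w /etc/systemd -p wa -k init
# Vendor units; expect bursts of events during package upgrades.
-w /usr/lib/systemd -p wa -k init

## Audit subsystem
# sudo's own log (only written if sudoers sets "Defaults logfile=...").
-w /var/log/sudo.log -p wa -k actions
# Audit configuration and rules staging; changes only take effect after
# reboot while -e 2 is active, but the edit itself is worth recording.
-w /etc/audit -p wa -k audit_config
# Audit log directory (rotation, deletion, replacement). The previous
# /var/log/audit.log entry pointed at a path that does not exist; the
# real log, /var/log/audit/audit.log, is covered by this watch.
-w /var/log/audit -p wa -k audit_logs

## Finalize
# Make the configuration immutable: no further rule changes are accepted
# until reboot. This does NOT load rules at boot (that is auditd's unit
# plus augenrules); it locks what has been loaded, so it must be the last
# line of the last rules file.
-e 2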