{{ ansible_managed | comment }}
# Delete every rule currently loaded, so this file defines the complete rule set
# (rules appended elsewhere would otherwise survive a reload).
-D
# Kernel audit backlog: max number of outstanding audit records queued before the
# failure mode set with -f below applies. Well above the kernel default, to ride out bursts.
-b 8192
# How long the kernel waits for backlog space before treating a full queue as a failure.
# NOTE(review): auditctl(8) documents the unit as kernel ticks — confirm 60000 is the intended wait.
--backlog_wait_time 60000
# Failure flag: 1 = printk audit failures (e.g. backlog overflow) to the kernel log.
# 0 would drop them silently; 2 would panic the host. 1 keeps the system up but means
# records can be lost under sustained load — alert on "audit: backlog limit exceeded" in dmesg.
-f 1
# Configuration changes
# Recursive watch: any write (w) or attribute change (a: owner/mode/xattr) to anything under /etc.
-w /etc/ -p wa -k etc
# Usage of auditd tools
# Executions (-p x) of the audit control binaries themselves: a run of these by anything
# other than the automation that deploys this file is worth an alert (tampering/disabling).
-w /sbin/auditctl -p x -k audit_tools
-w /sbin/auditd -p x -k audit_tools
-w /usr/sbin/augenrules -p x -k audit_tools
# Kernel module changes
# Path-based rules: perm=x fires on execution of the helper binary.
# auid!=-1 drops events whose login uid is unset (processes with no login session,
# e.g. boot-time services), leaving module changes that trace back to a logged-in user.
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
# Syscall-level rules catch module loading that bypasses the helpers above
# (a program calling init_module/finit_module/delete_module directly). Both arches
# are listed because an arch=b64 rule does not match callers using the 32-bit ABI.
-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
# Mount
# The legacy umount syscall exists only in the 32-bit ABI; on x86_64/aarch64 the
# 64-bit rule below needs only umount2, so its shorter syscall list is not a gap.
-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount
# Swap
# Repeated -S is equivalent to the comma form used elsewhere in this file (-S swapon,swapoff).
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
# Ptrace
# a0 is ptrace's request code: 0x4 = PTRACE_POKETEXT (write into the tracee's code),
# 0x5 = PTRACE_POKEDATA (write into its data), 0x6 = PTRACE_POKEUSR (write its
# registers/USER area) — the requests a process-injection tool relies on.
# Deliberately no auid filter here, so these are recorded regardless of the caller's session.
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
# Catch-all for every other ptrace request (ATTACH, PEEK*, GETREGS, ...), again from
# any process. Debuggers and some crash handlers use ptrace legitimately, so expect
# a baseline of benign records under this key on developer hosts.
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
# Unauthorized file accesses
# Only attempts that FAILED with EACCES (this and the b64 rule) or EPERM (the two
# sibling rules) are recorded — denied opens/truncates are a probing or
# privilege-abuse signal, while successful file access would be far too noisy to log.
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
# Unauthorized file creations
# Unlike file_access above, there is no auid filter in this section: denied
# creations by daemons and other non-session processes are logged as well.
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
# NOTE(review): the EPERM rules cover a smaller syscall list than the EACCES rules
# above (no creat/mknod/mknodat/linkat/symlinkat, but mkdirat added) — confirm the
# asymmetry is intended rather than a copy-paste drift.
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
# Unauthorized file modifications
# Denied renames/truncates/chmod/xattr changes (EACCES here and in the b64 rule,
# EPERM in the two below). As with file_creation there is no auid filter, so events
# from any process are kept.
-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
# Usage of 32-bit syscalls
# A 64-bit host should normally see no 32-bit syscalls at all, so every one is logged.
# If any 32-bit binaries legitimately run, this rule becomes very high volume — confirm
# there are no such workloads before deploying.
# NOTE(review): no -e line is visible in this file. If the rule set should be locked
# until reboot (so that even root cannot alter or disable it), the last line should be
# `-e 2`; confirm that trade-off, since rule changes then require a reboot.
-a always,exit -F arch=b32 -S all -k 32bit_api