ansible/roles/auditd/templates/rules.d/audit.rules.j2


{{ ansible_managed | comment }}
# Kernel audit rules installed by the auditd role (rendered by Ansible).
# Rules are loaded in the order written. NOTE(review): the audit exit filter
# stops at the first rule that matches an event, so the more specific rules in
# this file deliberately sit before the broader ones that would otherwise claim
# the same events — keep that ordering when editing.
# Flush every rule currently loaded before installing the set below.
-D
# Kernel audit buffer size (queued records) and how long the kernel waits for
# room in that buffer before giving up on a record.
# NOTE(review): the kernel interprets the wait time in jiffies, so 60000 is
# roughly 60 s only at HZ=1000 — confirm on the target kernel.
-b 8192
--backlog_wait_time 60000
# Failure flag 1: emit a kernel message (printk) when auditing fails, instead
# of staying silent (0) or panicking (2).
-f 1
# Configuration changes
# Watch the whole /etc tree for writes and attribute changes. This is broad:
# every package upgrade or config edit under /etc produces records keyed "etc".
-w /etc/ -p wa -k etc
# Usage of auditd tools
# Execution of the audit management binaries themselves.
# NOTE(review): prefixes are mixed (/sbin vs /usr/sbin). On merged-/usr hosts
# they resolve to the same directory; confirm both paths resolve on every
# target image this role is applied to.
-w /sbin/auditctl -p x -k audit_tools
-w /sbin/auditd -p x -k audit_tools
-w /usr/sbin/augenrules -p x -k audit_tools
# Modules changes
# Execution (perm=x) of the module tools by a real login session (auid set),
# followed by the module syscalls themselves on both ABIs, so a load performed
# by any other binary is still recorded under the same key.
# NOTE(review): on distros where insmod/modprobe/rmmod are symlinks to kmod,
# confirm the three path-based rules actually fire; the two syscall rules below
# record the load either way.
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
# Mount
# The syscall lists differ because the 64-bit table has umount2 only; the
# 32-bit table also carries the legacy umount.
-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount
# Swap
# Swap activation/deactivation by a login session, both ABIs.
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
# Ptrace
# ptrace requests that write into another process, keyed by what they write:
# a0=0x4 (PTRACE_POKETEXT -> code_injection), 0x5 (PTRACE_POKEDATA ->
# data_injection), 0x6 (PTRACE_POKEUSER -> register_injection). The two
# unfiltered rules at the end of this section catch every other ptrace request
# under "tracing"; given first-match evaluation they must stay after the
# a0-specific ones. Unlike the sections above, this section has no auid filter,
# so tracing done by daemons is recorded as well.
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
# Unauthorized file accesses
# Open/create/truncate attempts by a login session that the kernel refused with
# EACCES or EPERM. The -F fields of one rule are ANDed, so each errno needs its
# own rule per ABI.
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
# Unauthorized file creations
# NOTE(review): unlike file_access, the file_creation and file_modification
# rules carry no auid filter, so refused attempts by system daemons are logged
# too — presumably intentional; add -F auid!=-1 if it is not.
# NOTE(review): the EACCES and EPERM syscall lists differ (creat/mknod/mknodat
# only under EACCES, mkdirat only under EPERM) — confirm that asymmetry is
# intended. Note also that creat with either errno is already claimed by the
# file_access rules above, so it is never keyed file_creation here.
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
# Unauthorized file modifications
# NOTE(review): truncate with EACCES/EPERM is already matched by the
# file_access rules above, so with first-match evaluation it can never be keyed
# file_modification here. The fd-based variants (ftruncate, fchmod, fchmodat,
# fsetxattr, fremovexattr) are not listed in this section; only ftruncate is
# covered at all, under file_access.
-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
# Usage of 32 bit syscalls
# Catch-all for any remaining 32-bit ABI syscall. It is last on purpose: the
# arch=b32 rules above take precedence for the calls they list, and everything
# else lands under 32bit_api. Expect volume on hosts that run 32-bit binaries.
# NOTE(review): on hosts whose kernel lacks the 32-bit compat ABI, confirm that
# this rule (and the other arch=b32 rules) loads without error.
-a always,exit -F arch=b32 -S all -k 32bit_api