From 5a1b53aad575f665b3a7d67ecb24cb05a71437d8 Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@thegeeklab.de>
Date: Sun, 25 Sep 2022 11:14:10 +0000
Subject: [PATCH] commit 5d498096c3b6733e93a342e7bc6b5aa18b07f978 Author:
 Robert Kaussow <mail@thegeeklab.de> Date:   Sun Sep 25 13:08:42 2022 +0200

    chore: update default rules
---
 index.md | 137 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 69 insertions(+), 68 deletions(-)

diff --git a/index.md b/index.md
index adf23bb..a656a3f 100644
--- a/index.md
+++ b/index.md
@@ -46,7 +46,7 @@ auditd_action_mail_acct: root
 #### Default value
 
 ```YAML
-auditd_admin_space_left_action: SUSPEND
+auditd_admin_space_left_action: halt
 ```
 
 ### auditd_buffer_size
@@ -143,89 +143,90 @@ auditd_filter_rules_extra:
 
 ```YAML
 auditd_main_rules_default:
-  - comment: CIS 4.1.4 - Changes to the time
+  - comment: CIS 4.1.3.1 - Changes to system administration scope
     rule:
-      - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-      - -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-      - -a always,exit -F arch=b64 -S clock_settime -k time-change
-      - -a always,exit -F arch=b32 -S clock_settime -k time-change
+      - -w /etc/sudoers -p wa -k actions
+      - -w /etc/sudoers.d/ -p wa -k actions
+  - comment: CIS 4.1.3.4 - Events that modify date and time information
+    rule:
+      - -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
+      - -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k
+        time_change
       - -w /etc/localtime -p wa -k time-change
-  - comment: CIS 4.1.5 - Changes to user/group information
+  - comment: CIS 4.1.3.5 - Changes to the network environment
+    rule:
+      - -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+      - -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
+      - -w /etc/issue -p wa -k system-locale
+      - -w /etc/issue.net -p wa -k system-locale
+      - -w /etc/hosts -p wa -k system-locale
+      - -w /etc/sysconfig/network -p wa -k system-locale
+      - -w /etc/sysconfig/network-scripts/ -p wa -k system-locale
+  - comment: CIS 4.1.3.7 - Unsuccessful file access attempts
+    rule:
+      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
+        -F auid>=1000 -F auid!=unset -k access
+      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
+        -F auid>=1000 -F auid!=unset -k access
+      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
+        -F auid>=1000 -F auid!=unset -k access
+      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
+        -F auid>=1000 -F auid!=unset -k access
+  - comment: CIS 4.1.3.8 - Modify user/group information
     rule:
       - -w /etc/group -p wa -k identity
       - -w /etc/passwd -p wa -k identity
       - -w /etc/gshadow -p wa -k identity
       - -w /etc/shadow -p wa -k identity
       - -w /etc/security/opasswd -p wa -k identity
-  - comment: CIS 4.1.6 - Changes to the network environment
+  - comment: CIS 4.1.3.9 - Discretionary access control permission modifications
     rule:
-      - -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-      - -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-      - -w /etc/issue -p wa -k system-locale
-      - -w /etc/issue.net -p wa -k system-locale
-      - -w /etc/hosts -p wa -k system-locale
-      - -w /etc/network -p wa -k system-locale
-  - comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls
+      - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
+        -F key=perm_mod
+      - -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F
+        auid!=unset -F key=perm_mod
+      - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
+        -F key=perm_mod
+      - -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F
+        auid!=unset -F key=perm_mod
+      - -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+        -F auid>=1000 -F auid!=unset -F key=perm_mod
+      - -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+        -F auid>=1000 -F auid!=unset -F key=perm_mod
+  - comment: CIS 4.1.3.10 - Successful file system mounts
     rule:
-      - -w /etc/apparmor/ -p wa -k MAC-policy
-      - -w /etc/apparmor.d/ -p wa -k MAC-policy
-  - comment: CIS 4.1.8 - Log login/logout events
-    rule:
-      - -w /var/log/faillog -p wa -k logins
-      - -w /var/log/lastlog -p wa -k logins
-      - -w /var/log/tallylog -p wa -k logins
-  - comment: CIS 4.1.9 - Log session initiation information
+      - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+      - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+  - comment: CIS 4.1.3.11 - Session initiation information
     rule:
       - -w /var/run/utmp -p wa -k session
       - -w /var/log/wtmp -p wa -k logins
       - -w /var/log/btmp -p wa -k logins
-  - comment: CIS 4.1.10 - Log Discretionary Access Control modifications
+  - comment: CIS 4.1.3.12 - Login and logout events
     rule:
-      - -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F
-        auid!=4294967295 -k perm_mod
-      - -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F
-        auid!=4294967295 -k perm_mod
-      - -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000
-        -F auid!=4294967295 -k perm_mod
-      - -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000
-        -F auid!=4294967295 -k perm_mod
-      - -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr
-        -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-      - -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr
-        -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-  - comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts
+      - -w /var/log/lastlog -p wa -k logins
+      - -w /var/log/tallylog -p wa -k logins
+      - -w /var/run/faillock -p wa -k logins
+  - comment: CIS 4.1.3.13 - File deletion events by users
     rule:
-      - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
-        -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-      - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
-        -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-      - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
-        -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-      - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
-        -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-  - comment: CIS 4.1.13 - Log successful file system mounts
+      - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000
+        -F auid!=unset -k delete
+      - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000
+        -F auid!=unset -k delete
+  - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
     rule:
-      - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-      - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-  - comment: CIS 4.1.14 - Log file deletion Events by User
+      - -w /etc/selinux/ -p wa -k MAC-policy
+      - -w /usr/share/selinux/ -p wa -k MAC-policy
+  - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
     rule:
-      - -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F
-        auid>=1000 -F auid!=4294967295 -k delete
-      - -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F
-        auid>=1000 -F auid!=4294967295 -k delete
-  - comment: CIS 4.1.15 - Log changes to sudoers
-    rule:
-      - -w /etc/sudoers -p wa -k scope
-      - -w /etc/sudoers.d/ -p wa -k scope
-  - comment: CIS 4.1.16 - Log sudolog
-    rule:
-      - -w /var/log/sudo.log -p wa -k actions
-  - comment: CIS 4.1.17 - Log kernel module actions
-    rule:
-      - -w /sbin/insmod -p x -k modules
-      - -w /sbin/rmmod -p x -k modules
-      - -w /sbin/modprobe -p x -k modules
-      - -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+      - -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000
+        -F auid!=unset -k kernel_modules
+      - -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000
+        -F auid!=unset -k kernel_modules
+      - -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
+      - -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules
+      - -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset
+        -k kernel_modules
 ```
 
 ### auditd_main_rules_extra
@@ -251,7 +252,7 @@ auditd_max_log_file: 10
 #### Default value
 
 ```YAML
-auditd_max_log_file_action: ROTATE
+auditd_max_log_file_action: rotate
 ```
 
 ### auditd_num_logs
@@ -295,7 +296,7 @@ auditd_refuse_manual_stop: true
 #### Default value
 
 ```YAML
-auditd_space_left_action: SYSLOG
+auditd_space_left_action: email
 ```