132 lines
7.0 KiB
YAML
132 lines
7.0 KiB
YAML
---
|
|
# @var auditd_exclude_rule_stages:description: >
|
|
# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
|
|
# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
|
|
# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"]
|
|
auditd_exclude_rule_stages: []
|
|
|
|
# @var auditd_refuse_manual_stop:description: >
|
|
# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
|
|
# For security reasons, this option should only be disabled for testing purposes.
|
|
auditd_refuse_manual_stop: True
|
|
auditd_reboot_on_change: False
|
|
|
|
# @var auditd_config_immutable:description: >
|
|
# The auditd daemon is configured to use the augenrules program to read audit rules during
|
|
# daemon startup (the default), use this option to make the auditd configuration immutable.
|
|
auditd_config_immutable: False
|
|
|
|
auditd_buffer_size: 8192
|
|
# @var auditd_failure_mode:description: >
|
|
# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
|
|
auditd_failure_mode: 1
|
|
|
|
# @var auditd_max_log_file:description: Maximum size of a single logfile (MB)
|
|
auditd_max_log_file: 10
|
|
# @var auditd_num_logs:description: Number of logs to keep
|
|
auditd_num_logs: 5
|
|
|
|
auditd_space_left_action: email
|
|
auditd_action_mail_acct: root
|
|
auditd_admin_space_left_action: halt
|
|
auditd_max_log_file_action: rotate
|
|
|
|
auditd_filter_rules_default:
|
|
- comment: Ignore current working directory records
|
|
rule: "-a always,exclude -F msgtype=CWD"
|
|
- comment: Ignore EOE records (End Of Event, not needed)
|
|
rule: "-a always,exclude -F msgtype=EOE"
|
|
- comment: Cron jobs fill the logs with stuff we normally don't want
|
|
rule:
|
|
- "-a never,user -F subj_type=crond_t"
|
|
- "-a exit,never -F subj_type=crond_t"
|
|
- comment: This is not very interesting and wastes a lot of space if the server is public facing
|
|
rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER"
|
|
- comment: High Volume Event Filter
|
|
rule:
|
|
- "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess"
|
|
- "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess"
|
|
- "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
|
|
- "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"
|
|
|
|
# @var auditd_filter_rules_extra:example: >
|
|
# auditd_filter_rules_extra:
|
|
# - comment: Ignore current working directory records # defaults to not set
|
|
# rule: '-a always,exclude -F msgtype=CWD' # can be list or string
|
|
# state: present # defaults to present
|
|
auditd_filter_rules_extra: []
|
|
|
|
auditd_main_rules_default:
|
|
- comment: CIS 4.1.3.1 - Changes to system administration scope
|
|
rule:
|
|
- "-w /etc/sudoers -p wa -k actions"
|
|
- "-w /etc/sudoers.d/ -p wa -k actions"
|
|
- comment: CIS 4.1.3.4 - Events that modify date and time information
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change"
|
|
- "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change"
|
|
- "-w /etc/localtime -p wa -k time-change"
|
|
- comment: CIS 4.1.3.5 - Changes to the network environment
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale"
|
|
- "-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale"
|
|
- "-w /etc/issue -p wa -k system-locale"
|
|
- "-w /etc/issue.net -p wa -k system-locale"
|
|
- "-w /etc/hosts -p wa -k system-locale"
|
|
- "-w /etc/sysconfig/network -p wa -k system-locale"
|
|
- "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
|
|
- comment: CIS 4.1.3.7 - Unsuccessful file access attempts
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
|
|
- "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
|
|
- "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
|
|
- "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
|
|
- comment: CIS 4.1.3.8 - Modify user/group information
|
|
rule:
|
|
- "-w /etc/group -p wa -k identity"
|
|
- "-w /etc/passwd -p wa -k identity"
|
|
- "-w /etc/gshadow -p wa -k identity"
|
|
- "-w /etc/shadow -p wa -k identity"
|
|
- "-w /etc/security/opasswd -p wa -k identity"
|
|
- comment: CIS 4.1.3.9 - Discretionary access control permission modifications
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
|
- "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
|
- "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
|
- "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
|
- "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
|
- "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
|
- comment: CIS 4.1.3.10 - Successful file system mounts
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
|
|
- "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
|
|
- comment: CIS 4.1.3.11 - Session initiation information
|
|
rule:
|
|
- "-w /var/run/utmp -p wa -k session"
|
|
- "-w /var/log/wtmp -p wa -k logins"
|
|
- "-w /var/log/btmp -p wa -k logins"
|
|
- comment: CIS 4.1.3.12 - Login and logout events
|
|
rule:
|
|
- "-w /var/log/lastlog -p wa -k logins"
|
|
- "-w /var/log/tallylog -p wa -k logins"
|
|
- "-w /var/run/faillock -p wa -k logins"
|
|
- comment: CIS 4.1.3.13 - File deletion events by users
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
|
|
- "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
|
|
- comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
|
|
rule:
|
|
- "-w /etc/selinux/ -p wa -k MAC-policy"
|
|
- "-w /usr/share/selinux/ -p wa -k MAC-policy"
|
|
- comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
|
|
rule:
|
|
- "-a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
|
|
- "-a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
|
|
- "-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules"
|
|
- "-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules"
|
|
- "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules"
|
|
auditd_main_rules_extra: []
|
|
|
|
auditd_optional_rules_default: []
|
|
auditd_optional_rules_extra: []
|