Skip to content

miniHOWTO – auditd and/with simple rules

October 30, 2013



# cat /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
max_log_file = 16
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = sto@******.com
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd

#cat /etc/audit/audit.rules |grep .|grep -v ^#
-b 1024
-a exit,never -F arch=b32 -S mount
-a exit,never -F arch=b64 -S mount
-a exit,always -F arch=b32 -S unlink -S rmdir
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b32 -S stime
-a exit,always -F arch=b64 -S setrlimit
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ -p wa -k MODIFY-etc
-w /usr/bin -p x -k EXEC-usr_bin
-w /usr/sbin -p x -k EXEC-usr_sbin
-w /proc/self/environ -p wrxa -k backdoor
-w /tmp -p x -k EXEC-tmp
-a exit,always -F arch=b32 -S open -F loginuid=500
-a exit,always -F arch=b64 -S open -F loginuid=500
-e 2


From → Linux

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: