Minor correction to audit rules
This commit is contained in:
parent
51a5a5a5b7
commit
632571b0bb
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# Choices of components ────────────────────────────────────────────────────────────
|
||||
# NOTE: verified with `reqirements/accepted_variables.yml`, so keep them as top-level
|
||||
# NOTE: verified with `requirements/accepted_variables.yml`, so keep them as top-level
|
||||
|
||||
snapshot_tool: btrbk
|
||||
|
||||
|
|
|
@ -36,11 +36,11 @@
|
|||
-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
|
||||
|
||||
## Access to all audit trails
|
||||
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F arch=b64 -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
|
||||
-a always,exit -F arch=b64 -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
|
||||
|
||||
# Filters ---------------------------------------------------------------------
|
||||
|
||||
|
@ -59,8 +59,7 @@
|
|||
{% endif %}
|
||||
|
||||
## High Volume Event Filter (especially on Linux Workstations)
|
||||
-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
|
||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
|
||||
-a never,exit -F arch=b64 -F dir=/dev/shm/ -F key=sharedmemaccess
|
||||
|
||||
# Rules -----------------------------------------------------------------------
|
||||
|
||||
|
@ -96,14 +95,18 @@
|
|||
-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
|
||||
|
||||
## Cron configuration & scheduled jobs
|
||||
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
|
||||
{% if crond_provider == 'cronie' %}
|
||||
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
|
||||
{% endif %}
|
||||
{% if crond_provider == 'fcron' %}
|
||||
-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
|
||||
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
|
||||
{% endif %}
|
||||
|
||||
## User, group, password databases
|
||||
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
|
||||
|
@ -183,7 +186,7 @@
|
|||
-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
|
||||
|
||||
## Session initiation information
|
||||
-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
|
||||
-a always,exit -F arch=b64 -F dir=/var/log/swtpm/ -F perm=wa -F key=session
|
||||
|
||||
# Special Rules ---------------------------------------------------------------
|
||||
|
||||
|
|
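Review bot: In the `@ -96,14 +95,18 @@` hunk the cron watches are now emitted only when `crond_provider` is `cronie` or `fcron`; for any other value (the `/etc/crontabs/` and `/etc/periodic/` paths suggest a busybox crond is also expected) the template appears to lose the coverage the previously unconditional rules gave, and it does so silently at render time. I would keep the provider-independent rules for `/etc/crontabs/`, `/var/spool/cron/` and `/etc/periodic/` outside the conditionals and let each `{% if %}` branch add only its provider-specific paths, which also removes the duplicated rules in the fcron branch. In the `@ -183,7 +186,7 @@` hunk, `/var/log/swtpm/` under `## Session initiation information` reads as a mismatch: swtpm is the software TPM emulator, whereas session records normally live in `/var/run/utmp`, `/var/log/wtmp` and `/var/log/btmp`, so either the heading or the path should be corrected.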