Minor correction to audit rules
This commit is contained in:
parent
51a5a5a5b7
commit
632571b0bb
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
# Choices of components ────────────────────────────────────────────────────────────
|
# Choices of components ────────────────────────────────────────────────────────────
|
||||||
# NOTE: verified with `reqirements/accepted_variables.yml`, so keep them as top-level
|
# NOTE: verified with `requirements/accepted_variables.yml`, so keep them as top-level
|
||||||
|
|
||||||
snapshot_tool: btrbk
|
snapshot_tool: btrbk
|
||||||
|
|
||||||
|
|
|
@ -36,11 +36,11 @@
|
||||||
-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
|
-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
|
||||||
|
|
||||||
## Access to all audit trails
|
## Access to all audit trails
|
||||||
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
|
-a always,exit -F arch=b64 -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
|
||||||
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
|
-a always,exit -F arch=b64 -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
|
||||||
-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
|
-a always,exit -F arch=b64 -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
|
||||||
-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
|
-a always,exit -F arch=b64 -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
|
||||||
-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
|
-a always,exit -F arch=b64 -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
|
||||||
|
|
||||||
# Filters ---------------------------------------------------------------------
|
# Filters ---------------------------------------------------------------------
|
||||||
|
|
||||||
|
@ -59,8 +59,7 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
## High Volume Event Filter (especially on Linux Workstations)
|
## High Volume Event Filter (especially on Linux Workstations)
|
||||||
-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
|
-a never,exit -F arch=b64 -F dir=/dev/shm/ -F key=sharedmemaccess
|
||||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
|
|
||||||
|
|
||||||
# Rules -----------------------------------------------------------------------
|
# Rules -----------------------------------------------------------------------
|
||||||
|
|
||||||
|
@ -96,14 +95,18 @@
|
||||||
-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
|
-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
|
||||||
|
|
||||||
## Cron configuration & scheduled jobs
|
## Cron configuration & scheduled jobs
|
||||||
|
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
|
||||||
|
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
|
||||||
|
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
|
||||||
|
{% if crond_provider == 'cronie' %}
|
||||||
|
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
|
||||||
-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
|
-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
|
||||||
-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
|
-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
|
||||||
|
{% endif %}
|
||||||
|
{% if crond_provider == 'fcron' %}
|
||||||
-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
|
-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
|
||||||
-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
|
|
||||||
-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
|
|
||||||
-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
|
|
||||||
-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
|
-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
|
||||||
-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
|
{% endif %}
|
||||||
|
|
||||||
## User, group, password databases
|
## User, group, password databases
|
||||||
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
|
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
|
||||||
|
@ -183,7 +186,7 @@
|
||||||
-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
|
-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
|
||||||
|
|
||||||
## Session initiation information
|
## Session initiation information
|
||||||
-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
|
-a always,exit -F arch=b64 -F dir=/var/log/swtpm/ -F perm=wa -F key=session
|
||||||
|
|
||||||
# Special Rules ---------------------------------------------------------------
|
# Special Rules ---------------------------------------------------------------
|
||||||
|
|
||||||
|
|
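Review bot: The corrected path on the new side of the session hunk, `-F dir=/var/log/swtpm/` under "## Session initiation information" with key=session, names the log directory of swtpm (the software TPM emulator), which has nothing to do with logins; the old `swtmp` looks like a typo for `wtmp`, so the correction appears to have gone the wrong way. The login accounting records are files rather than a directory, so the rule would read `-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F key=session` and `-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F key=session` (these are the conventional paths — confirm against the target distribution). Separately, in the cron hunk `/etc/cron.d/` is dropped from the fcron block and re-added only inside `{% if crond_provider == 'cronie' %}`, so hosts with crond_provider set to fcron lose the watch on that directory that the previous version had; if fcron on the target reads /etc/cron.d/, keep that line in the unconditional group next to `/etc/crontabs/` and `/var/spool/cron/`.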