Differences

This shows you the differences between two versions of the page.

--- auditing:list_auditd_rules [2016/07/16 08:57] – created peter
+++ auditing:list_auditd_rules [2019/11/26 20:10] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Auditing - List auditd rules ======
-The first time that auditd is installed there will be no rules available yet.
-Check what audit rules are set:
-<code bash>
-sudo auditctl -l
-</code>
-Result:
-If no rules were set:
-<code>
-No rules
-</code>
-otherwise, something like this:
-<code>
--a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
--a always,exit -F arch=b64 -S mount,umount2 -F key=mount
--a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time
--w /etc/cron.allow -p wa -k cron
--w /etc/cron.deny -p wa -k cron
--w /etc/cron.d/ -p wa -k cron
--w /etc/cron.daily/ -p wa -k cron
--w /etc/cron.hourly/ -p wa -k cron
--w /etc/cron.monthly/ -p wa -k cron
--w /etc/cron.weekly/ -p wa -k cron
--w /etc/crontab -p wa -k cron
--w /var/spool/cron/crontabs/ -p rwxa -k cron
--w /etc/group -p wa -k etcgroup
--w /etc/passwd -p wa -k etcpasswd
--w /etc/gshadow -p rwxa -k etcgroup
--w /etc/shadow -p rwxa -k etcpasswd
--w /etc/security/opasswd -p rwxa -k opasswd
--w /usr/bin/passwd -p x -k passwd_modification
--w /usr/sbin/groupadd -p x -k group_modification
--w /usr/sbin/groupmod -p x -k group_modification
--w /usr/sbin/addgroup -p x -k group_modification
--w /usr/sbin/useradd -p x -k user_modification
--w /usr/sbin/usermod -p x -k user_modification
--w /usr/sbin/adduser -p x -k user_modification
--w /etc/login.defs -p wa -k login
--w /etc/securetty -p wa -k login
--w /var/log/faillog -p wa -k login
--w /var/log/lastlog -p wa -k login
--w /var/log/tallylog -p wa -k login
--w /etc/hosts -p wa -k hosts
--w /etc/network/ -p wa -k network
--w /etc/inittab -p wa -k init
--w /etc/init.d/ -p wa -k init
--w /etc/init/ -p wa -k init
--w /etc/ld.so.conf -p wa -k libpath
--w /etc/localtime -p wa -k localtime
--w /etc/sysctl.conf -p wa -k sysctl
--w /etc/modprobe.conf -p wa -k modprobe
--w /etc/pam.d/ -p wa -k pam
--w /etc/security/limits.conf -p wa -k pam
--w /etc/security/pam_env.conf -p wa -k pam
--w /etc/security/namespace.conf -p wa -k pam
--w /etc/security/namespace.init -p wa -k pam
--w /etc/aliases -p wa -k mail
--w /etc/postfix -p wa -k mail
--w /etc/ssh/sshd_config -p rwxa -k sshd
--a always,exit -F arch=b64 -S sethostname -F key=hostname
--w /etc/issue -p wa -k etcissue
--w /etc/issue.net -p wa -k etcissue
--a always,exit -F arch=b64 -S execve -F euid=0 -F key=rootcmd
--a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
--a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileacess
--w /bin/su -p x -k priv_esc
--w /usr/bin/sudo -p x -k priv_esc
--w /etc/sudoers -p rw -k priv_esc
--w /sbin/shutdown -p x -k power
--w /sbin/poweroff -p x -k power
--w /sbin/reboot -p x -k power
--w /sbin/halt -p x -k power
-</code>