2 OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
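# Audit rule set in auditctl(8) syntax, one rule per entry. Every syscall rule
# here is pinned to `-F arch=b64`; syscalls made through the 32-bit ABI on an
# x86_64 node (32-bit binaries) are therefore not recorded. If such binaries can
# run on these nodes, each b64 syscall rule needs an `arch=b32` twin with the
# same key. Watch rules (`-w PATH -p wa`) are arch-independent.
#
# Filters used below: `auid>=1000` limits a rule to sessions of real (non-system)
# users; `auid!=4294967295` excludes processes whose login uid was never set
# (daemons, boot-time jobs), so they do not flood the log.
6 'Record attempts to alter time through adjtimex':
7 content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
9 'Record attempts to alter time through settimeofday':
10 content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
12 'Record Attempts to Alter Time Through stime':
# stime exists only in the 32-bit syscall table: with arch=b64 auditctl rejects
# this rule ("Syscall name unknown: stime"), and depending on how the rule file
# is loaded (auditctl -R without -c) the rejection can stop the rules after it
# from loading. The rule is therefore pinned to the 32-bit ABI, which is the only
# place stime can be called from on an x86_64 host.
13 content: '-a always,exit -F arch=b32 -S stime -k audit_time_rules'
15 'Record Attempts to Alter Time Through clock_settime':
16 content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
18 'Record Attempts to Alter the localtime File':
19 content: '-w /etc/localtime -p wa -k audit_time_rules'
# DAC changes: one rule per syscall, all sharing the perm_mod key so they can be
# searched together (ausearch -k perm_mod).
21 'Record Events that Modify the Systems Discretionary Access Controls - chmod':
22 content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
24 'Record Events that Modify the Systems Discretionary Access Controls - chown':
25 content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
27 'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
28 content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
30 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
31 content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
33 'Record Events that Modify the Systems Discretionary Access Controls - fchown':
34 content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
36 'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
37 content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
39 'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
40 content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
42 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
43 content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
45 'Record Events that Modify the Systems Discretionary Access Controls - lchown':
46 content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
48 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
49 content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
51 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
52 content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
54 'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
55 content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
57 'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
58 content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
# Account database watches: `-p wa` records writes and attribute changes (owner,
# mode, xattr), not reads.
60 'Record Events that Modify User/Group Information - /etc/group':
61 content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
63 'Record Events that Modify User/Group Information - /etc/passwd':
64 content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
66 'Record Events that Modify User/Group Information - /etc/gshadow':
67 content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
69 'Record Events that Modify User/Group Information - /etc/shadow':
70 content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
72 'Record Events that Modify User/Group Information - /etc/opasswd':
73 content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
75 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
76 content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
78 'Record Events that Modify the Systems Network Environment - /etc/issue':
79 content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
81 'Record Events that Modify the Systems Network Environment - /etc/issue.net':
82 content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
84 'Record Events that Modify the Systems Network Environment - /etc/hosts':
85 content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
87 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
88 content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
# Directory watch: covers the SELinux policy and config tree recursively.
90 'Record Events that Modify the Systems Mandatory Access Controls':
91 content: '-w /etc/selinux/ -p wa -k MAC-policy'
# Failed opens: two rules are needed because a single `-F exit=` filter matches
# one errno only (EACCES = DAC denial, EPERM = other permission denial).
93 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
94 content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
96 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
97 content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
# SETUID_PROG_PATH is a placeholder, not a path that exists on any node: as
# written this rule records nothing. It must be expanded into one rule per
# setuid/setgid binary on the node (the list comes from something like
# `find / -xdev -type f \( -perm -4000 -o -perm -2000 \)`), and refreshed when
# packages change.
99 'Ensure auditd Collects Information on the Use of Privileged Commands':
100 content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
# No `-F exit=` filter here, so every mount attempt by a real user is recorded,
# failed ones included, despite the "(successful)" wording of the key.
102 'Ensure auditd Collects Information on Exporting to Media (successful)':
103 content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
# renameat2 is not in this list; a rename issued through it is not recorded.
105 'Ensure auditd Collects File Deletion Events by User':
106 content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
# Only the main sudoers file is watched; drop-ins under /etc/sudoers.d/ are not
# covered by this rule and would need a second `-w /etc/sudoers.d/ -p wa -k actions`.
108 'Ensure auditd Collects System Administrator Actions':
109 content: '-w /etc/sudoers -p wa -k actions'
# These watch execution of the userspace helpers only. A loader that calls
# init_module/finit_module/delete_module directly, or a renamed copy of these
# binaries, is not recorded; a syscall rule on those three calls with the same
# key closes that gap.
111 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
112 content: '-w /usr/sbin/insmod -p x -k modules'
114 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
115 content: '-w /usr/sbin/rmmod -p x -k modules'
117 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
118 content: '-w /usr/sbin/modprobe -p x -k modules'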