RHEL audit configuration: /etc/audit/audit.rules

Posted by fjzcau on 2015-01-24
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
# Enable auditing

-e 1

## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -p wa -k CFG_securetty
-w /var/log/faillog -p wa -k LOG_faillog
-w /var/log/lastlog -p wa -k LOG_lastlog
-w /var/log/tallylog -p wa -k LOG_tallylog

## directory operations
#-a entry,always -S mkdir -S mkdirat -S rmdir
-a entry,always -F arch=b64 -S mkdir -S rmdir

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
#-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root

## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

# ----- File System audit rules -----
# Add a watch on "passwd" with the arbitrary filterkey "fk_passwd" that
# generates records for "reads, writes, executes, and appends" on "passwd"
-w /etc/passwd -k fk_passwd -p rwxa

# Add a watch on "shadow" with a NULL filterkey that has permissions
# filtering turned off
-w /etc/shadow
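Added example, not part of the original post: a small Python linter for rules in this format. It flags what a reviewer would raise about the listing above: /etc/passwd and /etc/shadow are each watched twice with different keys, the final `-w /etc/shadow` carries no `-k` key, and `entry,always` is a deprecated filter. The embedded excerpt is constructed from the rules above; the suggested merged rule and key placeholder are the linter's own output, not from the page.

```python
import shlex
from collections import defaultdict

# Constructed excerpt of the rules listed on this page (not the full file).
SAMPLE_RULES = """\
-D
-b 320
-e 1
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/shadow -k CFG_shadow
-a entry,always -F arch=b64 -S mkdir -S rmdir
-w /etc/passwd -k fk_passwd -p rwxa
-w /etc/shadow
"""

def parse_rules(text):
    """Reduce each active line to the auditctl options the checks below need."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        rule = {"line": lineno, "path": None, "perms": "rwxa", "key": None, "filter": None}
        for opt, dest in (("-w", "path"), ("-p", "perms"), ("-k", "key"), ("-a", "filter")):
            if opt in argv:  # first occurrence of the option is used
                rule[dest] = argv[argv.index(opt) + 1]
        rules.append(rule)
    return rules

def lint(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings, watches = [], defaultdict(list)
    for r in parse_rules(text):
        if r["path"]:
            watches[r["path"]].append(r)
            if r["key"] is None:  # no -p still means rwxa, but no -k means key=(null)
                findings.append(f"line {r['line']}: watch on {r['path']} has no -k key, "
                                "so `ausearch -k` cannot select its events")
        if r["filter"] and r["filter"].split(",")[0] == "entry":
            findings.append(f"line {r['line']}: 'entry' filter is deprecated; auditctl "
                            "rewrites it to 'exit', so write 'exit,always' explicitly")
    for path, rs in watches.items():
        if len(rs) > 1:  # duplicate watches: merge perms and keep a single key
            lines = ", ".join(str(r["line"]) for r in rs)
            perms = "".join(c for c in "rwxa" if any(c in r["perms"] for r in rs))
            findings.append(f"{path} is watched {len(rs)} times (lines {lines}); "
                            f"merge into one rule: -w {path} -p {perms} -k <one key>")
    return findings
```

Run `lint(open("/etc/audit/audit.rules").read())` against the real file before `auditctl -R`; a clean result keeps every watched path searchable by exactly one key.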

From the "ITPUB blog", link: http://blog.itpub.net/22661144/viewspace-1413417/. Please cite the source when reprinting; otherwise legal responsibility will be pursued.
