auditd

exemplo /etc/audit/audit.rules

## Add keys to the audit rules below using the -k option to allow for more 
## organized and quicker searches with the ausearch tool.  See auditctl(8) 
## and ausearch(8) for more information.

# Remove any existing rules
-D

# Increase buffer size to handle the increased number of messages.
-b 16384

# Failure of auditd causes a kernel panic
-f 2

## (GEN002800)The SA will configure the auditing system to audit
## logon (unsuccessful and successful) and logout (successful)
-w /bin/login -p x
-w /bin/logout -p x

## (GEN002740: CAT II) The SA will configure the auditing system to audit
## discretionary access control permission modification (unsuccessful and
## successful use of chown/chmod)
<% if architecture == "x86_64" %>
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown32 -S fchown32 -S lchown32 -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
<% end %>

<% if architecture != "x86_64" %>
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown32 -S fchown32 -S lchown32 -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
<% end %>


## (GEN002760: CAT II) The SA will configure the auditing system to audit
## unauthorized access attempts to files (unsuccessful)
<% if architecture == "x86_64" %>
-a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
<% end %>

<% if architecture != "x86_64" %>
-a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
<% end %>


## (GEN002780: CAT II) The SA will configure the auditing system to audit
## use of privileged commands (unsuccessful and successful)
-w /usr/sbin/pwck -k priv-command
-w /bin/chgrp -k priv-command
-w /usr/bin/newgrp -k priv-command
-w /usr/sbin/groupadd -k priv-command
-w /usr/sbin/groupmod -k priv-command
-w /usr/sbin/groupdel -k priv-command
-w /usr/sbin/useradd -k priv-command
-w /usr/sbin/userdel -k priv-command
-w /usr/sbin/usermod -k priv-command
-w /usr/bin/chage -k priv-command
-w /usr/bin/setfacl -k priv-command
-w /usr/bin/chacll -k priv-command



## (GEN002720: CAT II) The SA will configure the auditing system to audit
## files and programs deleted by the user (successful and unsuccessful)
<% if architecture == "x86_64" %>
-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=500 -F auid!=4294967295 -k deleted
-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=500 -F auid!=4294967295 -k deleted
-a exit,always -F arch=b32 -S link -S symlink -S acct -F auid>=500 -F auid!=4294967295 -k created
-a exit,always -F arch=b64 -S link -S symlink -S acct -F auid>=500 -F auid!=4294967295 -k created
<% end %>

<% if architecture != "x86_64" %>
-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k deleted
-a exit,always -F arch=b32 -S link -S symlink -S acct -F auid>=500 -F auid!=4294967295 -k created
<% end %>


## (GEN002820: CAT II) The SA will configure the auditing system to audit
## all system administration actions
-w /var/log/audit/audit.log -k admin-actions
-w /var/log/audit/audit[1-4].log -k admin-actions
-w /var/log/messages -k admin-actions
-w /var/log/lastlog -k admin-actions
-w /var/log/faillog -k admin-actions
-w /etc/passwd -p wa -k admin-actions
-w /etc/shadow -p wa -k admin-actions
-w /etc/group  -p wa -k admin-actions
-w /etc/ld.so.conf -p wa -k admin-actions
-w /etc/ld.so.conf.d -p wa -k admin-actions
-w /etc/ssh/sshd_config -k admin-actions
-w /etc/login.defs -k admin-actions
-w /etc/rc.d/init.d -k admin-actions
-w /etc/inittab -p wa -k admin-actions
-w /var/run/utmp -k admin-actions
-w /var/run/wtmp -k admin-actions

<% if architecture == "x86_64" %>
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -k admin-actions
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k admin-actions
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k admin-actions
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k admin-actions
-a exit,always -F arch=b32 -S mount -S chroot -S umount2 -S umount -S kill -F auid!=4294967295 -k admin-actions
-a exit,always -F arch=b64 -S mount -S chroot -S umount2 -S kill -F auid!=4294967295 -k admin-actions
-a exit,always -F arch=b32 -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S swapon -k admin-actions
-a exit,always -F arch=b64 -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S swapon -k admin-actions
<% end %>

<% if architecture != "x86_64" %>
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -k admin-actions
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k admin-actions
-a exit,always -F arch=b32 -S mount -S chroot -S umount2 -S umount -S kill -F auid!=4294967295 -k admin-actions
<% end %>
-w /etc/localtime -p wa -k time



## (GEN002840: CAT II) The SA will configure the auditing system to audit
## all security personnel actions
-w /etc/audit/auditd.conf -p wa -k security-actions
-w /etc/audit/audit.rules -p wa -k security-actions
-w /etc/selinux/config -p wa -k security-actions
-w /etc/pam.d -k admin-actions

<% if architecture == "x86_64" %>
-a exit,always -F arch=b32 -S init_module -S delete_module -k security-actions
-a exit,always -F arch=b64 -S init_module -S delete_module -k security-actions
<% end %>

<% if architecture != "x86_64" %>
-a exit,always -F arch=b32 -S init_module -S delete_module -k security-actions
<% end %>

-w /bin/su

# Enable auditing with immutability (for integrity purposes)
-e 2