Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / auditd / 1c3ec8da0bd713adaba1d3fdb39191a3e7a88601 / . / metadata / service / rules / ciscat.yml
blob: fca89c3f70e1d71e7b24379db7c24b1e84dad8e0 [file] [log] [blame]
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]1applications:
2- auditd
3classes:
4- service.auditd.support
5parameters:
6 auditd:
7 rules:
Ivan Suzdal9f9fbf42018-07-11 18:27:25 +0400[diff] [blame]8 filter_fs:
9 - binfmt_misc
10 - cgroup
11 - debugfs
12 - devpts
13 - devtmpfs
14 - fusectl
15 - hugetlbfs
16 - mqueue
17 - nsfs
18 - proc
19 - pstore
20 - securityfs
21 - sysfs
22 filter_paths:
23 - /var/lib/docker
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]24 options:
Ivan Suzdal91e02452018-06-20 12:33:16 +0400[diff] [blame]25 enabled: 2
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]26 bufsize: 8192
27 rules:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]28 100:
29 key: MAC_policy
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]30 enabled: true
31 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]32 - '-w /etc/apparmor/ -p wa'
33 - '-w /etc/apparmor.d/ -p wa'
34 110:
35 key: access
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]36 enabled: true
37 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]38 - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
39 - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
40 - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
41 - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
42 120:
43 key: actions
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]44 enabled: true
45 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]46 - '-w /var/log/sudo.log -p wa'
47 130:
48 key: delete
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]49 enabled: true
50 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]51 - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
52 - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
53 140:
54 key: identity
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]55 enabled: true
56 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]57 - '-w /etc/group -p wa'
58 - '-w /etc/passwd -p wa'
59 - '-w /etc/gshadow -p wa'
60 - '-w /etc/shadow -p wa'
61 - '-w /etc/security/opasswd -p wa'
62 150:
63 key: logins
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]64 enabled: true
65 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]66 - '-w /var/log/faillog -p wa'
67 - '-w /var/log/lastlog -p wa'
68 - '-w /var/log/tallylog -p wa'
69 160:
70 key: modules
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]71 enabled: true
72 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]73 - '-w /sbin/insmod -p x'
74 - '-w /sbin/rmmod -p x'
75 - '-w /sbin/modprobe -p x'
76 - '-a always,exit -F arch=b64 -S init_module -S delete_module'
77 170:
78 key: mounts
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]79 enabled: true
80 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]81 - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295'
82 - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295'
83 180:
84 key: perm_mod
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]85 enabled: true
86 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]87 - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
88 - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
89 - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
90 - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
91 - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
92 - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
93 190:
94 key: privileged
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]95 enabled: true
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]96 200:
97 key: scope
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]98 enabled: true
99 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]100 - '-w /etc/sudoers -p wa'
101 - '-w /etc/sudoers.d -p wa'
102 210:
103 key: session
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]104 enabled: true
105 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]106 - '-w /var/run/utmp -p wa'
107 - '-w /var/log/wtmp -p wa'
108 - '-w /var/log/btmp -p wa'
109 220:
110 key: system_locale
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]111 enabled: true
112 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]113 - '-a always,exit -F arch=b64 -S sethostname -S setdomainname'
114 - '-a always,exit -F arch=b32 -S sethostname -S setdomainname'
115 - '-w /etc/issue -p wa'
116 - '-w /etc/issue.net -p wa'
117 - '-w /etc/hosts -p wa'
118 - '-w /etc/network -p wa'
119 - '-w /etc/networks -p wa'
120 230:
121 key: time_change
Ivan Suzdal50a360f2018-06-04 16:07:41 +0400[diff] [blame]122 enabled: true
123 rule_list:
Ivan Suzdal1c3ec8d2018-07-30 10:11:54 +0400[diff] [blame^]124 - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday'
125 - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime'
126 - '-a always,exit -F arch=b64 -S clock_settime'
127 - '-a always,exit -F arch=b32 -S clock_settime'
128 - '-w /etc/localtime -p wa'