{"id":1509,"date":"2017-05-25T13:12:39","date_gmt":"2017-05-25T17:12:39","guid":{"rendered":"https:\/\/easy-admin.ca\/?p=1509"},"modified":"2017-06-08T22:43:52","modified_gmt":"2017-06-09T02:43:52","slug":"auditd-service","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2017\/05\/25\/auditd-service\/","title":{"rendered":"Auditd service"},"content":{"rendered":"<p>Reload the systemd daemon to pick up changes made to the auditd service unit file:<\/p>\n<pre><code>systemctl daemon-reload<\/code><\/pre>\n<p>Restart the auditd service: <em>service auditd restart<\/em><\/p>\n<p><strong>RULE EXAMPLES<\/strong><\/p>\n<pre><code>## Remove any existing rules\r\n-D\r\n\r\n## Buffer Size\r\n## Feel free to increase this if the machine panics\r\n-b 8192\r\n\r\n## Failure Mode\r\n## Possible values are 0 (silent), 1 (printk, print a failure message),\r\n## and 2 (panic, halt the system).\r\n-f 1\r\n\r\n## Audit the audit logs.\r\n## successful and unsuccessful attempts to read information from the\r\n## audit records; all modifications to the audit trail\r\n-w \/var\/log\/audit\/ -k auditlog\r\n\r\n## Auditd configuration\r\n## modifications to audit configuration that occur while the audit\r\n## collection functions are operating.\r\n-w \/etc\/audit\/ -p wa -k auditconfig\r\n-w \/etc\/libaudit.conf -p wa -k auditconfig\r\n-w \/etc\/audisp\/ -p wa -k audispconfig\r\n\r\n## Monitor for use of audit management tools\r\n-w \/sbin\/auditctl -p x -k audittools\r\n-w \/sbin\/auditd -p x -k audittools\r\n\r\n## special files\r\n-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles\r\n-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles\r\n\r\n## Mount operations\r\n-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount\r\n-a exit,always -F arch=b64 -S mount -S umount2 -k mount\r\n\r\n## changes to the time\r\n##\r\n-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time\r\n-a exit,always -F arch=b64 -S 
adjtimex -S settimeofday -S clock_settime -k time\r\n\r\n## Use stunnel\r\n-w \/usr\/sbin\/stunnel -p x -k stunnel\r\n\r\n## cron configuration &amp; scheduled jobs\r\n-w \/etc\/cron.allow -p wa -k cron\r\n-w \/etc\/cron.deny -p wa -k cron\r\n-w \/etc\/cron.d\/ -p wa -k cron\r\n-w \/etc\/cron.daily\/ -p wa -k cron\r\n-w \/etc\/cron.hourly\/ -p wa -k cron\r\n-w \/etc\/cron.monthly\/ -p wa -k cron\r\n-w \/etc\/cron.weekly\/ -p wa -k cron\r\n-w \/etc\/crontab -p wa -k cron\r\n-w \/var\/spool\/cron\/crontabs\/ -k cron\r\n\r\n## user, group, password databases\r\n-w \/etc\/group -p wa -k etcgroup\r\n-w \/etc\/passwd -p wa -k etcpasswd\r\n-w \/etc\/gshadow -k etcgroup\r\n-w \/etc\/shadow -k etcpasswd\r\n-w \/etc\/security\/opasswd -k opasswd\r\n\r\n## monitor usage of passwd\r\n-w \/usr\/bin\/passwd -p x -k passwd_modification\r\n\r\n#Monitor for use of tools to change group identifiers\r\n-w \/usr\/sbin\/groupadd -p x -k group_modification\r\n-w \/usr\/sbin\/groupmod -p x -k group_modification\r\n-w \/usr\/sbin\/addgroup -p x -k group_modification\r\n-w \/usr\/sbin\/useradd -p x -k user_modification\r\n-w \/usr\/sbin\/usermod -p x -k user_modification\r\n-w \/usr\/sbin\/adduser -p x -k user_modification\r\n\r\n## login configuration and information\r\n-w \/etc\/login.defs -p wa -k login\r\n-w \/etc\/securetty -p wa -k login\r\n-w \/var\/log\/faillog -p wa -k login\r\n-w \/var\/log\/lastlog -p wa -k login\r\n-w \/var\/log\/tallylog -p wa -k login\r\n\r\n## network configuration\r\n-w \/etc\/hosts -p wa -k hosts\r\n-w \/etc\/network\/ -p wa -k network\r\n\r\n## system startup scripts\r\n-w \/etc\/inittab -p wa -k init\r\n-w \/etc\/init.d\/ -p wa -k init\r\n-w \/etc\/init\/ -p wa -k init\r\n\r\n## library search paths\r\n-w \/etc\/ld.so.conf -p wa -k libpath\r\n\r\n## local time zone\r\n-w \/etc\/localtime -p wa -k localtime\r\n\r\n## kernel parameters\r\n-w \/etc\/sysctl.conf -p wa -k sysctl\r\n\r\n## modprobe configuration\r\n-w \/etc\/modprobe.conf -p wa -k 
modprobe\r\n\r\n## pam configuration\r\n-w \/etc\/pam.d\/ -p wa -k pam\r\n-w \/etc\/security\/limits.conf -p wa -k pam\r\n-w \/etc\/security\/pam_env.conf -p wa -k pam\r\n-w \/etc\/security\/namespace.conf -p wa -k pam\r\n-w \/etc\/security\/namespace.init -p wa -k pam\r\n\r\n## GDS specific secrets\r\n-w \/etc\/puppet\/ssl -p wa -k puppet_ssl\r\n\r\n## postfix configuration\r\n-w \/etc\/aliases -p wa -k mail\r\n-w \/etc\/postfix\/ -p wa -k mail\r\n\r\n## ssh configuration\r\n-w \/etc\/ssh\/sshd_config -k sshd\r\n\r\n## changes to hostname\r\n-a exit,always -F arch=b32 -S sethostname -k hostname\r\n-a exit,always -F arch=b64 -S sethostname -k hostname\r\n\r\n## changes to issue\r\n-w \/etc\/issue -p wa -k etcissue\r\n-w \/etc\/issue.net -p wa -k etcissue\r\n\r\n## this was too noisy currently.\r\n# log all commands executed by an effective id of 0 aka root.\r\n-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd\r\n-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd\r\n\r\n## Capture all failures to access on critical elements\r\n-a exit,always -F arch=b64 -S open -F dir=\/etc -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/bin -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/sbin -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/usr\/bin -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/usr\/sbin -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/var -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/home -F success=0 -k unauthedfileacess\r\n-a exit,always -F arch=b64 -S open -F dir=\/srv -F success=0 -k unauthedfileacess\r\n\r\n## Monitor for use of process ID change (switching accounts) applications\r\n-w \/bin\/su -p x -k priv_esc\r\n-w \/usr\/bin\/sudo -p x -k priv_esc\r\n-w \/etc\/sudoers -p rw -k priv_esc\r\n\r\n## Monitor usage of commands to change power 
state\r\n-w \/sbin\/shutdown -p x -k power\r\n-w \/sbin\/poweroff -p x -k power\r\n-w \/sbin\/reboot -p x -k power\r\n-w \/sbin\/halt -p x -k power\r\n\r\n## Make the configuration immutable\r\n-e 2<\/code><\/pre>\n<p>P.S. After a reboot, total crash with <strong><em>auditd, IP internal Conflict! and total CSF block! Good luck with this one!<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reload the systemd daemon to pick up changes made to the auditd service unit file: systemctl daemon-reload Restart the auditd service: service auditd restart RULE EXAMPLES ## Remove any existing rules -D ## Buffer Size ## Feel free to increase this if the machine panics -b 8192 ## Failure Mode ## Possible values are 0 (silent), 1 (printk, &hellip; <a href=\"https:\/\/easy-admin.ca\/index.php\/2017\/05\/25\/auditd-service\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Auditd service<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1509","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1509"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1509\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1509"}],"wp:term":[{"ta
xonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}