auditd configuration

Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
2021-12-16 03:44:17 +05:30 · 2021-12-16 03:44:17 +05:30 · d62cf1510f
parent cf7a3e93e4
commit d62cf1510f
6 changed files with 38 additions and 0 deletions
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+
+
+# install yay
+cd ~
+git clone https://aur.archlinux.org/yay.git
+cd yay
+makepkg -si
+cd ..
+sudo rm -rf yay
--- a/services/audit-framework/auditd/.auread-aliases
+++ b/services/audit-framework/auditd/.auread-aliases
@ -0,0 +1,20 @@
+#!/bin/bash
+
+# aureport and ausearch
+
+alias aurepwk='aureport --start this-week'
+alias aurepwkv='aureport --start this-week --key --summary'
+
+# syscall audit rule for failure to open files due to EPERM with key field access
+
+# add to syscall.rules
+# -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
+
+# check which files have been attempted
+alias aurfilist='ausearch --start this-week -k access --raw | aureport --file --summary'
+
+# check the user accounts implicated 
+
+alias aurlusfi='ausearch --start this-week -k access --raw | aureport --user --summary'
+
+
--- a/services/audit-framework/auditd/auditd.conf
+++ b/services/audit-framework/auditd/auditd.conf
--- a/services/audit-framework/auditd/auditd.rules
+++ b/services/audit-framework/auditd/auditd.rules
--- a/services/audit-framework/auditd/rules.d/file.rules
+++ b/services/audit-framework/auditd/rules.d/file.rules
@ -0,0 +1,3 @@
+-w /etc/passwd -p rwxa
+-w /etc/sudoers -p rwxa
+-w /etc/nftables.conf -p rwxa
--- a/services/audit-framework/auditd/rules.d/syscalls.rules
+++ b/services/audit-framework/auditd/rules.d/syscalls.rules
@ -0,0 +1,4 @@
+
+-a entry,always -S chmod
+-a entry,always -S chown
+