auditd configuration

Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>

scripts/install.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+
+
+# install yay
+cd ~
+git clone https://aur.archlinux.org/yay.git
+cd yay
+makepkg -si
+cd ..
+sudo rm -rf yay

services/audit-framework/auditd/.auread-aliases

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# aureport and ausearch
+
+alias aurepwk='aureport --start this-week'
+alias aurepwkv='aureport --start this-week --key --summary'
+
+# syscall audit rule for failure to open files due to EPERM with key field access
+
+# add to syscall.rules
+# -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
+
+# check which files have been attempted
+alias aurfilist='ausearch --start this-week -k access --raw | aureport --file --summary'
+
+# check the user accounts implicated 
+
+alias aurlusfi='ausearch --start this-week -k access --raw | aureport --user --summary'
+
+

services/audit-framework/auditd/rules.d/file.rules

@@ -0,0 +1,3 @@
+-w /etc/passwd -p rwxa
+-w /etc/sudoers -p rwxa
+-w /etc/nftables.conf -p rwxa

services/audit-framework/auditd/rules.d/syscalls.rules

@@ -0,0 +1,4 @@
+
+-a entry,always -S chmod
+-a entry,always -S chown
+