7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
To define Audit rules that are persistent across reboots, you must include them in the
/etc/audit/audit.rulesfile. This file uses the same
auditctlcommand line syntax to specify the rules. Any empty lines or any text following a hash sign (
#) is ignored.
auditctlcommand can also be used to read rules from a specified file with the
-Roption, for example:
auditctl -R /usr/share/doc/audit-version/stig.rules
Defining Control Rules
A file can contain only the following control rules that modify the behavior of the Audit system:
-r. For more information on these options, see the section called “Defining Control Rules”.
Example 7.3. Control rules in
# Delete all previous rules -D # Set buffer size -b 8192 # Make the configuration immutable -- reboot is required to change audit rules -e 2 # Panic when a failure occurs -f 2 # Generate at most 100 audit messages per second -r 100
Defining File System and System Call Rules
File system and system call rules are defined using the
auditctlsyntax. The examples in Section 7.5.1, “Defining Audit Rules with the auditctl Utility” can be represented with the following rules file:
Example 7.4. File system and system call rules in
-w /etc/passwd -p wa -k passwd_changes -w /etc/selinux/ -p wa -k selinux_changes -w /sbin/insmod -p x -k module_insertion -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
Preconfigured Rules Files
/usr/share/doc/audit-version/directory, the audit package provides a set of pre-configured rules files according to various certification standards:
nispom.rules— Audit rule configuration that meets the requirements specified in Chapter 8 of the National Industrial Security Program Operating Manual.
capp.rules— Audit rule configuration that meets the requirements set by Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification.
lspp.rules— Audit rule configuration that meets the requirements set by Labeled Security Protection Profile (LSPP), which is a part of the Common Criteria certification.
stig.rules— Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).
To use these configuration files, create a backup of your original
/etc/audit/audit.rulesfile and copy the configuration file of your choice over the
cp /etc/audit/audit.rules /etc/audit/audit.rules_backup~]#
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules