7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
Audit rules that persist across reboots are defined in the /etc/audit/audit.rules file. This file uses the same auditctl command line syntax to specify the rules. Any empty lines or any text following a hash sign (#) is ignored.
The auditctl command can also be used to read rules from a specified file with the -R option, for example:
auditctl -R /usr/share/doc/audit-version/stig.rules
Defining Control Rules
A rules file can also contain control rules that modify the behavior of the Audit system, such as -D, -b, -e, -f, and -r (the options used in Example 7.3). For more information on these options, see the section called “Defining Control Rules”.
Example 7.3. Control rules in audit.rules
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
# Panic when a failure occurs
-f 2
# Generate at most 100 audit messages per second
-r 100
Defining File System and System Call Rules
File system and system call rules are defined using the auditctl syntax. The examples in Section 7.5.1, “Defining Audit Rules with the auditctl Utility” can be represented with the following rules file:
Example 7.4. File system and system call rules in audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
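As an added example (not part of the Red Hat guide), the following Python script parses a file written in the audit.rules syntax described above, ignoring blank lines and text after a hash sign, and flags three mistakes worth catching before the file is loaded: a -e 2 line that is not last (everything after it is rejected once the configuration is locked), a watch or syscall rule with no -k key, and a syscall rule with no -F arch filter. The sample rules, the function names and the CONTROL_OPTIONS set (taken from Example 7.3) are assumptions made for this example.

```python
import shlex

# Control options are the ones Example 7.3 uses; anything else is a watch (-w) or syscall (-a) rule.
CONTROL_OPTIONS = {"-D", "-b", "-e", "-f", "-r"}

# Constructed sample in audit.rules syntax (not taken from any real host).
SAMPLE_RULES = """\
# Delete all previous rules
-D
-b 8192          # text after a hash sign is ignored

-w /etc/passwd -p wa -k passwd_changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -F auid>=500 -F auid!=4294967295
-e 2
-r 100
"""


def parse_audit_rules(text):
    """Return one dict per active rule, skipping blank lines and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comment text, then blanks
        if not line:
            continue
        tokens, pairs, i = shlex.split(line), [], 0
        while i < len(tokens):  # group each option with its value, if any
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            value = nxt if nxt is not None and not nxt.startswith("-") else None
            pairs.append((tokens[i], value))
            i += 2 if value is not None else 1
        first = pairs[0][0]
        kind = "control" if first in CONTROL_OPTIONS else {"-w": "watch", "-a": "syscall"}.get(first, "other")
        rules.append({"line": lineno, "kind": kind, "pairs": pairs})
    return rules


def lint_audit_rules(rules):
    """Flag mistakes that silently weaken a rules file; returns warning strings."""
    warnings = []
    for idx, rule in enumerate(rules):
        flags = [flag for flag, _ in rule["pairs"]]
        if ("-e", "2") in rule["pairs"] and idx != len(rules) - 1:
            warnings.append(f"line {rule['line']}: -e 2 locks the configuration, so later rules are rejected; put it last")
        if rule["kind"] in ("watch", "syscall") and "-k" not in flags:
            warnings.append(f"line {rule['line']}: no -k key, so ausearch -k cannot find this rule's events")
        if rule["kind"] == "syscall" and not any(f == "-F" and v and v.startswith("arch=") for f, v in rule["pairs"]):
            warnings.append(f"line {rule['line']}: syscall rule without -F arch=, names resolve for auditctl's own ABI only")
    return warnings
```

Running lint_audit_rules(parse_audit_rules(SAMPLE_RULES)) reports two problems on the unlink rule and one for the misplaced -e 2.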
Preconfigured Rules Files
In the /usr/share/doc/audit-version/ directory, the audit package provides a set of pre-configured rules files according to various certification standards:
nispom.rules — Audit rule configuration that meets the requirements specified in Chapter 8 of the National Industrial Security Program Operating Manual.
capp.rules — Audit rule configuration that meets the requirements set by Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification.
lspp.rules — Audit rule configuration that meets the requirements set by Labeled Security Protection Profile (LSPP), which is a part of the Common Criteria certification.
stig.rules — Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).
To use one of these files, first create a backup of your original /etc/audit/audit.rules file and then copy the configuration file of your choice over the /etc/audit/audit.rules file:
~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules