Creating Audit Rules
Create audit rules in the /etc/audit/audit.rules configuration
file to collect more relevant data for analysis.
By default, auditing captures specific events such as system logins, modifications to
accounts, and sudo actions. You can configure auditing to capture
detailed system call activity and modifications to certain files. The kernel audit daemon
(auditd) records the events that you configure, including the event type, a
timestamp, the associated user ID, and whether a system call succeeded or failed.
The entries in the audit rules file, /etc/audit/audit.rules, configure
which events are audited. Each rule is a line of command-line options that is passed to the
auditctl command when the rules are loaded. Configure this file to match your organization's
security policy.
The following are examples of rules that can be set in the
/etc/audit/audit.rules file:
To record all unsuccessful exits from the open and
truncate system calls for files in
the /etc directory hierarchy, add the following line:
-a exit,always -S open -S truncate -F /etc -F success=0
To record all files opened by a user with a UID value of 10, add the following line:
-a exit,always -S open -F uid=10
To record all files that have been revised or whose attributes were changed by any
user who originally signed in with a UID value of
500 or greater, add the following line:
-a exit,always -S open -F auid>=500 -F perm=wa
To record requests for write or for file attribute change access to the
/etc/sudoers file and tag each such record with the
key string sudoers-change, add the following line:
-w /etc/sudoers -p wa -k sudoers-change
To record requests for write and for file attribute change access to any file
in the /etc directory hierarchy, add the following line:
-w /etc/ -p wa
To lock the audit configuration so that any further change to it requires a reboot, add the following line:
-e 2
Note:
Placing the lock rule at the end of the
/etc/audit/audit.rules file, so that the configuration is locked only after all other
rules have been loaded, is considered good security
practice.
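As an added example that is not part of this documentation, the following Python script parses lines written in the auditctl option format shown above and lints them the way a reviewer would before loading the file: it confirms that the -e 2 lock rule is the last line (rules after it cannot be loaded) and that file watches carry a -k key. The sample rules are constructed from the examples on this page; the function names are this example's own.

```python
import shlex
from typing import Dict, List

# Constructed sample rules file, assembled from the rules shown on this page.
SAMPLE_RULES = """\
-a exit,always -S open -S truncate -F /etc -F success=0
-a exit,always -S open -F uid=10
-a exit,always -S open -F auid>=500 -F perm=wa
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-e 2
"""


def parse_rule(line: str) -> Dict:
    """Turn one audit.rules line (auditctl options) into a dict of its parts."""
    rule = {"type": None, "syscalls": [], "filters": [], "path": None,
            "perms": None, "key": None, "enable": None}
    toks = shlex.split(line)
    for i in range(0, len(toks), 2):
        opt, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-a":          # syscall rule: list,action (e.g. exit,always)
            rule["type"], rule["list_action"] = "syscall", arg
        elif opt == "-S":        # system call name, may repeat
            rule["syscalls"].append(arg)
        elif opt == "-F":        # field filter such as uid=10 or success=0
            rule["filters"].append(arg)
        elif opt == "-w":        # file or directory watch
            rule["type"], rule["path"] = "watch", arg
        elif opt == "-p":        # watched permissions, e.g. wa
            rule["perms"] = arg
        elif opt == "-k":        # key used to tag and search the records
            rule["key"] = arg
        elif opt == "-e":        # control rule: enable/lock flag
            rule["type"], rule["enable"] = "control", int(arg)
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule


def lint_rules(text: str) -> List[str]:
    """Return findings that should be resolved before the file is loaded."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    for idx, r in enumerate(rules):
        if r["type"] == "control" and r["enable"] == 2 and idx != len(rules) - 1:
            findings.append("-e 2 is not the last rule; rules after it will not load")
        if r["type"] == "watch" and r["key"] is None:
            findings.append(f"watch on {r['path']} has no -k key; events are harder to search")
    if not any(r["type"] == "control" and r["enable"] == 2 for r in rules):
        findings.append("no -e 2 lock rule; audit configuration can be changed at runtime")
    return findings
```

Running lint_rules(SAMPLE_RULES) reports only the keyless watch on /etc/, since the lock rule is already last.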
For more examples of audit rules, see also the auditctl(8) and
audit.rules(7) manual pages.