Skip to content

linux auditd services rules generate (Can be used for DevOps or information security level protection integration)

License

Notifications You must be signed in to change notification settings

ljq/gen-auditd-service-rules

Repository files navigation

app name gen-audit-rules

Linux generate auditd service rules tools Version 1.0

CN 中文文档说明

python module
The import of os, json, time

Important rules for the main configuration file auditd.conf

The maximum log file size in MB. When this capacity is reached, the actions specified by max_log_file _action are executed
# (if the file is set too small, a large number of files will be generated. You can set the appropriate size)
Max_log_file = 6

Action taken when max_log_file's log file size is reached. The values must be one of IGNORE, SYSLOG, SUSPEND, ROTATE, and KEEP_LOGS.
# IGNORE: no action will be taken if the log file reaches max_log_file.
# SYSLOG: a warning is written to system log /var/log/messages when the file size is reached.
SUSPEND: does not write an audit message to the log file after its file capacity has been reached.
# ROTATE: loops around log files as the specified file size is reached, but only a certain number of old files are saved, specified by the num_logs parameter.
The name of the old file will be audit.log.n, where N is a number. The larger the number, the older the file.
# KEEP_LOGS: the log file is looped, but the num_logs parameter is ignored, so no log files are deleted.
#
# (this configuration does not need to be moved)
Max_log_file_action = ROTATE

Configuration rules (infinite nodes)

# custom rule configuration reference instance (conf/audit_rules_conf.json) :

{
    "web01":{
        "/data/www/web":"-p rwa",
        "/data/www/vendor":"-p rwa"
    },
    "web02":{
        "/data/www/web":"-p rwa",
        "/data/www/vendor":"-p rwa"
    },
    "web03":{
        "/data/www/web":"-p rwa",
        "/data/www/vendor":"-p rwa"
    },
    "web0N":{
        "/data/www/web":"-p rwa",
        "/data/www/vendor":"-p rwa"
    },
    "system":{
        "/etc/passwd":"-k PASSWD",
        "/etc/my.conf":"-k PASSWD"
    }
    ...
}

Composition of audit rules (consolidation)

[system default rules] The conf/audit.Rules. Default

[custom rules, infinite nodes] The conf/audit_rules_conf.Json

Create rule instances (rules default -w)

APP NAME Audit Rules Created By DataTime: 2019/01/01 00:00:00

# audit rule block: web
-w /data/WWW/web -p rwa
-w /data/WWW/vendor -p rwa

Rule block: # audit system
-w /etc/my.cnf -k PASSWD
-w /etc/passwd -k passwd

Built rules file path: gen_audit_rules/audit.rules

centos 6.x path: /etc/audit/audit.rules

centos 7.x path: /etc/audit/rules.d/audit.rules

Common command tools


Auditctl: a tool for controlling the behavior of the audit daemon in real time, such as adding rules.
Aureport: a tool for viewing and generating audit reports.
Ausearch: a tool for finding audit events.
Auditspd: forwards event notifications to other applications instead of writing them to the audit log file.
Autrace: a command used to trace a process.

# the conf file:
/etc/auditd.conf: the configuration file for the auditd tool.
/etc/audit/audit.rules: files that record audit rules.

The audit log format

Time: audit time. Name: audit object CWD: current path. Syscall: the associated system call. Auid: audit user ID. Uid and gid: the user ID and user group ID that access the file. Comm: the user's command to access the file. Exe: the executable file path for the above command.

About

linux auditd services rules generate (Can be used for DevOps or information security level protection integration)

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Sponsor this project

Packages

No packages published