What are the recommended Audit Policy settings for Windows & Linux?
Recommended Windows & Linux security audit checklist guide - Audit Policy settings for PCI DSS and other compliance standards
The use of the audit policy to generate audit logs is an essential best practice for compliance and security. It’s vital to get expert advice, not just to make sure you are getting all the audit events needed, but also to know where to stop to avoid an event log tsunami. Simply enabling all audit policy subcategories for all categories in the Advanced Audit Policy Configuration will burn up disk space and normalization resources on your SIEM system quicker than you can say 'How many Terabytes?!'
NNT have put together the following audit policies based on expert guidance from Microsoft, Red Hat, the Center for Internet Security, Oracle, SUSE and our experienced PCI QSA/Security Auditor partners.
To enable logging of all relevant security events to underpin your security policy, it is necessary to configure the audit.rules files or the local security policy for the server/workstation. Get started now by selecting one of the audit policy specifications detailed below for some of today’s most popular platforms.
Download the GPO template file for direct import and deployment via Active Directory
Windows Server 2012R2
For a full overview on using any of these Audit Policy GPO files or the other NNT Remediation Kit content available, take a look at the notes and recorded demo HERE»
IMPORTANT! Make sure that the Advanced Audit Policy Subcategory Settings are not over-written by the application of Standard Audit Policy settings by configuring the 'Audit: Force Audit Policy Subcategory Settings (Windows Vista or later) to Override Audit Policy Category Settings' to 'Enable'
Audit Policies
Server 2019 – Audit Policy for PCI Compliance
Account Management
Audit Policy: Account Management: Audit Application Group Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Computer Account Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Distribution Group Management is set to 'Success and Failure' (DC only)
Audit Policy: Account Management: Audit Other Account Management Events is set to include 'Success' (DC only)
Audit Policy: Account Management: Audit Security Group Management is set to include 'Success'
Audit Policy: Account Management: Audit User Account Management is set to 'Success and Failure'
Detailed Tracking
Audit Policy: Detailed Tracking: Audit PNP Activity to 'Success'
Audit Policy: Detailed Tracking: Audit Process Creation to 'Success'
Logon/Logoff
Audit Policy: Logon/Logoff: Audit Account Lockout to 'Success, Failure'
Audit Policy: Logon/Logoff: Audit Group Membership to 'Success'
Audit Policy: Logon/Logoff: Audit Logoff to 'Success'
Audit Policy: Logon/Logoff: Audit Logon to 'Success, Failure'
Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events to 'Success, Failure'
Audit Policy: Logon/Logoff: Audit Special Logon to 'Success'
Policy Change
Audit Policy: Policy Change: Audit Audit Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit Authentication Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit Authorization Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit MPSSVC Rule-Level Policy Change is set to 'Success and Failure'
Audit Policy: Policy Change: Audit Other Policy Change Events is set to include 'Failure'
System
Audit Policy: System: Audit IPsec Driver is set to 'Success and Failure'
Audit Policy: System: Audit Other System Events is set to 'Success and Failure'
Audit Policy: System: Audit Security State Change is set to include 'Success'
Audit Policy: System: Audit Security System Extension is set to include 'Success'
Audit Policy: System: Audit System Integrity is set to 'Success and Failure'
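As an added, worked check for the lists above (example code written for this page, not NNT's or Microsoft's tooling): the Python below parses the CSV that auditpol /get /category:* /r writes (assumed column layout: Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting), compares each subcategory with the Server 2019 requirements transcribed from the list, treating "is set to" as an exact match and "is set to include" as an at-least match, and separately reports whether the SCENoApplyLegacyAuditPolicy registry value that the 'Force Audit Policy Subcategory Settings' setting writes under the Lsa key is 1. The export, hostname and GUID placeholders are constructed sample data.

```python
"""Compare an exported Windows audit policy with the Server 2019 list above.

Added example, not NNT's code. It assumes the CSV layout produced by
`auditpol /get /category:* /r` (Machine Name, Policy Target, Subcategory,
Subcategory GUID, Inclusion Setting, Exclusion Setting) and a dict of values
read from HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa.
"""
import csv
import io

# Requirements transcribed from the Server 2019 list. "exact" means the
# subcategory must audit exactly that set of outcomes; "include" means the
# current setting must cover at least those outcomes, so 'Success and
# Failure' satisfies an "include 'Success'" line. DC-only lines are omitted.
REQUIRED = {
    "Application Group Management": ("exact", {"Success", "Failure"}),
    "Computer Account Management": ("exact", {"Success", "Failure"}),
    "Security Group Management": ("include", {"Success"}),
    "User Account Management": ("exact", {"Success", "Failure"}),
    "Process Creation": ("exact", {"Success"}),
    "Account Lockout": ("exact", {"Success", "Failure"}),
    "Logon": ("exact", {"Success", "Failure"}),
    "Logoff": ("exact", {"Success"}),
    "Special Logon": ("exact", {"Success"}),
    "Audit Policy Change": ("include", {"Success"}),
    "Authentication Policy Change": ("include", {"Success"}),
    "IPsec Driver": ("exact", {"Success", "Failure"}),
    "Security State Change": ("include", {"Success"}),
    "System Integrity": ("exact", {"Success", "Failure"}),
}

def outcomes(setting):
    """Map an auditpol 'Inclusion Setting' string to the set of audited outcomes."""
    s = setting.strip()
    if s == "No Auditing":
        return set()
    if s == "Success and Failure":
        return {"Success", "Failure"}
    if s in ("Success", "Failure"):
        return {s}
    raise ValueError(f"unrecognised auditpol setting: {setting!r}")

def parse_auditpol_csv(text):
    """Parse the /r CSV export into {subcategory: set of audited outcomes}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"].strip(): outcomes(row["Inclusion Setting"]) for row in reader}

def check_policy(current, required=REQUIRED):
    """Return (subcategory, problem) tuples; an empty list means compliant."""
    findings = []
    for sub, (mode, wanted) in required.items():
        if sub not in current:
            findings.append((sub, "missing from export"))
            continue
        have = current[sub]
        if mode == "exact" and have != wanted:
            findings.append((sub, f"is {sorted(have)}, must be exactly {sorted(wanted)}"))
        elif mode == "include" and not wanted <= have:
            findings.append((sub, f"is {sorted(have)}, must include {sorted(wanted)}"))
    return findings

def legacy_override_enabled(lsa_values):
    """The 'Force Audit Policy Subcategory Settings ... Override' setting from
    the IMPORTANT note above sets SCENoApplyLegacyAuditPolicy to 1."""
    return lsa_values.get("SCENoApplyLegacyAuditPolicy") == 1

# Constructed sample export (hostname and GUIDs are placeholders, not real)
SAMPLE_EXPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Application Group Management,{GUID},Success and Failure,
SRV01,System,Computer Account Management,{GUID},Success and Failure,
SRV01,System,Security Group Management,{GUID},Success and Failure,
SRV01,System,User Account Management,{GUID},Success and Failure,
SRV01,System,Process Creation,{GUID},No Auditing,
SRV01,System,Account Lockout,{GUID},Success and Failure,
SRV01,System,Logon,{GUID},Success,
SRV01,System,Logoff,{GUID},Success,
SRV01,System,Special Logon,{GUID},Success,
SRV01,System,Audit Policy Change,{GUID},Success,
SRV01,System,Authentication Policy Change,{GUID},Success and Failure,
SRV01,System,IPsec Driver,{GUID},Success and Failure,
SRV01,System,Security State Change,{GUID},Success,
"""

if __name__ == "__main__":
    for sub, problem in check_policy(parse_auditpol_csv(SAMPLE_EXPORT)):
        print(f"{sub}: {problem}")
    print("subcategory override enabled:", legacy_override_enabled({"SCENoApplyLegacyAuditPolicy": 1}))
```

On a real host, save the output of auditpol /get /category:* /r to a file and pass its contents to parse_auditpol_csv; the REQUIRED table is the only part that changes for the Server 2016, 2012R2 or Windows 10 lists.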
Server 2016 – Audit Policy for PCI Compliance
Account Management
Audit Policy: Account Management: Audit Application Group Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Computer Account Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Distribution Group Management is set to 'Success and Failure' (DC only)
Audit Policy: Account Management: Audit Other Account Management Events is set to include 'Success and Failure' (DC only)
Audit Policy: Account Management: Audit Security Group Management is set to include 'Success and Failure'
Audit Policy: Account Management: Audit User Account Management is set to 'Success and Failure'
Detailed Tracking
Audit Policy: Detailed Tracking: Audit PNP Activity to 'Success'
Audit Policy: Detailed Tracking: Audit Process Creation to 'Success'
Logon/Logoff
Audit Policy: Logon/Logoff: Audit Directory Service Access is set to 'Success and Failure' (DC only)
Audit Policy: Logon/Logoff: Audit Directory Service Changes is set to 'Success and Failure' (DC only)
Audit Policy: Logon/Logoff: Audit Account Lockout is set to include 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Group Membership is set to include 'Success'
Audit Policy: Logon/Logoff: Audit Logoff is set to include 'Success'
Audit Policy: Logon/Logoff: Audit Logon is set to 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events is set to 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Special Logon is set to include 'Success'
Object Access
Audit Policy: Object Access: Audit Other Object Access Events is set to 'Success and Failure'
Audit Policy: Object Access: Audit Removable Storage is set to 'Success and Failure'
Policy Change
Audit Policy: Policy Change: Audit Audit Policy Change is set to include 'Success and Failure'
Audit Policy: Policy Change: Audit Authentication Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit Authorization Policy Change is set to include 'Success'
System
Audit Policy: System: Audit IPsec Driver to 'Success, Failure'
Audit Policy: System: Audit Other System Events to 'Success, Failure'
Audit Policy: System: Audit Security State Change to 'Success'
Audit Policy: System: Audit Security System Extension to 'Success, Failure'
Audit Policy: System: Audit System Integrity to 'Success, Failure'
Server 2012R2 – Audit Policy for PCI Compliance
Account Management
Audit Policy: Account Management: Audit Application Group Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Computer Account Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Distribution Group Management is set to 'Success and Failure' (DC only)
Audit Policy: Account Management: Audit Other Account Management Events is set to include 'Success and Failure'
Audit Policy: Account Management: Audit Security Group Management is set to include 'Success and Failure'
Audit Policy: Account Management: Audit User Account Management is set to 'Success and Failure'
Detailed Tracking
Audit Policy: Detailed Tracking: Audit Process Creation is set to include 'Success'
DS Access
Audit Policy: Logon/Logoff: Audit Directory Service Access is set to 'Success and Failure' (DC only)
Audit Policy: Logon/Logoff: Audit Directory Service Changes is set to 'Success and Failure' (DC only)
Logon/Logoff
Audit Policy: Logon/Logoff: Audit Account Lockout is set to include 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Logoff is set to include 'Success'
Audit Policy: Logon/Logoff: Audit Logon is set to 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events is set to 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Special Logon is set to include 'Success'
Object Access
Audit Policy: Object Access: Audit Other Object Access Events is set to 'Success and Failure'
Audit Policy: Object Access: Audit Removable Storage is set to 'Success and Failure'
Policy Change
Audit Policy: Policy Change: Audit Audit Policy Change is set to include 'Success and Failure'
Audit Policy: Policy Change: Audit Authentication Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit Authorization Policy Change is set to include 'Success'
System
Audit Policy: System: Audit IPsec Driver to 'Success, Failure'
Audit Policy: System: Audit Other System Events to 'Success, Failure'
Audit Policy: System: Audit Security State Change to 'Success'
Audit Policy: System: Audit Security System Extension to 'Success, Failure'
Audit Policy: System: Audit System Integrity to 'Success, Failure'
Windows 10 (1809) – Audit Policy for PCI Compliance
Account Management
Audit Policy: Account Management: Audit Application Group Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Computer Account Management is set to 'Success and Failure'
Audit Policy: Account Management: Audit Security Group Management is set to include 'Success'
Audit Policy: Account Management: Audit User Account Management is set to 'Success and Failure'
Detailed Tracking
Audit Policy: Detailed Tracking: Audit PNP Activity to 'Success'
Audit Policy: Detailed Tracking: Audit Process Creation to 'Success'
Logon/Logoff
Audit Policy: Logon/Logoff: Audit Account Lockout is set to include 'Failure'
Audit Policy: Logon/Logoff: Audit Group Membership is set to include 'Success'
Audit Policy: Logon/Logoff: Audit Logoff is set to include 'Success'
Audit Policy: Logon/Logoff: Audit Logon is set to 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events is set to 'Success and Failure'
Audit Policy: Logon/Logoff: Audit Special Logon is set to include 'Success'
Object Access
Audit Policy: Object Access: Audit Detailed File Share is set to include 'Failure'
Audit Policy: Object Access: Audit File Share is set to 'Success and Failure'
Audit Policy: Object Access: Audit Other Object Access Events is set to 'Success and Failure'
Audit Policy: Object Access: Audit Removable Storage is set to 'Success and Failure'
Policy Change
Audit Policy: Policy Change: Audit Audit Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit Authentication Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit Authorization Policy Change is set to include 'Success'
Audit Policy: Policy Change: Audit MPSSVC Rule-Level Policy Change is set to 'Success and Failure'
Audit Policy: Policy Change: Audit Other Policy Change Events is set to include 'Failure'
System
Audit Policy: System: Audit IPsec Driver is set to 'Success and Failure'
Audit Policy: System: Audit Other System Events is set to 'Success and Failure'
Audit Policy: System: Audit Security State Change is set to include 'Success'
Audit Policy: System: Audit Security System Extension is set to include 'Success'
Audit Policy: System: Audit System Integrity is set to 'Success and Failure'
Windows 2008,2003,XP – Audit Policy for PCI Compliance
- Account Logon Events – Success and Failure
- Account Management Events – Success and Failure
- Directory Service Access Events – Failure *
- Logon Events – Success and Failure
- Object Access Events – Success and Failure **
- Policy Change Events – Success and Failure
- Privilege Use Events - Failure
- Process Tracking – No Auditing ***
- System Events – Success and Failure ****
* Directory Service Access Events available on a Domain Controller only
** Object Access – Used in conjunction with Folder and File Auditing. Auditing Failures reveals attempted access to forbidden secure objects, which may indicate an attempted security breach. Auditing Success provides an audit trail of all access to secured data, for example card data in a settlement/transaction file or folder.
Note: when using Server 2008/Win7 or later, there is an 'Advanced Audit Policy Configuration' option available which allows more precise application of auditing of Object Access events and is useful in eliminating unwanted events. If available, enable the 'Audit File System' option only for Success, and optionally Failure, but leave other settings as 'Not Configured'.
*** Process Tracking – not recommended as this will generate a large number of events. Better to use a specialized whitelisting/blacklisting technology such as NNT Remote Angel.
**** System Events – Not required for PCI DSS compliance but often used to provide additional 'added value' from a PCI DSS initiative, giving early warning of hardware problems and so pre-empting system failures.
Download the NNT Audit Policy Wizard file for direct execution on your host, or for mass deployment using Puppet, automatically configure an auditor-ready audit policy.
Audit Policies
RedHat Enterprise Linux / CentOS Linux Audit Policy Additional Notes
Ensure auditd Service is Enabled
Ensure auditd service is enabled: Run the following command:
For Version 8, # systemctl --now enable auditd
For Version 7, # systemctl enable auditd
For Version 6, # chkconfig auditd on
Audit Log Size
Configure maximum audit log storage size: Edit auditd.conf, for example: vi /etc/audit/auditd.conf
Add/edit the line
max_log_file = <MB>
where <MB> is the maximum audit log size in megabytes
Audit Log Actions
Configure actions for when the audit log is full: Edit auditd.conf, for example: vi /etc/audit/auditd.conf
Add/edit the lines
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
Audit Log Retention
Configure what happens when an audit log reaches its maximum size: Edit auditd.conf, for example: vi /etc/audit/auditd.conf
Add/edit the line
max_log_file_action = keep_logs
so that a full log is rotated and no old logs are deleted
Audit All Processes
Ensure auditing for processes that start prior to auditd is enabled: Edit /etc/default/grub, for example: vi /etc/default/grub
Add/edit the line (appending audit=1 to any kernel parameters already present)
GRUB_CMDLINE_LINUX="audit=1"
Then update the grub2 configuration by running the following command:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Ensure Audit Configuration is Immutable
Ensure the audit configuration is immutable: Add the following rules to an audit policy file, for example: vi /etc/audit/rules.d/audit.rules
-e 2
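An added example (written for this page, not NNT's code) that checks the settings from the Audit Log Size, Audit Log Actions, Audit Log Retention, Audit All Processes and immutable-configuration steps above. It works on file contents passed in as strings; the auditd.conf, rules and /etc/default/grub fragments at the bottom are constructed, and on a real host you would read /etc/audit/auditd.conf, the rules file(s) and /etc/default/grub into those strings.

```python
"""Check the auditd settings described above: auditd.conf values, the
immutable flag (-e 2) in the rules, and audit=1 on the kernel command line.

Added example, not NNT's code. All functions take file contents as strings
so the checks run offline against the constructed samples below.
"""
import re
import shlex

def parse_auditd_conf(text):
    """auditd.conf is one 'key = value' per line; '#' starts a comment.
    auditd matches keys case-insensitively, so they are lower-cased here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

# Values from the Audit Log Actions and Audit Log Retention steps above.
REQUIRED_CONF = {
    "space_left_action": "email",
    "action_mail_acct": "root",
    "admin_space_left_action": "halt",
    "max_log_file_action": "keep_logs",
}

def check_auditd_conf(conf):
    """Return a list of problems; an empty list means the conf matches."""
    problems = []
    for key, wanted in REQUIRED_CONF.items():
        have = conf.get(key)
        if have is None:
            problems.append(f"{key} is not set (want {wanted})")
        elif have.lower() != wanted:
            problems.append(f"{key} is {have!r}, want {wanted!r}")
    size = conf.get("max_log_file", "")
    if not size.isdigit() or int(size) == 0:
        problems.append("max_log_file must be set to a size in MB")
    return problems

def immutable_flag(rules_text):
    """Value of the last '-e' control line in the rules, or None if absent.
    auditctl applies lines in order, so a later '-e 1' would undo '-e 2'."""
    value = None
    for raw in rules_text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        if len(tokens) >= 2 and tokens[0] == "-e":
            value = int(tokens[1])
    return value

def grub_audit_enabled(grub_default_text):
    """True if GRUB_CMDLINE_LINUX in /etc/default/grub carries audit=1."""
    m = re.search(r'^\s*GRUB_CMDLINE_LINUX\s*=\s*"([^"]*)"', grub_default_text, re.M)
    return bool(m) and "audit=1" in m.group(1).split()

# Constructed samples (not taken from a real host)
SAMPLE_CONF = """\
# constructed auditd.conf fragment
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left_action = email
action_mail_acct = root
admin_space_left_action = SUSPEND
"""
SAMPLE_RULES = "-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n-e 2\n"
SAMPLE_GRUB = 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet audit=1"\n'

if __name__ == "__main__":
    for problem in check_auditd_conf(parse_auditd_conf(SAMPLE_CONF)):
        print("auditd.conf:", problem)
    print("immutable flag:", immutable_flag(SAMPLE_RULES))
    print("audit=1 on kernel command line:", grub_audit_enabled(SAMPLE_GRUB))
```

The sample conf deliberately has max_log_file_action and admin_space_left_action at values other than the ones recommended above, so the check reports exactly those two lines; immutable_flag reads the last -e directive rather than the first because a later line in the same file would override an earlier one.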
General Notes
Ensure rsyslog Service is enabled: Run the following command:
For Version 8, # systemctl --now enable rsyslog
For Version 7, # systemctl enable rsyslog
For Version 6, # chkconfig rsyslog on
Note: Once configuration changes have been made to /etc/audit/audit.rules, the auditd configuration must be reloaded:
# service auditd reload
CentOS Linux 7 Audit Policy For Compliance
Date and Time
Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
User/Group
Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
Mandatory Access Controls
Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Ensure login and logout events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Session Initiation
Ensure session initiation information is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Use Of Privileged Commands
Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
Run the following command, replacing <partition> with each partition where programs can be executed from on your system:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }'
Then add all resulting lines to the /etc/audit/rules.d/privileged.rules file. Example:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' >> /etc/audit/rules.d/privileged.rules
Successful File System Mounts
Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
System Administration Scope
Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
System Administrator Actions
Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
CentOS Linux 6 Audit Policy For Compliance
Date and Time
Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
User/Group
Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
Mandatory Access Controls
Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Ensure login and logout events are collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Session Initiation
Ensure session initiation information is collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Use Of Privileged Commands
Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Successful File System Mounts
Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
System Administration Scope
Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
System Administrator Actions
Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
RHEL 8 Audit Policy For Compliance
Date and Time
Ensure events that modify date and time information are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/time-change.rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
User/Group
Ensure events that modify user/group information are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/identity.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Ensure events that modify the system's network environment are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/system-locale.rules
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
Mandatory Access Controls
Ensure events that modify the system's Mandatory Access Controls are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/MAC-policy.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Ensure login and logout events are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/audit.rules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Session Initiation
Ensure session initiation information is collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/logins.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Ensure discretionary access control permission modification events are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/perm_mod.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Ensure unsuccessful unauthorized file access attempts are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/access.rules
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Use Of Privileged Commands
Ensure use of privileged commands is collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/privileged.rules
Run the following command, replacing <partition> with each partition where programs can be executed from on your system:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'
Then add all resulting lines to the /etc/audit/rules.d/privileged.rules file. Example:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }' >> /etc/audit/rules.d/privileged.rules
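The find | awk pipeline above (in both its CentOS 7 form and the RHEL 8 form that looks up UID_MIN) emits one rule per setuid/setgid program. The Python below is an added example written for this page, not NNT's or CIS's code, that does the same job: it reads UID_MIN from /etc/login.defs text the way the RHEL 8 command does, keeps only regular files with the setuid or setgid bit (find's -perm -4000 -o -perm -2000 with -type f), stays on one filesystem like find -xdev, and prints the rule lines. The file list and login.defs fragment at the bottom are constructed; scan_partition is the piece you would point at a real partition.

```python
"""Generate '-F path=' audit rules for setuid/setgid programs.

Added example, not NNT's or CIS's code. It mirrors the find | awk pipeline
above, with the auid>= threshold taken from UID_MIN in /etc/login.defs as
the RHEL 8 variant of the command does.
"""
import os
import re
import stat

def parse_uid_min(login_defs_text, default=1000):
    """UID_MIN from /etc/login.defs; this is what the RHEL 8 awk sub-command reads."""
    m = re.search(r"^\s*UID_MIN\s+(\d+)", login_defs_text, re.M)
    return int(m.group(1)) if m else default

def is_privileged_file(mode):
    """find's -type f with -perm -4000 -o -perm -2000: a regular file carrying
    the setuid or setgid bit. Directories with setgid are excluded, as in find."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def privileged_rule(path, uid_min):
    """The rule line the awk program prints for one program."""
    return (f"-a always,exit -F path={path} -F perm=x "
            f"-F auid>={uid_min} -F auid!=4294967295 -k privileged")

def rules_for_files(entries, uid_min):
    """entries: iterable of (path, st_mode). Returns rule lines sorted by path."""
    return [privileged_rule(path, uid_min)
            for path, mode in sorted(entries) if is_privileged_file(mode)]

def scan_partition(root):
    """Yield (path, st_mode) for every file under root that lives on the same
    filesystem as root, i.e. find -xdev. Unreadable entries are skipped."""
    root_dev = os.lstat(root).st_dev

    def same_fs(path):
        try:
            return os.lstat(path).st_dev == root_dev
        except OSError:
            return False

    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if same_fs(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue

def write_privileged_rules(entries, login_defs_text):
    """Text ready to append to /etc/audit/rules.d/privileged.rules."""
    return "\n".join(rules_for_files(entries, parse_uid_min(login_defs_text))) + "\n"

# Constructed sample input: these paths and modes are made up, not scanned.
SAMPLE_LOGIN_DEFS = "# constructed fragment\nSYS_UID_MIN 201\nUID_MIN\t\t1000\nUID_MAX\t\t60000\n"
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),  # regular file, setuid: rule emitted
    ("/usr/bin/wall", 0o102555),    # regular file, setgid: rule emitted
    ("/usr/bin/ls", 0o100755),      # neither bit: no rule
    ("/usr/bin/sudo", 0o104111),    # setuid, execute-only: rule emitted
    ("/tmp/shared", 0o042775),      # setgid directory: excluded by -type f
]

if __name__ == "__main__":
    # On a real host: write_privileged_rules(scan_partition("/usr"), open("/etc/login.defs").read())
    print(write_privileged_rules(SAMPLE_ENTRIES, SAMPLE_LOGIN_DEFS), end="")
```

Keeping the filesystem walk and the rule generation in separate functions means the generation can be checked against a fixed list, and the walk can be pointed at each partition in turn, which is what the "replacing <partition>" instruction above asks for.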
Successful File System Mounts
Ensure successful file system mounts are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/mounts.rules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Ensure file deletion events by users are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/delete.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
System Administration Scope
Ensure changes to system administration scope (sudoers) are collected: Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
System Administrator Actions
Ensure system administrator actions (sudolog) are collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/scope.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Ensure kernel module loading and unloading is collected: Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules, for example: vi /etc/audit/rules.d/modules.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
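Every section on this page is phrased as "ensure the following exists" in a rules file. A plain text comparison gives false findings, because auditctl accepts the same rule in several spellings (always,exit and exit,always are equivalent, -S syscalls may be listed in any order, and -p wa equals -p aw). The following Python is an added example (not the page's own tooling or NNT's) that parses each rule into a canonical form and reports which baseline rules are absent from a deployed file. Both the baseline and the "deployed" file are constructed inline from rules shown on this page; on a real host the deployed text would be read from the files under /etc/audit/rules.d/.

```python
"""Report baseline auditd rules missing from a deployed rules file.

Added example, not the page's own tooling. Rules are compared in a canonical
form so cosmetic differences (syscall order, 'always,exit' vs 'exit,always',
permission letter order) are not reported, while a different key, auid
threshold, path or syscall set is.
"""
import shlex

# Constructed baseline: mount, delete and sudoers rules from this page.
BASELINE = """
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope
"""

# Constructed "deployed" file: the b64 mount rule uses a different action and
# filter order (equivalent), the b64 delete rule lists syscalls in another
# order (equivalent), the b32 delete rule is absent, and the sudoers watch
# carries a different key (not equivalent).
DEPLOYED = """
# mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a exit,always -F arch=b64 -F auid>=1000 -F auid!=4294967295 -S mount -k mounts
# deletes
-a always,exit -F arch=b64 -S renameat -S rename -S unlinkat -S unlink -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k sudoers
"""


def canonical(rule: str) -> tuple:
    """Parse one auditctl rule line into a hashable, order-independent form."""
    toks = shlex.split(rule)
    action = syscalls = None
    syscalls, filters = set(), set()
    watch = perms = key = None
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if arg is None:
            raise ValueError(f"option {opt!r} has no argument in rule: {rule}")
        if opt == "-a":
            action = frozenset(arg.split(","))      # always,exit == exit,always
        elif opt == "-S":
            syscalls.add(arg)
        elif opt == "-F":
            filters.add(arg.replace(" ", ""))
        elif opt == "-w":
            watch = arg
        elif opt == "-p":
            perms = "".join(sorted(arg))             # wa == aw
        elif opt == "-k":
            key = arg
        else:
            # A bare 'arch=b32' without '-F', or any unknown option, is a
            # malformed rule that auditctl would reject: fail loudly.
            raise ValueError(f"unsupported token {opt!r} in rule: {rule}")
        i += 2
    return (action, frozenset(syscalls), frozenset(filters), watch, perms, key)


def parse_rules(text: str) -> dict:
    """Map canonical form -> original line for every non-comment rule line."""
    parsed = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parsed[canonical(line)] = line
    return parsed


def missing_rules(baseline_text: str, deployed_text: str) -> list[str]:
    """Baseline rules (original text) that have no equivalent in deployed_text."""
    deployed = parse_rules(deployed_text)
    return [line for canon, line in parse_rules(baseline_text).items()
            if canon not in deployed]


if __name__ == "__main__":
    for rule in missing_rules(BASELINE, DEPLOYED):
        print("MISSING:", rule)
```

The comparison is semantic, not syntactic: it does not validate auditctl's own ordering constraints (for example that -F arch must precede -S), so a file that passes this check should still be loaded with augenrules or auditctl -R to confirm the daemon accepts it. Comparing the files on disk also says nothing about whether the rules are currently loaded; that is what auditctl -l reports.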
RHEL 7 Audit Policy For Compliance
Date and Time
Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
User/Group
Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
Mandatory Access Controls
Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Ensure login and logout events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Session Initiation
Ensure session initiation information is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Use Of Privileged Commands
Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules, one rule per setuid/setgid file, with $file replaced by that file's path
-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
Successful File System Mounts
Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
System Administration Scope
Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
System Administrator Actions
Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Ensure kernel module loading and unloading are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
RHEL 6 Audit Policy For Compliance
Date and Time
Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
User/Group
Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
Mandatory Access Controls
Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Ensure login and logout events are collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Session Initiation
Ensure session initiation information is collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Use Of Privileged Commands
Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/audit.rules, one rule per setuid/setgid file, with $file replaced by that file's path
-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Successful File System Mounts
Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
System Administration Scope
Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
System Administrator Actions
Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Ensure kernel module loading and unloading are collected - Ensure the following exists for /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Oracle Linux 7 Audit Policy For Compliance
Date and Time
Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
User/Group
Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
Mandatory Access Controls
Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Collect Login and Logout Events - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Session Initiation
Collect Session Initiation Information - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Use Of Privileged Commands
Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/rules.d/audit.rules, one rule per setuid/setgid file, with $file replaced by that file's path
-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
Successful File System Mounts
Collect Successful File System Mounts - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Collect File Deletion Events by User - Ensure the following exists for /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
System Administration Scope
Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /etc/sudoers -p wa -k scope
System Administrator Actions
Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/rules.d/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
Oracle Linux 6 Audit Policy For Compliance
Date and Time
Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
User/Group
Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
Mandatory Access Controls
Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Ensure login and logout events are collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Session Initiation
Ensure session initiation information is collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Use Of Privileged Commands
Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/audit.rules, one rule per setuid/setgid file, with $file replaced by that file's path
-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Successful File System Mounts
Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
System Administration Scope
Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
System Administrator Actions
Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Ensure kernel module loading and unloading are collected - Ensure the following exists for /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Debian Linux 8 Audit Policy For Compliance
Date and Time
Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
User/Group
Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
Mandatory Access Controls
Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Collect Login and Logout Events - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Session Initiation
Collect Session Initiation Information - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Use Of Privileged Commands
Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/audit.rules, one rule per setuid/setgid file, with $file replaced by that file's path
-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
Successful File System Mounts
Collect Successful File System Mounts - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Collect File Deletion Events by User - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
System Administration Scope
Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
System Administrator Actions
Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
Debian Linux 7 Audit Policy For Compliance
Date and Time
Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
User/Group
Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
Mandatory Access Controls
Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Collect Login and Logout Events - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Session Initiation
Collect Session Initiation Information - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Use Of Privileged Commands
Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/audit.rules, one rule per setuid/setgid file, with $file replaced by that file's path
-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
Successful File System Mounts
Collect Successful File System Mounts - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Collect File Deletion Events by User - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
System Administration Scope
Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
System Administrator Actions
Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
SUSE Linux Enterprise Server 12 Audit Policy For Compliance
Date and Time
Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
User/Group
Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/audit.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Network Environment
Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/audit.rules
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
Mandatory Access Controls
Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
Login and Logout
Collect Login and Logout Events - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Session Initiation
Collect Session Initiation Information - Ensure the following exists for /etc/audit/audit.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Discretionary Access Control
Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Unsuccessful Unauthorized File Access Attempts
Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Use Of Privileged Commands
Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
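In the rule above, $file stands for the path of one setuid/setgid program, so one rule per such program has to be written. The following script is an added example, not part of the NNT page or its remediation kit: it enumerates setuid/setgid files on locally mounted filesystems (assuming GNU df and find, as on SLES 12) and expands each path into a "privileged" rule using the same auid>=500 threshold as the rules on this page. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the NNT page): expand the "-F path=$file" template into
# one audit rule per setuid/setgid program. Function names are my own.

# gen_privileged_rules: read one absolute path per line on stdin and print one
# "privileged" audit rule per path. The auid>=500 threshold matches the SLES 12
# rules on the page; on distributions whose first regular user is UID 1000,
# change it to auid>=1000 as in the rules further up the page.
gen_privileged_rules() {
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        printf '%s\n' "-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
    done
}

# find_privileged_binaries: list setuid (4000) or setgid (2000) regular files on
# every locally mounted filesystem. Assumes GNU df (--local) and find (-xdev keeps
# each search on its own filesystem); permission errors are discarded.
find_privileged_binaries() {
    df --local -P | awk 'NR != 1 { print $6 }' | while IFS= read -r mnt; do
        find "$mnt" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
    done
}

# Usage (as root), e.g. into a rules.d fragment that augenrules merges into
# /etc/audit/audit.rules:
#   find_privileged_binaries | sort -u | gen_privileged_rules >> /etc/audit/rules.d/privileged.rules
#   augenrules --load
```

Regenerate the list after package updates: a newly installed setuid binary is not covered until a rule naming its path is loaded.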
Successful File System Mounts
Collect Successful File System Mounts - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
File Deletion Events By Users
Collect File Deletion Events by User - Ensure the following exists for /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
System Administration Scope
Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
System Administrator Actions
Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/audit.rules
-w /var/log/sudo.log -p wa -k actions
Kernel Module Loading And Unloading
Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
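Every group above ends with "Ensure the following exists for /etc/audit/audit.rules". The script below is an added example, not part of the NNT page or its remediation kit, for doing that check on a host: it compares a file of expected rules (for instance the SLES 12 rules above saved to a file) against the rules file actually deployed and prints every expected rule that is absent. Rules are normalised first so that extra whitespace or the equivalent spellings "-a exit,always" and "-a always,exit" (the page uses both, and auditctl accepts both) do not produce false alarms. The function names, the temporary file handling and the constructed demo rules are my own.

```shell
#!/bin/sh
# Added example (not from the NNT page): report expected audit rules that are
# missing from a deployed rules file. Function names are my own.

# normalize_rules: read rule lines on stdin and print them in canonical form:
# comments and blank lines dropped, whitespace collapsed, leading/trailing
# whitespace trimmed, and "-a exit,always" rewritten to "-a always,exit".
normalize_rules() {
    awk '{
        sub(/#.*$/, "")
        gsub(/[[:space:]]+/, " ")
        sub(/^ /, ""); sub(/ $/, "")
        sub(/^-a exit,always/, "-a always,exit")
        if ($0 != "") print
    }'
}

# missing_rules EXPECTED DEPLOYED: print each normalised rule from EXPECTED that
# has no exact normalised counterpart in DEPLOYED. Prints nothing when all are
# present. The deployed file is keyed by name (not NR == FNR) so that an empty
# deployed file correctly reports every expected rule as missing.
missing_rules() {
    expected_n=$(mktemp) || return 2
    deployed_n=$(mktemp) || return 2
    normalize_rules < "$1" > "$expected_n"
    normalize_rules < "$2" > "$deployed_n"
    awk -v dep="$deployed_n" '
        FILENAME == dep { seen[$0] = 1; next }
        !($0 in seen)   { print }
    ' "$deployed_n" "$expected_n"
    rm -f "$expected_n" "$deployed_n"
}

# check_rules EXPECTED DEPLOYED: succeed (exit 0) only when nothing is missing,
# so the check can drive a compliance job or a monitoring alert.
check_rules() {
    [ -z "$(missing_rules "$1" "$2")" ]
}

# Stand-alone demo on constructed rule files (run with: sh check_rules.sh demo).
# On a real host: missing_rules ./sles12-expected.rules /etc/audit/audit.rules
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' \
        '-w /etc/sudoers -p wa -k scope' \
        '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale' \
        '-w /etc/localtime -p wa -k time-change' > "$d/expected.rules"
    printf '%s\n' \
        '# constructed deployed rules: sudoers and hostname present, localtime absent' \
        '-w /etc/sudoers   -p wa -k scope' \
        '-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale' > "$d/deployed.rules"
    echo "Missing rules:"
    missing_rules "$d/expected.rules" "$d/deployed.rules"
    rm -rf "$d"
fi
```

Compare against the rules file rather than the output of auditctl -l: auditctl re-serialises loaded rules (syscalls joined with commas, -k shown as -F key=), so the text would not match line for line. On SLES 12 and other augenrules-based systems, /etc/audit/audit.rules is generated from /etc/audit/rules.d/*.rules, so a rule that is present in the file but not yet loaded also needs an augenrules --load.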