{"description": "The <tt>auditd</tt> program can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing list <i>linux-audit@redhat.com</i> exists\nto facilitate community discussion of the auditing system.\n<br /><br />\nThe audit subsystem supports extensive collection of events, including:\n<br />\n<ul>\n<li>Tracing of arbitrary system calls (identified by name or number)\non entry or exit.</li>\n<li>Filtering by PID, UID, call success, system call argument (with\nsome limitations), etc.</li>\n<li>Monitoring of specific files for modifications to the file's\ncontents or metadata.</li>\n</ul>\n<br />\nAuditing rules at startup are controlled by the file <tt>/etc/audit/audit.rules</tt>.\nAdd rules to it to meet the auditing requirements for your organization.\nOn systems where the <tt>auditd</tt> service loads its rules through\n<tt>augenrules</tt>, <tt>/etc/audit/audit.rules</tt> is regenerated at startup from\nthe files in <tt>/etc/audit/rules.d/</tt>, so place rules there rather than\nediting the generated file directly.\nEach line in <tt>/etc/audit/audit.rules</tt> is a set of arguments to\n<tt>auditctl</tt>; a single line can be tested at runtime by passing it to\n<tt>auditctl</tt> directly, and the rules currently loaded can be listed with\n<tt>auditctl -l</tt>. Once the immutable flag (<tt>-e 2</tt>) has been set, further\nrule changes are rejected, so that line must be the last one in the file.\nSee documentation in <tt>/usr/share/doc/audit-<i>VERSION</i></tt> and\nin the related man pages for more details.\n<br /><br />\nIf copying any example audit rulesets from <tt>/usr/share/doc/audit-VERSION</tt>,\nbe sure to comment out the\nlines containing <tt>arch=</tt> that are not appropriate for your system's\narchitecture. 
Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.\n<br /><br />\nAfter reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:\n<pre>$ sudo service auditd restart</pre>", "warnings": [], "requires": [], "conflicts": [], "values": ["var_audit_failure_mode"], "groups": ["audit_dac_actions", "audit_execution_acl_commands", "audit_execution_selinux_commands", "audit_file_deletion_events", "audit_file_modification", "audit_kernel_module_loading", "audit_login_events", "audit_privileged_commands", "audit_time_rules"], "rules": ["audit_rules_continue_loading", "audit_rules_enable_syscall_auditing", "audit_rules_etc_cron_d", "audit_rules_etc_group_open", "audit_rules_etc_group_open_by_handle_at", "audit_rules_etc_group_openat", "audit_rules_etc_gshadow_open", "audit_rules_etc_gshadow_open_by_handle_at", "audit_rules_etc_gshadow_openat", "audit_rules_etc_passwd_open", "audit_rules_etc_passwd_open_by_handle_at", "audit_rules_etc_passwd_openat", "audit_rules_etc_shadow_open", "audit_rules_etc_shadow_open_by_handle_at", "audit_rules_etc_shadow_openat", "audit_rules_immutable", "audit_rules_immutable_login_uids", "audit_rules_mac_modification", "audit_rules_mac_modification_etc_apparmor", "audit_rules_mac_modification_etc_apparmor_d", "audit_rules_mac_modification_etc_selinux", "audit_rules_mac_modification_usr_share", "audit_rules_media_export", "audit_rules_networkconfig_modification", "audit_rules_networkconfig_modification_etc_hosts", "audit_rules_networkconfig_modification_etc_issue", "audit_rules_networkconfig_modification_etc_issue_net", "audit_rules_networkconfig_modification_etc_networkmanager_system_connections", "audit_rules_networkconfig_modification_etc_sysconfig_network", "audit_rules_networkconfig_modification_hostname_file", "audit_rules_networkconfig_modification_network_scripts", 
"audit_rules_networkconfig_modification_networkmanager", "audit_rules_networkconfig_modification_setdomainname", "audit_rules_networkconfig_modification_sethostname", "audit_rules_session_events", "audit_rules_session_events_btmp", "audit_rules_session_events_utmp", "audit_rules_session_events_wtmp", "audit_rules_sudoers", "audit_rules_sudoers_d", "audit_rules_suid_auid_privilege_function", "audit_rules_suid_privilege_function", "audit_rules_sysadmin_actions", "audit_rules_system_shutdown", "audit_rules_usergroup_modification", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_nsswitch_conf", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_pam_conf", "audit_rules_usergroup_modification_pamd", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_shadow", "audit_rules_var_log_journal", "audit_rules_var_spool_cron", "audit_sudo_log_events", "directory_access_var_log_audit", "directory_group_ownership_var_log_audit", "directory_ownership_var_log_audit", "directory_permissions_var_log_audit", "file_group_ownership_var_log_audit", "file_group_ownership_var_log_audit_stig", "file_groupownership_audit_configuration", "file_ownership_audit_configuration", "file_ownership_var_log_audit", "file_ownership_var_log_audit_stig", "file_permissions_audit_configuration", "file_permissions_var_log_audit", "file_permissions_var_log_audit_stig"], "platform": "package[audit]", "platforms": ["package[audit]"], "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_audit"], "title": "Configure auditd Rules for Comprehensive Auditing", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/group.yml"}
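The description above asks for two manual steps before restarting auditd: disabling the <tt>arch=</tt> rules that do not apply to the machine, and reviewing the rule file as a list of <tt>auditctl</tt> argument sets. The following script is an added example (not part of the SCAP Security Guide and not taken from the audit package's documentation) that performs those checks offline on a rules file, so it runs on a host without the audit package installed. The sample rules file is constructed for the example, and the <tt>uname -m</tt> to audit-ABI mapping in <tt>allowed_archs</tt> is an assumption to adjust to the ABIs your kernel actually supports.

```shell
#!/bin/sh
# Added example: offline checks for an audit.rules file. Nothing here calls
# auditctl, so it runs on a machine without the audit package installed.
set -u

# Constructed sample rules file in the layout described above: each line is a
# set of auditctl arguments. It is not copied from /usr/share/doc/audit-*.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES" "$SAMPLE_RULES".*' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
## Constructed sample audit.rules (example data, not from the audit package)
-D
-b 8192
-f 1
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday -F key=time-change
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid
-e 2
EOF

# Assumed mapping from uname -m to the audit ABIs worth loading. x86_64
# kernels normally run 32-bit binaries too, so both ABIs are kept there;
# other 64-bit platforms are assumed to need only b64. Adjust as needed.
allowed_archs() {
    case "${1:-$(uname -m)}" in
        x86_64)               echo "b64 b32" ;;
        i?86)                 echo "b32" ;;
        aarch64|ppc64*|s390x) echo "b64" ;;
        *)                    echo "b64" ;;
    esac
}

# Print FILE with every rule whose -F arch=... value is not in the ALLOWED
# list commented out; this is the manual step the guide asks for.
select_arch_rules() {
    file=$1; shift
    awk -v allowed=" $* " '
        /^[ \t]*#/ || !/arch=/ { print; next }
        {
            match($0, /arch=[A-Za-z0-9_]+/)
            abi = substr($0, RSTART + 5, RLENGTH - 5)
            if (index(allowed, " " abi " ") > 0) print
            else print "## disabled, arch " abi " not supported here: " $0
        }' "$file"
}

# Count active (uncommented) rule lines in FILE.
count_active_rules() {
    awk '/^[ \t]*-/ { n++ } END { print n + 0 }' "$1"
}

# Exit 0 if no rule follows "-e 2". Once the immutable flag is set every
# later auditctl call is rejected, so rules after it would never load.
immutable_is_last() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        locked { bad = 1 }
        /^[ \t]*-e[ \t]+2([ \t]|$)/ { locked = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# Print the auditctl invocations FILE would produce, one per line, without
# running them: each rules line is just auditctl arguments.
dry_run() {
    awk '/^[ \t]*-/ { sub(/^[ \t]*/, ""); print "auditctl " $0 }' "$1"
}

# Usage: filter for the running machine, then sanity-check the result.
ARCHS=$(allowed_archs)
select_arch_rules "$SAMPLE_RULES" $ARCHS > "$SAMPLE_RULES.filtered"
if immutable_is_last "$SAMPLE_RULES.filtered"; then
    echo "ok: $(count_active_rules "$SAMPLE_RULES.filtered") active rules, -e 2 is last"
else
    echo "error: rules follow -e 2 and would never load" >&2
fi
dry_run "$SAMPLE_RULES.filtered"
```

Run the filtered output through <tt>auditctl -R</tt> on a test host, or load it line by line with <tt>auditctl</tt> as the description suggests, and compare against <tt>auditctl -l</tt> before restarting the service; the dry run is only a preview of what will be executed.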