搜索

此内容没有您所选择的语言版本。

7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File

download PDF
To define Audit rules that are persistent across reboots, you must include them in the /etc/audit/audit.rules file. This file uses the same auditctl command line syntax to specify the rules. Any empty lines or any text following a hash sign (#) is ignored.
The auditctl command can also be used to read rules from a specified file with the -R option, for example:
~]# auditctl -R /usr/share/doc/audit-version/stig.rules

Defining Control Rules

A file can contain only the following control rules that modify the behavior of the Audit system: -b, -D, -e, -f, and -r. For more information on these options, see the section called “Defining Control Rules”.

Example 7.3. Control rules in audit.rules

# Delete all previous rules
-D

# Set buffer size
-b 8192

# Make the configuration immutable -- reboot is required to change audit rules
-e 2

# Panic when a failure occurs
-f 2

# Generate at most 100 audit messages per second
-r 100

Defining File System and System Call Rules

File system and system call rules are defined using the auditctl syntax. The examples in Section 7.5.1, “Defining Audit Rules with the auditctl Utility” can be represented with the following rules file:

Example 7.4. File system and system call rules in audit.rules

-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

Preconfigured Rules Files

In the /usr/share/doc/audit-version/ directory, the audit package provides a set of pre-configured rules files according to various certification standards:
  • nispom.rules — Audit rule configuration that meets the requirements specified in Chapter 8 of the National Industrial Security Program Operating Manual.
  • capp.rules — Audit rule configuration that meets the requirements set by Controlled Access Protection Profile (CAPP), which is a part of the Common Criteria certification.
  • lspp.rules — Audit rule configuration that meets the requirements set by Labeled Security Protection Profile (LSPP), which is a part of the Common Criteria certification.
  • stig.rules — Audit rule configuration that meets the requirements set by Security Technical Implementation Guides (STIG).
To use these configuration files, create a backup of your original /etc/audit/audit.rules file and copy the configuration file of your choice over the /etc/audit/audit.rules file:
~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.