From fd03550606296a8cf8e5ca1f56f7fe416da4b62d Mon Sep 17 00:00:00 2001
From: Mohamed LAKRI
Date: Sat, 16 Nov 2024 22:48:29 +0100
Subject: [PATCH] Update audit.rules

Hi, I have added monitoring for the execution of binaries used to read files. The current configuration only logs the reading of predefined files, such as /etc/passwd (except for actions performed by the root user). For example, if we have a sensitive file located in a directory like /opt/CustomApp/Sensitive.conf, I believe the current configuration does not log this action.
---
 audit.rules | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/audit.rules b/audit.rules
index f71bf7c..44f01ef 100644
--- a/audit.rules
+++ b/audit.rules
@@ -787,6 +787,15 @@
 -w /bin/sh -p x -k susp_shell
 -w /bin/ksh -p x -k susp_shell
+## Files viewers for potentially sensitive files
+-w /usr/bin/cat -p x -k sensitive_file_access
+-w /usr/bin/tac -p x -k sensitive_file_access
+-w /usr/bin/less -p x -k sensitive_file_access
+-w /usr/bin/more -p x -k sensitive_file_access
+-w /usr/bin/tail -p x -k sensitive_file_access
+-w /usr/bin/head -p x -k sensitive_file_access
+-w /usr/bin/nl -p x -k sensitive_file_access
+
 ## Root command executions
 -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
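Review bot: The seven `-w /usr/bin/... -p x` watches fire on every execution of cat/tac/less/more/tail/head/nl by any user, including root, cron jobs and package scripts, so the key `sensitive_file_access` will be dominated by events that have nothing to do with sensitive files, and the file actually read is only recoverable by parsing the EXECVE argument record. A `-w` watch cannot carry extra filters, but the equivalent `-a` form used elsewhere in this file can, e.g. `-a always,exit -F arch=b64 -F path=/usr/bin/cat -F perm=x -F auid>=1000 -F auid!=-1 -k sensitive_file_access`, which at least drops daemon and unattributed activity; the same applies to the other six lines. For the goal stated in the description, a read watch on the asset itself, `-w /opt/CustomApp/Sensitive.conf -p r -k sensitive_file_access` (or on its directory), records every reader rather than only these seven viewers and should be recommended in the comment line above the block. The hunk's trailing context appears to continue past the visible excerpt, and whether `/usr/bin` matches the `/bin` convention of the neighbouring `susp_shell` watches on non-merged-/usr systems is worth confirming.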