What are the recommended Linux hardening guide audit policy settings (CentOS, RHEL, Oracle, Solaris, Debian, Ubuntu, SUSE) when implementing logging for PCI DSS or another security standard?

Recommended Linux security audit checklist: audit policy settings for PCI DSS and other compliance standards (auditd rule configuration)

Use of the audit policy to generate audit logs is an essential best practice for compliance and security. It's vital to get expert advice, not just to make sure you are getting all the audit events needed, but also to know where to stop to avoid an event-log tsunami. Simply enabling all audit policy subcategories for all categories in the Advanced Audit Policy Configuration will burn up disk space and normalization resources on your SIEM system quicker than you can say 'How many Terabytes?!'

NNT have put together the following audit policies, based on expert guidance from Red Hat, Oracle, SUSE, the Center for Internet Security and our experienced PCI QSA/Security Auditor partners.

To enable logging of all relevant Linux security events to underpin your security policy, it is necessary to configure the audit.rules files (usually located in either the /etc/audit/rules.d/ or the /etc/audit/ directory). The audit policy specification is detailed below for the most popular platforms, but if we don't list your chosen platform, please let us know and we'll be right back with a policy for you.

The Easy Route: Audit Policy GPO Downloads for Compliance
Download the NNT Audit Policy Wizard file for direct execution on your host, or for mass deployment using Puppet, for example, and automatically configure an auditor-ready audit policy.

CentOS
NNT CentOS Linux 7 Benchmark v2.1.0
NNT CentOS Linux 6 Benchmark v2.0.1

RHEL
NNT Red Hat Enterprise Linux 7 Benchmark v2.1.0
NNT Red Hat Enterprise Linux 6 Benchmark v2.0.1

Oracle
NNT Oracle Linux 7 Benchmark v1.1.0
NNT Oracle Linux 6 Benchmark v1.0.0

Debian
NNT Debian Linux 8 Benchmark v1.0.0
NNT Debian Linux 7 Benchmark v1.0.0

SUSE
NNT SUSE Linux Enterprise Server 12 Benchmark v1.0.0

Request Other Platforms

CentOS Linux 7 Audit Policy For Compliance

Date and Time

Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

User/Group

Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

Mandatory Access Controls

Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Ensure login and logout events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Session Initiation

Ensure session initiation information is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Use Of Privileged Commands

Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules, with one such rule per setuid/setgid executable on the system ($file stands for the executable's path)

-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
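
The $file in the rule above is filled in once per executable. As an added example (not NNT's tool and not the CIS benchmark's own find command), this Python script walks one filesystem for setuid/setgid executables, skipping symlinks and other mounts, and emits one rule per path; min_uid is 1000 for the 7-series policies and 500 for the 6-series ones. The tree it scans is a constructed temp directory built by demo_tree so the script runs offline; point privileged_executables at "/" (as root) to generate rules for a real host.

```python
"""Expand the $file placeholder of the privileged-commands rule: one rule per
setuid/setgid executable on a filesystem.  Added example for this page; not
NNT's tooling."""
import os
import stat
import tempfile

RULE = ("-a always,exit -F path={path} -F perm=x -F auid>={uid} "
        "-F auid!=4294967295 -k privileged")


def privileged_executables(root):
    """Regular files below root carrying the setuid or setgid bit.  Stays on
    root's filesystem (like find -xdev) and ignores symlinks, which lstat
    reports as links rather than as the file they point at."""
    root_dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune mount points so we do not descend into other filesystems
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def privileged_rules(paths, min_uid=1000):
    """One rule line per path.  min_uid is 1000 for the CentOS/RHEL 7 policy
    and 500 for the CentOS/RHEL 6 policy, matching the auid>= filters."""
    return [RULE.format(path=p, uid=min_uid) for p in paths]


def demo_tree():
    """Build a constructed directory tree in a temp dir: a setuid file, a
    plain file, and a symlink to the setuid one.  Returns (root, rules)."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("sudo", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")   # constructed stand-in, not a real binary
        os.chmod(path, mode)
    os.symlink(os.path.join(bindir, "sudo"), os.path.join(bindir, "sudo-link"))
    return root, privileged_rules(privileged_executables(root))


if __name__ == "__main__":
    demo_root, demo_rules = demo_tree()
    print(f"# rules generated for {demo_root}")
    print("\n".join(demo_rules))
```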

Successful File System Mounts

Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

System Administration Scope

Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

System Administrator Actions

Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
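
Every section above says "ensure the following exists" in the rules file. As an added example (not NNT's tooling and not part of the CIS benchmark), this Python script checks a host's rules file against a required set, treating rules as equal when they differ only in the order of -S or -F options, and flags two defects that stop auditctl loading a line: a filter such as arch=b64 written without the -F the syntax requires, and stime (a 32-bit-only syscall) placed under arch=b64. The required rules are the "Date and Time" section above and the host file is constructed sample text; extend REQUIRED_RULES with the other sections and read a real /etc/audit/rules.d/audit.rules to check a host.

```python
"""Check a host's audit.rules against a required rule set and lint for two
defects that make auditctl reject a line.  Added example for this page; not
NNT's or CIS's own tooling."""
import shlex

# Required rules, copied from the "Date and Time" section (CentOS 7 form).
REQUIRED_RULES = """
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
"""

# Constructed sample of a host's /etc/audit/rules.d/audit.rules (not a real
# host).  One rule lists its syscalls in a different order (equivalent), one
# has copied stime into a b64 rule, and one writes arch=b64 without -F.
SAMPLE_HOST_RULES = """
## constructed sample
-D
-b 8192
-a always,exit -F arch=b32 -S settimeofday -S adjtimex -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit arch=b64 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
"""

# auditctl options that take a value; anything else on a line is a bare token.
VALUE_FLAGS = {"-a", "-A", "-w", "-W", "-p", "-k", "-F", "-S", "-C",
               "-b", "-f", "-r", "-e"}
FILTER_PREFIXES = ("arch=", "auid", "exit=", "perm=", "path=")


def tokenize(line):
    """Split one line into (option -> values) plus the bare tokens that had no
    option in front of them.  Returns (None, None) for blank/comment lines."""
    toks = shlex.split(line)
    if not toks or toks[0].startswith("#"):
        return None, None
    opts, bare, i = {}, [], 0
    while i < len(toks):
        if toks[i] in VALUE_FLAGS and i + 1 < len(toks):
            opts.setdefault(toks[i], []).append(toks[i + 1])
            i += 2
        else:
            bare.append(toks[i])
            i += 1
    return opts, bare


def canonical(line):
    """Hashable canonical form of a rule, or None for control lines (-D, -b).
    Filter and syscall order is ignored: '-S a -S b' equals '-S b -S a', as it
    does to the kernel, which keeps syscalls as a bitmask."""
    opts, _ = tokenize(line)
    if not opts:
        return None
    key = opts.get("-k", [""])[0]
    if "-w" in opts:
        perms = "".join(sorted(opts.get("-p", [""])[0]))
        return ("watch", opts["-w"][0], perms, key)
    if "-a" in opts:
        return ("syscall", opts["-a"][0], tuple(sorted(opts.get("-F", []))),
                tuple(sorted(opts.get("-S", []))), key)
    return None


def lint(line):
    """Findings for one rule line; empty when the line looks loadable."""
    opts, bare = tokenize(line)
    findings = []
    if not opts or not ("-a" in opts or "-w" in opts):
        return findings
    for tok in bare:
        if tok.startswith(FILTER_PREFIXES):
            findings.append(f"filter '{tok}' lacks the -F in front of it; "
                            "auditctl rejects the rule")
    rule = canonical(line)
    if rule[0] == "syscall" and "arch=b64" in rule[2] and "stime" in rule[3]:
        findings.append("stime is a 32-bit-only syscall; "
                        "auditctl rejects it under arch=b64")
    return findings


def missing_rules(required_text, host_text):
    """Required rule lines whose canonical form is absent from the host file."""
    present = {canonical(l) for l in host_text.splitlines()} - {None}
    return [l.strip() for l in required_text.splitlines()
            if canonical(l) is not None and canonical(l) not in present]


def lint_file(text):
    """Map each offending line to its findings."""
    return {l.strip(): lint(l) for l in text.splitlines() if lint(l)}


if __name__ == "__main__":
    for rule in missing_rules(REQUIRED_RULES, SAMPLE_HOST_RULES):
        print("MISSING:", rule)
    for bad_line, found in lint_file(SAMPLE_HOST_RULES).items():
        for msg in found:
            print(f"DEFECT: {bad_line}\n        {msg}")
```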

CentOS Linux 6 Audit Policy For Compliance

Date and Time

Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change

User/Group

Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

Mandatory Access Controls

Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Ensure login and logout events are collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Session Initiation

Ensure session initiation information is collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Use Of Privileged Commands

Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/audit.rules, with one such rule per setuid/setgid executable on the system ($file stands for the executable's path)

-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Successful File System Mounts

Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

System Administration Scope

Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

System Administrator Actions

Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

RHEL 7 Audit Policy For Compliance

Date and Time

Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change

User/Group

Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

Mandatory Access Controls

Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Ensure login and logout events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Session Initiation

Ensure session initiation information is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Use Of Privileged Commands

Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules, with one such rule per setuid/setgid executable on the system ($file stands for the executable's path)

-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

Successful File System Mounts

Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

System Administration Scope

Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

System Administrator Actions

Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

RHEL 6 Audit Policy For Compliance

Date and Time

Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change

User/Group

Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

Mandatory Access Controls

Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Ensure login and logout events are collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Session Initiation

Ensure session initiation information is collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Use Of Privileged Commands

Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/audit.rules, with one such rule per setuid/setgid executable on the system ($file stands for the executable's path)

-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Successful File System Mounts

Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

System Administration Scope

Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

System Administrator Actions

Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Oracle Linux 7 Audit Policy For Compliance

Date and Time

Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

User/Group

Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

Mandatory Access Controls

Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Collect Login and Logout Events - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

Session Initiation

Collect Session Initiation Information - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Use Of Privileged Commands

Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/rules.d/audit.rules, with one such line for each setuid/setgid program found on the system and $file replaced by that program's full path

-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

Successful File System Mounts

Collect Successful File System Mounts - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Collect File Deletion Events by User - Ensure the following exists for /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

System Administration Scope

Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /etc/sudoers -p wa -k scope

System Administrator Actions

Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/rules.d/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

Oracle Linux 6 Audit Policy For Compliance

Date and Time

Ensure events that modify date and time information are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change

User/Group

Ensure events that modify user/group information are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Ensure events that modify the system's network environment are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

Mandatory Access Controls

Ensure events that modify the system's Mandatory Access Controls are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Ensure login and logout events are collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Session Initiation

Ensure session initiation information is collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Ensure discretionary access control permission modification events are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Ensure unsuccessful unauthorized file access attempts are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Use Of Privileged Commands

Ensure use of privileged commands is collected - Ensure the following exists for /etc/audit/audit.rules, with one such line for each setuid/setgid program found on the system and $file replaced by that program's full path

-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Successful File System Mounts

Ensure successful file system mounts are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Ensure file deletion events by users are collected - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

System Administration Scope

Ensure changes to system administration scope (sudoers) are collected - Ensure the following exists for /etc/audit/audit.rules

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

System Administrator Actions

Ensure system administrator actions (sudolog) are collected - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Ensure kernel module loading and unloading is collected - Ensure the following exists for /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Debian Linux 8 Audit Policy For Compliance

Date and Time

Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

User/Group

Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

Mandatory Access Controls

Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Collect Login and Logout Events - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

Session Initiation

Collect Session Initiation Information - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Use Of Privileged Commands

Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/audit.rules, with one such line for each setuid/setgid program found on the system and $file replaced by that program's full path

-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

Successful File System Mounts

Collect Successful File System Mounts - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Collect File Deletion Events by User - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

System Administration Scope

Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/audit.rules

-w /etc/sudoers -p wa -k scope

System Administrator Actions

Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

Debian Linux 7 Audit Policy For Compliance

Date and Time

Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

User/Group

Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

Mandatory Access Controls

Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Collect Login and Logout Events - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

Session Initiation

Collect Session Initiation Information - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Use Of Privileged Commands

Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/audit.rules, with one such line for each setuid/setgid program found on the system and $file replaced by that program's full path

-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

Successful File System Mounts

Collect Successful File System Mounts - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Collect File Deletion Events by User - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

System Administration Scope

Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/audit.rules

-w /etc/sudoers -p wa -k scope

System Administrator Actions

Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

SUSE Linux Enterprise Server 12 Audit Policy For Compliance

Date and Time

Record Events That Modify Date and Time Information - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

User/Group

Record Events That Modify User/Group Information - Ensure the following exists for /etc/audit/audit.rules

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Network Environment

Record Events That Modify the System's Network Environment - Ensure the following exists for /etc/audit/audit.rules

-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

Mandatory Access Controls

Record Events That Modify the System's Mandatory Access Controls - Ensure the following exists for /etc/audit/audit.rules

-w /etc/selinux/ -p wa -k MAC-policy

Login and Logout

Collect Login and Logout Events - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

Session Initiation

Collect Session Initiation Information - Ensure the following exists for /etc/audit/audit.rules

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Discretionary Access Control

Collect Discretionary Access Control Permission Modification Events - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Unsuccessful Unauthorized File Access Attempts

Collect Unsuccessful Unauthorized Access Attempts to Files - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Use Of Privileged Commands

Collect Use of Privileged Commands - Ensure the following exists for /etc/audit/audit.rules, with one such line for each setuid/setgid program found on the system and $file replaced by that program's full path

-a always,exit -F path=$file -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Successful File System Mounts

Collect Successful File System Mounts - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

File Deletion Events By Users

Collect File Deletion Events by User - Ensure the following exists for /etc/audit/audit.rules

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

System Administration Scope

Collect Changes to System Administration Scope (sudoers) - Ensure the following exists for /etc/audit/audit.rules

-w /etc/sudoers -p wa -k scope

System Administrator Actions

Collect System Administrator Actions (sudolog) - Ensure the following exists for /etc/audit/audit.rules

-w /var/log/sudo.log -p wa -k actions

Kernel Module Loading And Unloading

Collect Kernel Module Loading and Unloading - Ensure the following exists for /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

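Every section above says "Ensure the following exists", and on a real host the rules file rarely matches the benchmark text character for character. The checker below is an added example (not NNT's or CIS's code): it normalises rule spelling (always,exit versus exit,always, repeated -S versus a comma list, -k versus the -F key= form that auditctl -l prints), treats the $file placeholder in the privileged-command rule as satisfied by per-binary rules, and flags lines auditctl would reject, such as a rule missing the -F before arch=b64. The sample rules file and the required-rule subset are constructed for the demonstration.

```python
"""Check an audit.rules file (or 'auditctl -l' output) against a required rule
list, matching on canonical form rather than exact text. Added example."""
import shlex

# Constructed sample of a rules file as found on a host: drifted spelling, one
# rule missing, and one line that lost the '-F' in front of 'arch=b64'.
SAMPLE_RULES = """
## time-change rules, written with the action order SUSE uses
-a exit,always -F arch=b64 -S adjtimex,settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/sudoers -p wa -k scope
# privileged-command rules are one per setuid/setgid binary, not '$file'
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit arch=b64 -S init_module -S delete_module -k modules
"""

# A subset of the rules listed on this page; platforms whose benchmark sets the
# threshold at auid>=500 (Oracle Linux 6, SLES 12) need that value here instead.
REQUIRED = [
    "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change",
    "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change",
    "-a always,exit -F arch=b64 -S clock_settime -k time-change",
    "-w /etc/localtime -p wa -k time-change",
    "-w /etc/sudoers -p wa -k scope",
    "-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged",
    "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules",
]

def parse_rule(line):
    """Canonical form of one rule line, or None if auditctl would reject it.
    'always,exit'/'exit,always', '-S a -S b'/'-S a,b' and '-k key'/'-F key=key'
    (the form 'auditctl -l' prints) all normalise to the same value."""
    toks = shlex.split(line)
    rule = {"kind": None, "action": None, "path": None, "perms": None,
            "fields": set(), "syscalls": set(), "key": None}
    i = 0
    while i < len(toks):
        if i + 1 >= len(toks):
            return None                      # flag without an argument
        flag, arg = toks[i], toks[i + 1]
        if flag == "-a":
            rule["kind"], rule["action"] = "syscall", frozenset(arg.split(","))
        elif flag == "-w":
            rule["kind"], rule["path"] = "watch", arg
        elif flag == "-p":
            rule["perms"] = frozenset(arg)
        elif flag == "-S":
            rule["syscalls"].update(arg.split(","))
        elif flag == "-F" and arg.startswith("key="):
            rule["key"] = arg[len("key="):]
        elif flag == "-F":
            rule["fields"].add(arg)
        elif flag == "-k":
            rule["key"] = arg
        else:
            return None                      # stray token such as a bare 'arch=b64'
        i += 2
    if rule["kind"] is None:
        return None
    rule["fields"] = frozenset(rule["fields"])
    rule["syscalls"] = frozenset(rule["syscalls"])
    return rule

def satisfied(req, present):
    """True if a required rule is present. The '$file' placeholder is met by any
    rule with a concrete path and the same remaining fields, action and key."""
    if "path=$file" in req["fields"]:
        template = req["fields"] - {"path=$file"}
        return any(p["kind"] == "syscall" and p["action"] == req["action"]
                   and p["key"] == req["key"] and template <= p["fields"]
                   and any(f.startswith("path=") for f in p["fields"])
                   for p in present)
    return req in present

def check_rules(required, rules_text):
    """Return (missing required rules, malformed lines) for a rules file."""
    present, malformed = [], []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_rule(line)
        (present if parsed else malformed).append(parsed or line)
    missing = [spec for spec in required
               if (req := parse_rule(spec)) is None or not satisfied(req, present)]
    return missing, malformed

if __name__ == "__main__":
    missing, malformed = check_rules(REQUIRED, SAMPLE_RULES)
    print("missing:", *missing, "malformed:", *malformed, sep="\n")
```

To check a live host, feed the output of auditctl -l (the loaded rules) rather than the file on disk, since a rule that fails to parse is silently absent from the kernel even though it sits in audit.rules.
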
Copyright 2017, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.