Audit
System audit with auditd.
Installation
sudo apt install auditd audispd-plugins
Basic configuration
sudo nano /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
Audit rules
sudo nano /etc/audit/rules.d/audit.rules
# Delete all existing rules
-D
# Monitor system calls (process execution)
-a always,exit -F arch=b64 -S execve -k exec
# Monitor file access
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/group -p wa -k identity
# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd
-w /var/log/auth.log -p wa -k logins
# Monitor network
-a always,exit -F arch=b64 -S bind,connect -k network
# Monitor system time (stime exists only in the 32-bit syscall table;
# listing it under arch=b64 makes auditctl reject the whole rule)
-a always,exit -F arch=b64 -S adjtimex,settimeofday,time -k time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,time -k time
# Raw packet sockets as used for promiscuous capture (a0 is the socket
# domain; AF_PACKET = 17, whereas 1 would be AF_UNIX)
-a always,exit -F arch=b64 -S socket -F a0=17 -k promiscuous
# Monitor /etc/hosts
-w /etc/hosts -p wa -k hosts
Enable rules
sudo augenrules --load
Check status
sudo auditctl -l
sudo auditctl -s
Reports
# Events tagged with key "exec" (process executions)
sudo ausearch -k exec
# Login-related events (writes to /var/log/auth.log)
sudo ausearch -k logins
# Network events (bind/connect)
sudo ausearch -k network
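As an added example (not part of this page), a small Python parser for the RAW-format audit.log configured above: it groups records by event serial, extracts the key, login uid (auid), executable, argv and touched paths, and filters by key the way ausearch -k does. The log lines are constructed sample input in the format auditd writes with log_format = RAW.

```python
import re
from collections import defaultdict

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample in log_format = RAW: one execve (key "exec") and one open of
# /etc/shadow caught by the -w /etc/shadow rule (key "identity").
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0a2e2a0 a1=55d1c0a2e3c0 a2=55d1c0a2f010 a3=8 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="exec"
type=EXECVE msg=audit(1700000000.123:4711): argc=2 a0="useradd" a1="mallory"
type=SYSCALL msg=audit(1700000000.500:4712): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc12345678 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1700000000.500:4712): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.500:4712): item=1 name="/etc/shadow" inode=4242 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

def parse_audit_log(text):
    """Group raw audit records by serial; all records of one event share it."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank or truncated line
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        rec['type'] = m.group('type')
        events[int(m.group('serial'))].append(rec)
    return events

def summarize_events(text):
    """One dict per event: key, login uid (auid), exe, argv and touched paths."""
    out = []
    for serial, recs in sorted(parse_audit_log(text).items()):
        sc = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if sc is None:
            continue  # no SYSCALL record, nothing to attribute
        argv = []
        for r in recs:
            if r['type'] == 'EXECVE':
                argv = [r[f'a{i}'] for i in range(int(r['argc'])) if f'a{i}' in r]
        # PARENT entries are the containing directory, not the object touched
        paths = [r['name'] for r in recs
                 if r['type'] == 'PATH' and r.get('nametype') != 'PARENT']
        out.append({'serial': serial, 'key': sc.get('key'), 'auid': sc.get('auid'),
                    'exe': sc.get('exe'), 'argv': argv, 'paths': paths})
    return out

def events_for_key(text, key):
    """Offline counterpart of `ausearch -k KEY` over a captured log."""
    return [e for e in summarize_events(text) if e['key'] == key]
```

The auid field is the login uid that survives su/sudo, which is why attribution should be done on it rather than on uid.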
Restart service
sudo systemctl restart auditd
sudo systemctl enable auditd