Initial commit

[ta/infra-ansible.git] / roles / audit / templates / 50-file-changes.rules.j2

diff --git a/roles/audit/templates/50-file-changes.rules.j2 b/roles/audit/templates/50-file-changes.rules.j2
new file mode 100644 (file)
index 0000000..af0ca75
--- /dev/null
+++ b/roles/audit/templates/50-file-changes.rules.j2
@@ -0,0 +1,22 @@
+## file changes
+-w /boot/ -p rwxa -k dir_boot
+-w /opt/ -p aw -k dir_opt
+-w /etc/ -p rwa -k dir_etc
+-w /usr/bin -p aw -k usr-bin
+-w /usr/sbin -p aw -k usr-sbin
+-w /usr/libexec -p aw -k usr-libexex
+-w /usr/local -p rwxa -k usr-local
+-w /mnt/symptomreport/ -p awr -k symptomreport
+-w /usr/lib -p aw -k usr-lib
+-w /usr/lib64 -p aw -k usr-lib64
+-w /var/log/audit/ -k audit-logs
+-w /var/log/sudo.log -p wa -k actions
+-a always,exit -F arch=b64 -S epoll_wait_old -F key=64bit_epoll_wait_old
+-a always,exit -F arch=b32 -S inotify_add_watch -F key=32bit_inotify_add_watch
+-a always,exit -F arch=b64 -S inotify_add_watch -F key=64bit_inotify_add_watch
+-a always,exit -F arch=b32 -S inotify_init -F key=32bit_inotify_init
+-a always,exit -F arch=b64 -S inotify_init -F key=64bit_inotify_init
+-a always,exit -F arch=b32 -S inotify_init1 -F key=32bit_inotify_init1
+-a always,exit -F arch=b64 -S inotify_init1 -F key=64bit_inotify_init1
+-a always,exit -F arch=b32 -S inotify_rm_watch -F key=32bit_inotify_rm_watch
+-a always,exit -F arch=b64 -S inotify_rm_watch -F key=64bit_inotify_rm_watch