auditd
Best Practice Auditd Configuration
qemu on macOS
VirtualBox on macOS
Parallels Desktop on macOS
CHANGED -k description -w /var/log/audit/ -k T1005_Data_From_Local_System_audit_log ### macOS -w /var/audit/ -k T1005_Data_From_Local_System_audit_log
Dear @Neo23x0, thanks for starting and maintaining this utterly useful project. Do you think it would make sense to require contributors to issue a) descriptive commit messages (e.g., "add rules...
Hello. It looks like line 68 is missing an '=': -a always,exclude -F msgtypeAVC should be -a always,exclude -F msgtype=AVC
Starting with v5.11.7, the kernel goes into oops mode when starting the auditd service. Sorry I don't have more specific information since I don't know how to debug auditd rules.
I was testing a subset of these rules along with what my $dayjob currently has. Something I noticed testing on PopOS/Ubuntu was that with the DAC modifications, they wouldn't catch...
https://github.com/Neo23x0/auditd/blob/da8d66d5565e4a4634db8387891ebc1f61e4b9d2/audit.rules#L117 Why is the order of action and filter in this line "-a exit,always" and not "-a always,exit" like all the other lines have? This line https://github.com/Neo23x0/auditd/blob/master/audit.rules#L90 also seems to...
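The two syntax points raised in the issues above (the -F filter missing its '=' operator, and "-a exit,always" versus "-a always,exit") are both easy to catch before the ruleset is loaded. The following Python linter is an added example, not code from the Neo23x0/auditd project; the embedded ruleset is a constructed sample that reproduces both defects. Note that auditctl itself accepts either list,action or action,list order, so the reversed form is reported as a convention inconsistency rather than an error, while a -F filter without a comparison operator is reported as a real defect since auditctl will reject it.

```python
"""Lint an auditd rules file for a -F filter with no comparison operator
(e.g. '-F msgtypeAVC') and for an -a rule whose list/action pair is written
in the reversed 'list,action' order.  Added example, not part of the
Neo23x0/auditd repository."""
import re
import sys

# Constructed sample ruleset (not the project's audit.rules).
# Line 2 is missing the '=' operator; line 7 uses the reversed list,action order.
SAMPLE_RULES = """\
## Ignore SELinux AVC records
-a always,exclude -F msgtypeAVC
-a always,exclude -F msgtype=CWD
## Watch the audit log itself
-w /var/log/audit/ -k T1005_Data_From_Local_System_audit_log
## Reversed list/action order: auditctl accepts it, but it breaks the file's convention
-a exit,always -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -k passwd
"""

LISTS = {"task", "exit", "user", "exclude", "filesystem"}
ACTIONS = {"always", "never"}
# A -F filter is field, one comparison operator, then a value; '&' and '&=' are the bitmask forms.
FIELD = re.compile(r"^[A-Za-z0-9_]+(!=|<=|>=|&=|=|<|>|&)\S+$")
# auditctl options that take no argument; every other option consumes the next token.
NO_ARG = {"-D", "-c", "-i", "--loginuid-immutable"}


def lint_rules(text):
    """Return a list of (line_number, message) findings for the rules in ``text``."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok in NO_ARG:
                i += 1
                continue
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if arg is None:
                findings.append((lineno, f"{tok} is missing its argument"))
                break
            if tok in ("-a", "-A"):
                parts = arg.split(",")
                if len(parts) != 2:
                    findings.append((lineno, f"{tok} {arg}: expected 'action,list'"))
                elif parts[0] in LISTS and parts[1] in ACTIONS:
                    findings.append((lineno, f"{tok} {arg}: reversed order, convention is {parts[1]},{parts[0]}"))
                elif not (parts[0] in ACTIONS and parts[1] in LISTS):
                    findings.append((lineno, f"{tok} {arg}: unknown action or list"))
            elif tok == "-F" and not FIELD.match(arg):
                findings.append((lineno, f"-F {arg}: filter has no comparison operator (expected field=value)"))
            i += 2
    return findings


def main(argv):
    """Lint the file named on the command line, or the embedded sample when none is given."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RULES
    findings = lint_rules(text)
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 lint_audit_rules.py /etc/audit/rules.d/audit.rules`; a non-zero exit status makes it usable as a pre-commit or CI gate, which is the cheapest way to keep a shared ruleset from shipping a typo like the one in line 68.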
Hello! I could check that these audit rules are not compatible with the output that is expected by audit2allow to fix SELinux issues. I have to revert the changes, get...