## Executions.
# Record every process execution (execve, execveat) at syscall exit, under key "exec".
# NOTE(review): -F arch=b32 matches only the 32-bit syscall table; on an x86_64 host
# the native 64-bit calls are not covered unless a companion rule with -F arch=b64
# exists — confirm whether another file in rules.d provides it before relying on this.
-a always,exit -F arch=b32 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
# Record inbound (accept4, bind) and outbound (connect) socket activity at syscall
# exit, keyed "external-access"; -F key= is the same as -k. No process or uid
# filter is applied, so every caller on the host matches — this is what makes the
# rule expensive on busy network hosts.
# NOTE(review): b32 only — confirm a matching arch=b64 rule exists for 64-bit hosts.
-a always,exit -F arch=b32 -S accept4,bind,connect -F key=external-access
## Identity changes.
# Watch /etc/group for writes (w) and attribute changes (a), keyed "identity".
# NOTE(review): this section watches group, passwd and gshadow but not /etc/shadow,
# where password hashes live — confirm it is watched elsewhere or add it here.
-w /etc/group -p wa -k identity
# Watch /etc/passwd for writes (w) and attribute changes (a), keyed "identity".
-w /etc/passwd -p wa -k identity
# Watch /etc/gshadow for writes (w) and attribute changes (a), keyed "identity".
-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
# Record file open/create/truncate calls that fail with EACCES (permission denied),
# keyed "access". No auid filter is present, so failures from system daemons are
# logged alongside those of interactive users — expect noise on busy hosts.
# NOTE(review): b32 only — confirm a matching arch=b64 rule exists for 64-bit hosts.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
# Same syscall set as the EACCES rule above, matching failures with EPERM (operation
# not permitted) instead; both land under the "access" key for a single search.
# NOTE(review): b32 only — confirm a matching arch=b64 rule exists for 64-bit hosts.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access