Linux ENTERPRISE 10 SP1 - THE AUDIT Manual page 61

The Linux Audit Framework for Novell

-w /etc/postfix/ -p wa
-w /etc/ssh/sshd_config
-w /etc/stunnel/stunnel.conf
-w /etc/stunnel/stunnel.pem
-w /etc/vsftpd.ftpusers
-w /etc/vsftpd/vsftpd.conf
-a exit,always -S sethostname
-w /etc/issue -p wa
-w /etc/issue.net -p wa
Set watches on the at and cron configuration and the scheduled jobs and assign
labels to these events.
Set watches on the user, group, password, and login databases and logs and set
labels to better identify any login-related events, such as failed login attempts.
Set a watch and a label on the static hostname configuration in /etc/hosts.
Track changes to the system configuration directory, /etc/sysconfig. Enable
per-file watches if you are interested in file events.
Set watches and labels for changes to the boot configuration in /etc/inittab
and the /etc/init.d directory. Enable per-file watches if you are interested
in file events.
Set watches and labels for any changes to the linker configuration in
/etc/ld.so.conf.
Set watches and a label for /etc/localtime.
Set watches and labels for the kernel configuration files /etc/sysctl.conf,
/etc/modprobe.d/, /etc/modprobe.conf.local, and /etc/modprobe.conf.
Set watches on the PAM configuration directory. If you are interested in particular
files below the directory level, add explicit watches to these files as well.
Set watches to the postfix configuration to log any write attempt or attribute change
and use labels for better tracking in the logs.
Set watches and labels on the ssh, stunnel, and vsftpd configuration files.
Perform an audit of the sethostname system call and set watches and labels
on the system identification configuration in /etc/issue and /etc/issue.net.
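A rule file like this one can be checked against the descriptions above before it is loaded. The following Python sketch is an added example, not part of the manual: it parses the rule lines shown on this page and reports which required paths have no watch and which watches carry no label, assuming the manual's "labels" correspond to auditctl's -k key option. The names REQUIRED, parse_rules, and review are made up for this example.

```python
import shlex

# Rule lines copied from this page (the tail of the manual's rule file).
PAGE_RULES = """\
-w /etc/postfix/ -p wa
-w /etc/ssh/sshd_config
-w /etc/stunnel/stunnel.conf
-w /etc/stunnel/stunnel.pem
-w /etc/vsftpd.ftpusers
-w /etc/vsftpd/vsftpd.conf
-a exit,always -S sethostname
-w /etc/issue -p wa
-w /etc/issue.net -p wa
"""
# /etc/hosts is named in the prose, but its rule is not in this excerpt.
REQUIRED = ["/etc/postfix/", "/etc/ssh/sshd_config", "/etc/issue",
            "/etc/issue.net", "/etc/hosts"]
SINGLE = {"-w": "watch", "-p": "perms", "-k": "key", "-a": "list"}
MULTI = {"-S": "syscalls", "-F": "filters"}

def parse_rules(text):
    """Parse auditctl-style rule lines; blank lines and # comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if len(tokens) % 2:
            raise ValueError(f"line {lineno}: option without a value")
        rule = {"line": lineno, "watch": None, "perms": None, "key": None,
                "list": None, "syscalls": [], "filters": []}
        for opt, val in zip(tokens[::2], tokens[1::2]):
            if opt in SINGLE:
                rule[SINGLE[opt]] = val
            elif opt in MULTI:
                rule[MULTI[opt]].append(val)
            else:
                raise ValueError(f"line {lineno}: unsupported option {opt!r}")
        rules.append(rule)
    return rules

def review(rules, required=REQUIRED):
    """Return (required paths with no watch, watches that carry no -k label)."""
    watched = {r["watch"].rstrip("/") for r in rules if r["watch"]}
    missing = [p for p in required if p.rstrip("/") not in watched]
    unlabeled = [r["watch"] for r in rules if r["watch"] and not r["key"]]
    return missing, unlabeled
```

Calling review(parse_rules(PAGE_RULES)) on this excerpt lists /etc/hosts as missing and every watch as unlabeled, because the lines shown here contain no -k option.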
Introducing an Audit Rule Set