/usr/share/doc/auditd/examples/rules/README-rules is in auditd 1:2.6.7-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | The rules in this directory should be copied to /etc/audit/rules.d/
The file in this directory are organized into groups with the
following meanings:
10 - Kernel and auditctl configuration
20 - Rules that could match general rules but we want a different match
30 - Main rules
40 - Optional rules
50 - Server Specific rules
70 - System local rules
90 - Finalize (immutable)
There is one set of rules, 31-privileged.rules, that should be regenerated.
There is a script in the comments of that file. You can uncomment the commands
and run the script and then rename the resulting file.
The augenrules program will sort the rules based on the file name. It will
compile the individual files into a master audit.rules file and place in
the correct location.
If you wanted to set a system up in the STIG configuration, copy rules
10, 30-stig, 31, and 99. Add more to suit your preferences.
|