logging root authorized_keys file manipulation

Neo23x0 / auditd

Best Practice Auditd Configuration

Apache License 2.0

1.49k stars 258 forks source link

logging root authorized_keys file manipulation #152

Open borross opened 2 months ago

borross commented 2 months ago

for correct logging add pls under the section ## root ssh key tampering such value -w /root/.ssh/authorized_keys -p wa -k rootkey

Commands for check:

ssh-keygen -t rsa -f test_key
cat test_key.pub >> /root/.ssh/authorized_keys

Log sample:

type=PATH msg=audit(1723720092.480:12186438): item=0 name="/root/.ssh/authorized_keys" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Pierre-Gronau-ndaal commented 2 months ago

what about:

-a always,exit -F arch=b32 -F dir=/root/.ssh/authorized_keys -F perm=wa -F key=rootkey -a always,exit -F arch=b64 -F dir=/root/.ssh/authorized_keys -F perm=wa -F key=rootkey