# Active audit ruleset as reported by `auditctl -l`.
# The kernel evaluates exit-filter rules in the order shown, so the `never`
# suppressions at the top must stay ahead of the `always` rules they are
# meant to silence.  `-l` does not report the enabled/immutable flag (-e);
# check `auditctl -s` for that.  NOTE(review): whether these rules are
# persisted under /etc/audit/rules.d is not visible from this listing —
# rules loaded with auditctl alone do not survive a reboot.
sudo auditctl -l
# --- Noise suppression: probes of /proc/filesystems ---
-a never,exit -F arch=b64 -S open,openat -F path=/proc/filesystems
-a never,exit -F arch=b32 -S open,openat -F path=/proc/filesystems
# --- Noise suppression by executable path (-F exe=) ---
# Each of these is a deliberate blind spot: the listed syscalls, when made
# by the named binary, are never recorded even though a matching `always`
# rule below would otherwise fire (e.g. open/openat by ps/top/htop/find and
# by systemd do not appear under the pt_siem_* keys).  Re-review this list
# whenever one of these binaries is replaced or its path changes.
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/usr/bin/vmtoolsd
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/usr/sbin/haproxy
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/usr/sbin/cron
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/usr/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/lib/systemd/systemd-logind
-a never,exit -F arch=b64 -S socket,connect,accept,listen,execve,ptrace,setuid,setgid,setreuid,setregid,capset,adjtimex,settimeofday,setxattr,lsetxattr,fsetxattr,clock_settime,accept4,execveat -F exe=/usr/lib/systemd/systemd-logind
# Monitoring agent: file and network activity suppressed.
-a never,exit -F arch=b64 -S open,socket,connect,accept,openat -F exe=/usr/bin/zabbix_agentd
# Process/file enumeration tools: their own file reads are not logged.
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/ps
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/top
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/htop
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/find
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/lib/systemd/systemd
# 32-bit (compat) mirrors of the suppressions above.
-a never,exit -F arch=b32 -S execve,setuid,ptrace,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/usr/bin/vmtoolsd
# NOTE(review): unlike the b64 haproxy rule and the other b32 rules here,
# this one omits ptrace — looks unintentional; confirm.
-a never,exit -F arch=b32 -S execve,setuid,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/usr/sbin/haproxy
-a never,exit -F arch=b32 -S execve,setuid,ptrace,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/usr/sbin/cron
-a never,exit -F arch=b32 -S execve,setuid,ptrace,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b32 -S execve,setuid,ptrace,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/usr/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b32 -S execve,setuid,ptrace,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/usr/lib/systemd/systemd-logind
-a never,exit -F arch=b32 -S execve,setuid,ptrace,setgid,setreuid,setregid,settimeofday,adjtimex,capset,setxattr,lsetxattr,fsetxattr,clock_settime,execveat,socket,connect,listen,accept4 -F exe=/lib/systemd/systemd-logind
-a never,exit -F arch=b32 -S open,openat,socket,connect,accept4 -F exe=/usr/bin/zabbix_agentd
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/ps
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/top
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/htop
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/find
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/lib/systemd/systemd
# --- Process execution: every execve/execveat system-wide (high volume) ---
-a always,exit -F arch=b64 -S execve,execveat -F key=pt_siem_execve
# --- Raw and packet sockets ---
# a0 = domain (0x2 AF_INET, 0xA AF_INET6, 0x11 AF_PACKET),
# a1 = type   (0x3 SOCK_RAW, 0xA SOCK_PACKET).  a1 is an exact match, so a
# type with SOCK_NONBLOCK/SOCK_CLOEXEC OR'd in does not match these rules —
# NOTE(review): confirm that coverage is acceptable.
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0x3 -F key=pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0xA -F a1=0x3 -F key=pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0xA -F key=pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0xA -F a1=0xA -F key=pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0x11 -F key=pt_siem_api_socket
# --- Outbound connections: a2 is addrlen — 0x10 = sizeof(struct sockaddr_in),
# 0x1C = sizeof(struct sockaddr_in6); i.e. IPv4/IPv6 endpoints only ---
-a always,exit -F arch=b64 -S connect -F a2=0x10 -F key=pt_siem_api_connect
-a always,exit -F arch=b64 -S connect -F a2=0x1C -F key=pt_siem_api_connect
# --- Inbound: every accept/accept4 and listen ---
-a always,exit -F arch=b64 -S accept4 -F key=pt_siem_api_accept
-a always,exit -F arch=b64 -S accept -F key=pt_siem_api_accept
-a always,exit -F arch=b64 -S listen -F key=pt_siem_api_listen
# --- Reads of credential / authentication configuration ---
# auid!=-1 drops processes with no login uid (daemons, boot), so only
# activity attributable to a logged-in user is recorded.
-a always,exit -S all -F path=/etc/shadow -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/gshadow -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/passwd -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/group -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/security/opasswd -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/master.passwd -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/spwd.db -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F path=/etc/sudoers -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F dir=/etc/sudoers.d -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
-a always,exit -S all -F dir=/etc/pam.d -F perm=r -F auid!=-1 -F key=pt_siem_etc_read
# Writes / attribute changes anywhere under /var/log by a logged-in user
# (log tampering); attribute-only changes are included via perm=wa.
-a always,exit -S all -F dir=/var/log -F perm=wa -F auid!=-1 -F key=pt_siem_var_log_access
# Reads of regular files (filetype=32768 == S_IFREG) under /proc by a
# logged-in user.
-a always,exit -S open,openat -F dir=/proc -F filetype=32768 -F perm=r -F auid!=-1 -F key=pt_siem_proc
# --- File-system watches: configuration, home directories, scheduled jobs,
# binaries, libraries and boot files (write + attribute change) ---
-w /etc -p wa -k pt_siem_etc_modify
-w /root -p rwa -k pt_siem_root_home_access
-w /var/www -p wa -k pt_siem_www_home_access
-w /var/spool/cron -p wa -k pt_siem_cron_modify
-w /var/spool/at -p wa -k pt_siem_cron_modify
-w /bin -p wa -k pt_siem_bin_modify
-w /usr/bin -p wa -k pt_siem_bin_modify
-w /sbin -p wa -k pt_siem_bin_modify
-w /usr/sbin -p wa -k pt_siem_bin_modify
-w /usr/local/bin -p wa -k pt_siem_bin_modify
-w /usr/local/sbin -p wa -k pt_siem_bin_modify
-w /usr/libexec -p wa -k pt_siem_bin_modify
-w /lib -p wa -k pt_siem_lib_modify
-w /lib64 -p wa -k pt_siem_lib_modify
-w /usr/lib -p wa -k pt_siem_lib_modify
-w /usr/lib64 -p wa -k pt_siem_lib_modify
-w /boot -p wa -k pt_siem_boot_modify
# --- Privileged kernel APIs: capabilities, xattrs, clock, kernel modules ---
-a always,exit -F arch=b64 -S capset -F key=pt_siem_api_caps
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -F key=pt_siem_api_xattr
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=pt_siem_api_time
-a always,exit -F arch=b64 -S init_module,delete_module -F auid!=-1 -F key=pt_siem_api_kernel_mods
-a always,exit -F arch=b64 -S finit_module -F auid!=-1 -F key=pt_siem_api_kernel_mods
# --- ptrace: a0 is the request.  The selected values are the attach- and
# write-type requests (e.g. 0x10 PTRACE_ATTACH, 0x4206 PTRACE_SEIZE,
# 0x4/0x5 PTRACE_POKETEXT/POKEDATA); pure read requests are not logged. ---
-a always,exit -F arch=b64 -S ptrace -F a0=0x0 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0xD -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0xF -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x10 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x11 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x13 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4203 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4205 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4206 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4207 -F key=pt_siem_api_ptrace
# --- Identity changes ---
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -F key=pt_siem_api_setuid
# --- 32-bit (compat) mirrors of the pt_siem_* rules above ---
# NOTE(review): the socket/connect/accept/listen rules (pt_siem_api_socket,
# _connect, _accept, _listen) have no b32 counterpart here; on i386 these
# calls may be reached through socketcall, so confirm this is intended.
-a always,exit -F arch=b32 -S execve,execveat -F key=pt_siem_execve
-a always,exit -F arch=b32 -S capset -F key=pt_siem_api_caps
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr -F key=pt_siem_api_xattr
-a always,exit -F arch=b32 -S settimeofday,adjtimex,clock_settime -F key=pt_siem_api_time
-a always,exit -F arch=b32 -S init_module,delete_module -F auid!=-1 -F key=pt_siem_api_kernel_mods
-a always,exit -F arch=b32 -S finit_module -F auid!=-1 -F key=pt_siem_api_kernel_mods
-a always,exit -F arch=b32 -S ptrace -F a0=0x0 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0xD -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0xF -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x10 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x11 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x13 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4203 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4205 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4206 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4207 -F key=pt_siem_api_ptrace
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -F key=pt_siem_api_setuid
# --- Mandatory-access audit by label (keys parsec-p / parsec-f) ---
# subj_type=psaud selects processes carrying the psaud audit label,
# obj_type=faud selects files carrying the faud label.  NOTE(review):
# presumably the distribution's PARSEC audit rules; verify against the
# vendor defaults before changing them.
-a always,exit -F arch=b64 -S open,execve,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,setuid,setgid,setreuid,setregid,setresuid,setresgid,setfsuid,setfsgid,mknod,chroot,mount,umount2,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,finit_module,renameat2,execveat,move_mount -F subj_type=psaud -F key=parsec-p
-a always,exit -F arch=b32 -S open,creat,link,unlink,execve,mknod,chmod,lchown,mount,setuid,rename,mkdir,rmdir,setgid,umount2,chroot,setreuid,setregid,symlink,fchmod,fchown,init_module,delete_module,setfsuid,setfsgid,setresuid,setresgid,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,finit_module,renameat2,execveat,move_mount -F subj_type=psaud -F key=parsec-p
-a always,exit -F arch=b64 -S open,execve,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,renameat2,execveat -F obj_type=faud -F key=parsec-f
-a always,exit -F arch=b32 -S open,creat,link,unlink,execve,mknod,chmod,lchown,rename,mkdir,rmdir,symlink,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,renameat2,execveat -F obj_type=faud -F key=parsec-f
# --- Audit-trail tamper detection: removal, rename and permission/owner
# changes of the auditd log and of the events log under /parsec/log ---
-a always,exit -F arch=b64 -S unlink,unlinkat -F path=/var/log/audit/audit.log -F key=remove_audit
-a always,exit -F arch=b64 -S rename,renameat,renameat2 -F path=/var/log/audit/audit.log -F key=rename_audit
-a always,exit -F arch=b64 -S unlink,unlinkat -F path=/parsec/log/astra/events -F key=remove_events
-a always,exit -F arch=b64 -S rename,renameat,renameat2 -F path=/parsec/log/astra/events -F key=rename_events
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,fchownat,fchmodat -F path=/parsec/log/astra/events -F key=events_modified
# a3 is openat()'s mode argument; a3!=0 — NOTE(review): presumably meant to
# catch opens that pass an explicit creation mode; confirm the intent.
-a always,exit -F arch=b64 -S openat -F a3!=0x0 -F path=/parsec/log/astra/events -F key=events_modified
# --- Per-file watches on logging / audit configuration; the key is the
# watched path itself (search with `ausearch -k <path>`) ---
-w /etc/astra-syslog.conf -p wa -k /etc/astra-syslog.conf
-w /etc/audit/rules.d/astra-syslog.rules -p wa -k /etc/audit/rules.d/astra-syslog.rules
-w /etc/syslog-ng/conf.d/mod-astra.conf -p wa -k /etc/syslog-ng/conf.d/mod-astra.conf
-w /usr/share/syslog-ng-mod-astra/mod-astra.conf -p wa -k /usr/share/syslog-ng-mod-astra/mod-astra.conf
# --- Every mount / unmount ---
-a always,exit -F arch=b64 -S mount -F key=mount_device
-a always,exit -F arch=b64 -S umount2 -F key=umount_device
# --- Per-file watches on mandatory-access, integrity, boot, sysctl and
# limits configuration (key == path) ---
-w /etc/parsec/macdb -p wa -k /etc/parsec/macdb
-w /etc/parsec/micdb -p wa -k /etc/parsec/micdb
-w /etc/fly-kiosk -p wa -k /etc/fly-kiosk
-w /media -p wa -k /media
-w /etc/digsig/digsig_initramfs.conf -p wa -k /etc/digsig/digsig_initramfs.conf
-w /etc/digsig/xattr_control -p wa -k /etc/digsig/xattr_control
-w /etc/parsec/mac_levels -p wa -k /etc/parsec/mac_levels
-w /boot/grub/grub.cfg -p wa -k /boot/grub/grub.cfg
-w /etc/parsec/mac_categories -p wa -k /etc/parsec/mac_categories
-w /etc/security/access.conf -p wa -k /etc/security/access.conf
-w /var/lib/dpkg/statoverride -p wa -k /var/lib/dpkg/statoverride
-w /etc/sysctl.d/99-sysctl.conf -p wa -k /etc/sysctl.d/99-sysctl.conf
-w /etc/sysctl.d/99-astra.conf -p wa -k /etc/sysctl.d/99-astra.conf
-w /etc/security/limits.conf -p wa -k /etc/security/limits.conf
-w /lib/udev/rules.d/91-group-floppy.rules -p wa -k /lib/udev/rules.d/91-group-floppy.rules
-w /etc/fstab -p wa -k /etc/fstab
-w /etc/parsec/astra_mode -p wa -k /etc/parsec/astra_mode
-w /etc/parsec/kiosk2_enforce -p wa -k /etc/parsec/kiosk2_enforce
-w /etc/parsec/fs-ilev.conf -p wa -k /etc/parsec/fs-ilev.conf
# --- Cross-user access inside /home: a real login user (auid>=1000)
# reading/writing/changing files whose owner uid differs from that login
# uid (-C compares two fields of the same event) ---
-a always,exit -S all -F dir=/home -F perm=rwa -F auid!=-1 -F auid>=1000 -C auid!=obj_uid -F key=pt_siem_home_access