author | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
---|---|---|
committer | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
commit | df5afa4fcd9725380f94ca6476248d4cc24f889a (patch) | |
tree | 65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/contrib | |
parent | 76f6bf922552c00546e6e85ca471eab28f56986c (diff) |
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/contrib')
-rwxr-xr-x | framework/src/audit/contrib/avc_snap | 90 | ||||
-rw-r--r-- | framework/src/audit/contrib/capp.rules | 302 | ||||
-rw-r--r-- | framework/src/audit/contrib/lspp.rules | 343 | ||||
-rw-r--r-- | framework/src/audit/contrib/nispom.rules | 148 | ||||
-rw-r--r-- | framework/src/audit/contrib/plugin/Makefile | 7 | ||||
-rw-r--r-- | framework/src/audit/contrib/plugin/audisp-example.c | 229 | ||||
-rw-r--r-- | framework/src/audit/contrib/plugin/audisp-example.conf | 10 | ||||
-rw-r--r-- | framework/src/audit/contrib/skeleton.c | 140 | ||||
-rw-r--r-- | framework/src/audit/contrib/stig.rules | 193 |
9 files changed, 1462 insertions, 0 deletions
diff --git a/framework/src/audit/contrib/avc_snap b/framework/src/audit/contrib/avc_snap
new file mode 100755
index 00000000..f4acba7d
--- /dev/null
+++ b/framework/src/audit/contrib/avc_snap
@@ -0,0 +1,90 @@
+#! /usr/bin/env python
+import os, string, select, struct, syslog
+import audit, avc, traceback
+import AuditMsg
+from setroubleshoot.signature import *
+from setroubleshoot.util import LoadPlugins
+
+class avc_snap:
+ def __init__(self):
+ self.audit_list = []
+ self.cur_sig = ""
+ self.plugins = LoadPlugins()
+ syslog.syslog( "Number of Plugins = %d" % len(self.plugins))
+
+ def is_avc(self):
+ for i in self.audit_list:
+ if i[0] == audit.AUDIT_AVC:
+ return True
+ return False
+
+ def out(self):
+ if self.is_avc():
+ rules=avc.SERules()
+ l=[]
+ for ( type, data_list ) in self.audit_list:
+ l += data_list
+
+ if "granted" in l:
+ self.audit_list = []
+ return
+
+ rules.translate(l)
+ myavc = AVC(rules.AVCS[0])
+ for plugin in self.plugins:
+ try:
+ if plugin.analyze(myavc):
+ plugin.report()
+ break;
+
+ except TypeError, e:
+ syslog.syslog("Type exception %s: %s " % ( plugin.analysisID, e.args))
+ except:
+ syslog.syslog("Plugin Exception %s " % plugin.analysisID)
+
+ self.audit_list = []
+
+ def process(self, type, data):
+ data_list=data.split()
+ new_sig=data_list[0]
+
+ if len(self.audit_list) > 0 and new_sig != self.cur_sig:
+ self.out()
+ self.cur_sig = new_sig
+
+ self.audit_list.append((type, data_list[1:]))
+
+ def run(self):
+ while 1:
+ input,output, err = select.select([0],[], [], 5)
+ try:
+ if 0 in input:
+ msg = AuditMsg.AuditMsg()
+ if not msg.read_from_fd(0):
+ syslog.syslog("Connection closing")
+ return
+ self.process(msg.get_type(), msg.get_body())
+ else:
+ self.out()
+
+ except struct.error, e:
+ syslog.syslog("struct exception %s " % e.args)
+ return
+ except TypeError, e:
+ syslog.syslog("Type exception %s " % e.args)
+
+try:
+ syslog.openlog("avc_snap")
+ snap=avc_snap()
+ snap.run()
+
+except IOError,e:
+ syslog.syslog("IOError exception %s" % e.args)
+
+except Exception, e:
+ syslog.syslog("Unexpected exception %s " % e.args)
+ syslog.syslog(traceback.format_exc())
+
+except:
+ syslog.syslog("Caught Exception")
+ syslog.syslog(traceback.format_exc())
diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules
new file mode 100644
index 00000000..5e38274f
--- /dev/null
+++ b/framework/src/audit/contrib/capp.rules
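Review bot: The bare `except:` at the end of the plugin loop in `out()` logs only `plugin.analysisID` and drops the exception itself, so a plugin that fails for any reason other than TypeError leaves no record of why, even though the module-level handler at the bottom of the file does log `traceback.format_exc()`. Narrowing it and logging the traceback keeps the best-effort behaviour: `except Exception:` followed by `syslog.syslog("Plugin Exception %s " % plugin.analysisID)` and `syslog.syslog(traceback.format_exc())`. As a point of style, the `except TypeError, e` / `except IOError,e` comma form pins the script to Python 2 (`except TypeError as e` is accepted by both), and `break;` carries a stray semicolon. `myavc = AVC(rules.AVCS[0])` also assumes `translate()` produced at least one AVC; if it ever does not, the IndexError is not among the exceptions `run()` catches and would end the process via the top-level `except Exception` handler.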
@@ -0,0 +1,302 @@ +## +## This file contains a sample audit configuration. Combined with the +## system events that are audited by default, this set of rules causes +## audit to generate records for the auditable events specified by the +## Controlled Access Protection Profile (CAPP). +## +## It should be noted that this set of rules identifies directories by +## leaving a / at the end of the path. +## +## For audit 2.0.6 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## +## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 +## successful and unsuccessful attempts to read information from the +## audit records; all modifications to the audit trail +## +-w /var/log/audit/ -k LOG_audit + +## +## FAU_SEL.1, FMT_MTD.1 +## modifications to audit configuration that occur while the audit +## collection functions are operating; all modications to the set of +## audited events +## +-w /etc/audit/ -p wa -k CFG_audit +-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf +-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf +-w /etc/audisp/ -p wa -k CFG_audisp + +## +## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 +## all requests to perform an operation on an object covered by the +## SFP; all modifications of the values of security attributes; +## modifications to TSF data; attempts to revoke security attributes +## + +## Objects covered by the Security Functional Policy (SFP) are: +## -File system objects (files, directories, special files, extended attributes) +## -IPC objects (SYSV shared memory, message queues, and semaphores) + +## Operations on file system objects - by default, only monitor +## files and directories covered by filesystem watches. 
+ +## Changes in ownership and permissions +#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown +#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown +## Enable *32 rules if you are running on i386 or s390 +## Do not use for x86_64, ia64, ppc, ppc64, or s390x +#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 + +## File content modification. Permissions are checked at open time, +## monitoring individual read/write calls is not useful. +#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +## Enable *64 rules if you are running on i386, ppc, ppc64, s390 +## Do not use for x86_64, ia64, or s390x +#-a always,exit -F arch=b32 -S truncate64,ftruncate64 + +## directory operations +#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir +#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir + +## moving, removing, and linking +#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat +#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat + +## Extended attribute operations +## Enable if you are interested in these events +#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr +#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + +## special files +-a always,exit -F arch=b32 -S mknod,mknodat +-a always,exit -F arch=b64 -S mknod,mknodat + +## Other file system operations +## Enable if i386 +-a always,exit -F arch=b32 -S mount,umount,umount2 +## Enable if ppc, s390, or s390x +#-a always,exit -F arch=b32 -S mount,umount,umount2 +#-a always,exit -F arch=b64 -S mount,umount,umount2 +## Enable if 
ia64 +#-a always,exit -F arch=b64 -S mount,umount +## Enable if x86_64 +#-a always,exit -F arch=b64 -S mount,umount2 +#-a always,exit -F arch=b32 -S mount,umount,umount2 + +## IPC SYSV message queues +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## msgctl +#-a always,exit -S ipc -F a0=14 +## msgget +#-a always,exit -S ipc -F a0=13 +## Enable if you are interested in these events (x86_64,ia64) +#-a always,exit -S msgctl +#-a always,exit -S msgget + +## IPC SYSV semaphores +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## semctl +#-a always,exit -S ipc -F a0=3 +## semget +#-a always,exit -S ipc -F a0=2 +## semop +#-a always,exit -S ipc -F a0=1 +## semtimedop +#-a always,exit -S ipc -F a0=4 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S semctl +#-a always,exit -S semget +#-a always,exit -S semop +#-a always,exit -S semtimedop + +## IPC SYSV shared memory +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## shmctl +#-a always,exit -S ipc -F a0=24 +## shmget +#-a always,exit -S ipc -F a0=23 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S shmctl +#-a always,exit -S shmget + +## +## FIA_USB.1 +## success and failure of binding user security attributes to a subject +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S clone +#-a always,exit -F arch=b64 -S clone +#-a always,exit -F arch=b32 -S fork,vfork +#-a always,exit -F arch=b64 -S fork,vfork +## For ia64 architecture, disable fork and vfork rules above, and +## enable the following: +#-a always,exit -S clone2 + +## +## FMT_MSA.3 +## modifications of the default setting of permissive or restrictive +## rules, all modifications of the initial value of security attributes +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S umask +#-a always,exit -F arch=b64 -S umask + +## +## FPT_STM.1 +## 
changes to the time +## +-a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime +-a always,exit -F arch=b64 -S adjtimex,settimeofday +-a always,exit -F arch=b32 -S clock_settime -F a0=0 +-a always,exit -F arch=b64 -S clock_settime -F a0=0 +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change + +## +## FTP_ITC.1 +## set-up of trusted channel +## +-w /usr/sbin/stunnel -p x + +## +## Security Databases +## + +## cron configuration & scheduled jobs +-w /etc/cron.allow -p wa -k CFG_cron.allow +-w /etc/cron.deny -p wa -k CFG_cron.deny +-w /etc/cron.d/ -p wa -k CFG_cron.d +-w /etc/cron.daily/ -p wa -k CFG_cron.daily +-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly +-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly +-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly +-w /etc/crontab -p wa -k CFG_crontab +-w /var/spool/cron/root -k CFG_crontab_root + +## user, group, password databases +-w /etc/group -p wa -k CFG_group +-w /etc/passwd -p wa -k CFG_passwd +-w /etc/gshadow -k CFG_gshadow +-w /etc/shadow -k CFG_shadow +-w /etc/security/opasswd -k CFG_opasswd + +## login configuration and information +-w /etc/login.defs -p wa -k CFG_login.defs +-w /etc/securetty -p wa -k CFG_securetty +-w /var/run/faillock/ -p wa -k LOG_faillock +-w /var/log/lastlog -p wa -k LOG_lastlog +-w /var/log/tallylog -p wa -k LOG_tallylog + +## network configuration +-w /etc/hosts -p wa -k CFG_hosts +-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network + +## system startup scripts +-w /etc/sysconfig/init -p wa -k CFG_init +-w /etc/init/ -p wa -k CFG_init +-w /etc/inittab -p wa -k CFG_inittab +-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts + +## library search paths +-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf + +## local time zone +-w /etc/localtime -p wa -k CFG_localtime + +## kernel parameters +-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf + +## modprobe 
configuration +-w /etc/modprobe.d/ -p wa -k CFG_modprobe + +## pam configuration +-w /etc/pam.d/ -p wa -k CFG_pam +-w /etc/security/access.conf -p wa -k CFG_pam +-w /etc/security/limits.conf -p wa -k CFG_pam +-w /etc/security/pam_env.conf -p wa -k CFG_pam +-w /etc/security/namespace.conf -p wa -k CFG_pam +-w /etc/security/namespace.d/ -p wa -k CFG_pam +-w /etc/security/namespace.init -p wa -k CFG_pam +-w /etc/security/sepermit.conf -p wa -k CFG_pam +-w /etc/security/time.conf -p wa -k CFG_pam + +## postfix configuration +-w /etc/aliases -p wa -k CFG_aliases +-w /etc/postfix/ -p wa -k CFG_postfix + +## screen configuration +-w /etc/screenrc -p wa -k CFG_screen + +## ssh configuration +-w /etc/ssh/sshd_config -k CFG_sshd_config + +## stunnel configuration +-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf +-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem + +## sudo configuration +-w /etc/sudoers -k CFG_sudoers +-w /etc/sudoers.d/ -k CFG_sudoers + +## Not specifically required by CAPP; but common sense items +-a always,exit -F arch=b32 -S sethostname -S setdomainname +-a always,exit -F arch=b64 -S sethostname -S setdomainname +-w /etc/issue -p wa -k CFG_issue +-w /etc/issue.net -p wa -k CFG_issue.net + +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k 
modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules new file mode 100644 index 00000000..e0919bd2 --- /dev/null +++ b/framework/src/audit/contrib/lspp.rules 
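Review bot: The FTP_ITC.1 watch `-w /usr/sbin/stunnel -p x` is the only watch in this file without a `-k` key, so the execve records it produces cannot be selected with `ausearch -k` the way every other CAPP-tagged event here can. Adding a key, e.g. `-w /usr/sbin/stunnel -p x -k EXE_stunnel` (key name constructed here), keeps it consistent with the CFG_/LOG_ tagging used for the rest of the file. The same untagged line appears in the lspp.rules hunk of this commit.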
@@ -0,0 +1,343 @@ +## +## This file contains a sample audit configuration. Combined with the +## system events that are audited by default, this set of rules causes +## audit to generate records for the auditable events specified by the +## Labeled Security Protection Profile (LSPP). +## +## It should be noted that this set of rules identifies directories by +## leaving a / at the end of the path. +## +## For audit 2.0.6 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## +## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 +## successful and unsuccessful attempts to read information from the +## audit records; all modifications to the audit trail +## +-w /var/log/audit/ -k LOG_audit + +## +## FAU_SEL.1, FMT_MTD.1 +## modifications to audit configuration that occur while the audit +## collection functions are operating; all modications to the set of +## audited events +## +-w /etc/audit/ -p wa -k CFG_audit +-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf +-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf +-w /etc/audisp/ -p wa -k CFG_audisp + +## +## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2 +## all requests to perform an operation on an object covered by the +## SFP; all modifications of the values of security attributes; +## modifications to TSF data; attempts to revoke security attributes; +## all attempts to export information; all attempts to import user +## data, including any security attributes + +## Objects covered by the Security Functional Policy (SFP) are: +## -File system objects (files, directories, special files, extended attributes) +## -IPC objects (SYSV shared memory, message queues, and semaphores) + +## Operations on file system objects - by default, only monitor +## files and directories covered by filesystem watches. 
+ +## Changes in ownership and permissions +#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown +#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown +## Enable *32 rules if you are running on i386 or s390 +## Do not use for x86_64, ia64, ppc, ppc64, or s390x +#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 + +## File content modification. Permissions are checked at open time, +## monitoring individual read/write calls is not useful. +#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +## Enable *64 rules if you are running on i386, ppc, ppc64, s390 +## Do not use for x86_64, ia64, or s390x +#-a always,exit -F arch=b32 -S truncate64,ftruncate64 + +## directory operations +#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir +#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir + +## moving, removing, and linking +#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat +#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat + +## Extended attribute operations +## Enable if you are interested in these events +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + +## special files +-a always,exit -F arch=b32 -S mknod,mknodat +-a always,exit -F arch=b64 -S mknod,mknodat + +## Other file system operations +## Enable if i386 +-a always,exit -F arch=b32 -S mount,umount,umount2 +## Enable if ppc, s390, or s390x +#-a always,exit -F arch=b32 -S mount,umount,umount2 +#-a always,exit -F arch=b64 -S mount,umount,umount2 +## Enable if 
ia64 +#-a always,exit -F arch=b64 -S mount,umount +## Enable if x86_64 +#-a always,exit -F arch=b64 -S mount,umount2 +#-a always,exit -F arch=b32 -S mount,umount,umount2 + +## IPC SYSV message queues +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## msgctl +#-a always,exit -S ipc -F a0=14 +## msgget +#-a always,exit -S ipc -F a0=13 +## Enable if you are interested in these events (x86_64,ia64) +#-a always,exit -S msgctl +#-a always,exit -S msgget + +## IPC SYSV semaphores +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## semctl +#-a always,exit -S ipc -F a0=0x3 +## semget +#-a always,exit -S ipc -F a0=0x2 +## semop +#-a always,exit -S ipc -F a0=0x1 +## semtimedop +#-a always,exit -S ipc -F a0=0x4 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S semctl +#-a always,exit -S semget +#-a always,exit -S semop +#-a always,exit -S semtimedop + +## IPC SYSV shared memory +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## shmctl +#-a always,exit -S ipc -F a0=24 +## shmget +#-a always,exit -S ipc -F a0=23 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S shmctl +#-a always,exit -S shmget + +## +## FIA_USB.1 +## success and failure of binding user security attributes to a subject +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S clone +#-a always,exit -F arch=b64 -S clone +#-a always,exit -F arch=b32 -S fork,vfork +#-a always,exit -F arch=b64 -S fork,vfork +## For ia64 architecture, disable fork and vfork rules above, and +## enable the following: +#-a always,exit -S clone2 + +## +## FDP_ETC.2 +## Export of Labeled User Data +## +## Printing +-w /etc/cups/ -p wa -k CFG_cups +-w /etc/init.d/cups -p wa -k CFG_initd_cups + +## +## FDP_ETC.2, FDP_ITC.2 +## Export/Import of Labeled User Data +## +## Networking +-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules +-w /etc/ipsec.conf -p wa 
-k CFG_ipsec.conf +-w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf +-w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets + +## +## FDP_IFC.1 +## Mandatory Access Control Policy +## +-w /etc/selinux/config -p wa -k CFG_selinux_config +-w /etc/selinux/mls/ -p wa -k CFG_MAC_policy +-w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy +-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy + +## +## FMT_MSA.3 +## modifications of the default setting of permissive or restrictive +## rules, all modifications of the initial value of security attributes +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S umask +#-a always,exit -F arch=b64 -S umask + +## +## FPT_STM.1 +## changes to the time +## +-a always,exit -F arch=b32 -S stime,adjtimex,settimeofday +-a always,exit -F arch=b64 -S adjtimex,settimeofday +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change + +## +## FTP_ITC.1 +## set-up of trusted channel +## +-w /usr/sbin/stunnel -p x + +## +## FPT_TST.1 Self Test +## aide is used to verify integrity of data and executables +## +-w /etc/aide.conf -p wa -k CFG_aide.conf +-w /var/lib/aide/aide.db.gz -k CFG_aide.db +-w /var/lib/aide/aide.db.new.gz -k CFG_aide.db +-w /var/log/aide/ -p wa -k CFG_aide.log + +## +## Security Databases +## + +## cron configuration & scheduled jobs +-w /etc/cron.allow -p wa -k CFG_cron.allow +-w /etc/cron.deny -p wa -k CFG_cron.deny +-w /etc/cron.d/ -p wa -k CFG_cron.d +-w /etc/cron.daily/ -p wa -k CFG_cron.daily +-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly +-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly +-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly +-w /etc/crontab -p wa -k CFG_crontab +-w /var/spool/cron/root -k CFG_crontab_root + +## user, group, password 
databases +-w /etc/group -p wa -k CFG_group +-w /etc/passwd -p wa -k CFG_passwd +-w /etc/gshadow -k CFG_gshadow +-w /etc/shadow -k CFG_shadow +-w /etc/security/opasswd -k CFG_opasswd + +## login configuration and information +-w /etc/login.defs -p wa -k CFG_login.defs +-w /etc/securetty -p wa -k CFG_securetty +-w /var/run/faillock/ -p wa -k LOG_faillock +-w /var/log/lastlog -p wa -k LOG_lastlog +-w /var/log/tallylog -p wa -k LOG_tallylog + +## network configuration +-w /etc/hosts -p wa -k CFG_hosts +-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network + +## system startup scripts +-w /etc/sysconfig/init -p wa -k CFG_init +-w /etc/init/ -p wa -k CFG_init +-w /etc/inittab -p wa -k CFG_inittab +-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts + +## library search paths +-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf + +## local time zone +-w /etc/localtime -p wa -k CFG_localtime + +## kernel parameters +-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf + +## modprobe configuration +-w /etc/modprobe.d/ -p wa -k CFG_modprobe + +## pam configuration +-w /etc/pam.d/ -p wa -k CFG_pam +-w /etc/security/access.conf -p wa -k CFG_pam +-w /etc/security/limits.conf -p wa -k CFG_pam +-w /etc/security/pam_env.conf -p wa -k CFG_pam +-w /etc/security/namespace.conf -p wa -k CFG_pam +-w /etc/security/namespace.d/ -p wa -k CFG_pam +-w /etc/security/namespace.init -p wa -k CFG_pam +-w /etc/security/sepermit.conf -p wa -k CFG_pam +-w /etc/security/time.conf -p wa -k CFG_pam + +## postfix configuration +-w /etc/aliases -p wa -k CFG_aliases +-w /etc/postfix/ -p wa -k CFG_postfix + +## screen configuration +-w /etc/screenrc -p wa -k CFG_screen + +## ssh configuration +-w /etc/ssh/sshd_config -k CFG_sshd_config + +## stunnel configuration +-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf +-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem + +## sudo configuration +-w /etc/sudoers -k CFG_sudoers +-w /etc/sudoers.d/ -k CFG_sudoers + +## xinetd configuration +-w /etc/xinetd.d/ -k CFG_xinetd.d +-w 
/etc/xinetd.conf -k CFG_xinetd.conf + +## Not specifically required by LSPP; but common sense items +-a always,exit -F arch=b32 -S sethostname,setdomainname +-a always,exit -F arch=b64 -S sethostname,setdomainname +-w /etc/issue -p wa -k CFG_issue +-w /etc/issue.net -p wa -k CFG_issue.net + +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after 
this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules new file mode 100644 index 00000000..6bcca086 --- /dev/null +++ b/framework/src/audit/contrib/nispom.rules 
@@ -0,0 +1,148 @@
+##
+## This file contains the a sample audit configuration intended to
+## meet the NISPOM Chapter 8 rules.
+##
+## This file should be saved as /etc/audit/audit.rules.
+##
+## For audit 1.6.5 and higher
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
+## Audit 1, 1(a) Enough information to determine the date and time of
+## action (e.g., common network time), the system locale of the action,
+## the system entity that initiated or completed the action, the resources
+## involved, and the action involved.
+
+## Things that could affect time
+-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+-w /etc/localtime -p wa -k time-change
+
+## Things that could affect system locale
+-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
+
+## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
+## This is covered by patches to login, gdm, and openssh
+## Might also want to watch these files if needing extra information
+#-w /var/log/tallylog -p wa -k logins
+#-w /var/run/faillock/ -p wa -k logins
+#-w /var/log/lastlog -p wa -k logins
+#-w /var/log/btmp -p wa -k logins
+#-w /var/run/utmp -p wa -k logins
+
+## Audit 1, 1(c) Successful and unsuccessful accesses to
+## security-relevant objects and directories, including
+## creation, open, close, modification, and deletion.
+
+## unsuccessful creation
+-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
+-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation
+
+## unsuccessful open
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
+
+## unsuccessful close
+-a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close
+-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
+
+## unsuccessful modifications
+-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
+-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
+-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
+-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
+
+## unsuccessful deletion
+-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
+-a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete
+
+## Audit 1, 1(d) Changes in user authenticators.
+## Covered by patches to libpam, passwd, and shadow-utils
+## Might also want to watch these files for changes
+-w /etc/group -p wa -k auth
+-w /etc/passwd -p wa -k auth
+-w /etc/gshadow -p wa -k auth
+-w /etc/shadow -p wa -k auth
+-w /etc/security/opasswd -p wa -k auth
+
+## Audit 1, 1(e) The blocking or blacklisting of a user ID,
+## terminal, or access port and the reason for the action.
+## Covered by patches to pam_tally2 or pam_faillock and pam_limits
+
+## Audit 1, 1(f) Denial of access resulting from an excessive
+## number of unsuccessful logon attempts.
+## Covered by patches to pam_tally2 or pam_faillock
+
+## Audit 1, 2 Audit Trail Protection. The contents of audit trails
+## shall be protected against unauthorized access, modification,
+## or deletion.
+## This should be covered by file permissions, but we can watch it
+## to see any activity
+-w /var/log/audit/ -k audit-logs
+
+## Not specifically required by NISPOM; but common sense items
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable
+#-e 2
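Review bot: The b32 EPERM rule under "unsuccessful deletion" reads `-S unlink,rmdirunlinkat`, which fuses two syscall names into one; auditctl will reject `rmdirunlinkat` as an unknown syscall, so that rule never loads and EPERM-denied rmdir/unlinkat calls on the 32-bit ABI go unrecorded. The line should match its EACCES twin two lines above: `-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EPERM -F key=delete`. Depending on how the file is loaded, the remaining rules may still be installed and the error only reported on stderr, so the gap is easy to miss in a deployed policy.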
diff --git a/framework/src/audit/contrib/plugin/Makefile b/framework/src/audit/contrib/plugin/Makefile
new file mode 100644
index 00000000..4256c4d1
--- /dev/null
+++ b/framework/src/audit/contrib/plugin/Makefile
@@ -0,0 +1,7 @@
+CFLAGS=-g -W -Wall -Wundef
+LIBS= -lauparse -laudit
+all:
+ gcc $(CFLAGS) audisp-example.c -o audisp-example $(LIBS)
+
+clean:
+ rm -f audisp-example *.o
diff --git a/framework/src/audit/contrib/plugin/audisp-example.c b/framework/src/audit/contrib/plugin/audisp-example.c
new file mode 100644
index 00000000..6fcca1a1
--- /dev/null
+++ b/framework/src/audit/contrib/plugin/audisp-example.c
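Review bot: `all` and `clean` are not declared `.PHONY`, so a file named `all` or `clean` in the plugin directory would turn either target into a no-op, and the compiler is hard-coded as `gcc` rather than `$(CC)`, which ignores the toolchain selected through the environment. `.PHONY: all clean` at the top of the file and `$(CC) $(CFLAGS) audisp-example.c -o audisp-example $(LIBS)` for the build line keep the recipe otherwise unchanged.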
@@ -0,0 +1,229 @@
+/* audisp-example.c --
+ * Copyright 2012 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ *
+ * This is a sample program to demonstrate several concepts of how to
+ * write an audispd plugin using libauparse. It can be tested by using a
+ * file of raw audit records. You can generate the test file like:
+ *
+ * ausearch --start today --raw > test.log.
+ *
+ * Then you can test this app by: cat test.log | ./audisp-example
+ *
+ * It will print things to stdout. In a real program, you wouldn't
+ * do anything with stdout since that is likely to be pointing to /dev/null.
+ *
+ * Excluding some init/destroy items you might need to add to main, the
+ * event_handler function is the main place that you would modify to do
+ * things specific to your plugin.
+ *
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <signal.h>
+#include <string.h>
+#include <sys/select.h>
+#include <errno.h>
+#include "libaudit.h"
+#include "auparse.h"
+
+/* Global Data */
+static volatile int stop = 0;
+static volatile int hup = 0;
+static auparse_state_t *au = NULL;
+
+/* Local declarations */
+static void handle_event(auparse_state_t *au,
+ auparse_cb_event_t cb_event_type, void *user_data);
+
+/*
+ * SIGTERM handler
+ */
+static void term_handler( int sig )
+{
+ stop = 1;
+}
+
+/*
+ * SIGHUP handler: re-read config
+ */
+static void hup_handler( int sig )
+{
+ hup = 1;
+}
+
+static void reload_config(void)
+{
+ hup = 0;
+}
+
+int main(int argc, char *argv[])
+{
+ char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];
+ struct sigaction sa;
+
+ /* Register sighandlers */
+ sa.sa_flags = 0;
+ sigemptyset(&sa.sa_mask);
+ /* Set handler for the ones we care about */
+ sa.sa_handler = term_handler;
+ sigaction(SIGTERM, &sa, NULL);
+ sa.sa_handler = hup_handler;
+ sigaction(SIGHUP, &sa, NULL);
+
+ /* Initialize the auparse library */
+ au = auparse_init(AUSOURCE_FEED, 0);
+ if (au == NULL) {
+ printf("audisp-example is exiting due to auparse init errors");
+ return -1;
+ }
+ auparse_add_callback(au, handle_event, NULL, NULL);
+ do {
+ fd_set read_mask;
+ struct timeval tv;
+ int retval;
+
+ /* Load configuration */
+ if (hup) {
+ reload_config();
+ }
+ do {
+ tv.tv_sec = 5;
+ tv.tv_usec = 0;
+ FD_ZERO(&read_mask);
+ FD_SET(0, &read_mask);
+ if (auparse_feed_has_data(au))
+ retval= select(1, &read_mask, NULL, NULL, &tv);
+ else
+ retval= select(1, &read_mask, NULL, NULL, NULL);
+ } while (retval == -1 && errno == EINTR && !hup && !stop);
+
+ /* Now the event loop */
+ if (!stop && !hup && retval > 0) {
+ if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH,
+ stdin)) {
+ auparse_feed(au, tmp, strnlen(tmp,
+ MAX_AUDIT_MESSAGE_LENGTH));
+ }
+ } else if (retval == 0)
+ auparse_flush_feed(au);
+ if (feof(stdin))
+ break;
+ } while (stop == 0);
+
+ /* Flush any
 accumulated events from queue */
+ auparse_flush_feed(au);
+ auparse_destroy(au);
+ if (stop)
+ printf("audisp-example is exiting on stop request\n");
+ else
+ printf("audisp-example is exiting on stdin EOF\n");
+
+ return 0;
+}
+
+/* This function shows how to dump a whole event by iterating over records */
+static void dump_whole_event(auparse_state_t *au)
+{
+ auparse_first_record(au);
+ do {
+ printf("%s\n", auparse_get_record_text(au));
+ } while (auparse_next_record(au) > 0);
+ printf("\n");
+}
+
+/* This function shows how to dump a whole record's text */
+static void dump_whole_record(auparse_state_t *au)
+{
+ printf("%s: %s\n", audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_record_text(au));
+ printf("\n");
+}
+
+/* This function shows how to iterate through the fields of a record
+ * and print its name and raw value and interpretted value. */
+static void dump_fields_of_record(auparse_state_t *au)
+{
+ printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+
+ printf("line=%d file=%s\n", auparse_get_line_number(au),
+ auparse_get_filename(au) ? auparse_get_filename(au) : "stdin");
+
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ printf("Error getting timestamp - aborting\n");
+ return;
+ }
+ /* Note that e->sec can be treated as time_t data if you want
+ * something a little more readable */
+ printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec,
+ e->milli, e->serial, e->host ? e->host : "?");
+ auparse_first_field(au);
+
+ do {
+ printf("field: %s=%s (%s)\n",
+ auparse_get_field_name(au),
+ auparse_get_field_str(au),
+ auparse_interpret_field(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+}
+
+/* This function receives a single complete event at a time from the auparse
+ * library. This is where the main analysis code would be added.
 */
+static void handle_event(auparse_state_t *au,
+ auparse_cb_event_t cb_event_type, void *user_data)
+{
+ int type, num=0;
+
+ if (cb_event_type != AUPARSE_CB_EVENT_READY)
+ return;
+
+ /* Loop through the records in the event looking for one to process.
+ We use physical record number because we may search around and
+ move the cursor accidentally skipping a record. */
+ while (auparse_goto_record_num(au, num) > 0) {
+ type = auparse_get_type(au);
+ /* Now we can branch based on what record type we find.
+ This is just a few suggestions, but it could be anything. */
+ switch (type) {
+ case AUDIT_AVC:
+ dump_fields_of_record(au);
+ break;
+ case AUDIT_SYSCALL:
+ dump_whole_record(au);
+ break;
+ case AUDIT_USER_LOGIN:
+ break;
+ case AUDIT_ANOM_ABEND:
+ break;
+ case AUDIT_MAC_STATUS:
+ dump_whole_event(au);
+ break;
+ default:
+ break;
+ }
+ num++;
+ }
+}
+
diff --git a/framework/src/audit/contrib/plugin/audisp-example.conf b/framework/src/audit/contrib/plugin/audisp-example.conf
new file mode 100644
index 00000000..e8a7b81e
--- /dev/null
+++ b/framework/src/audit/contrib/plugin/audisp-example.conf
@@ -0,0 +1,10 @@
+# This file controls the configuration of the
+# example syslog plugin. It simply takes events and writes
+# them to syslog.
+
+active = no
+direction = out
+path = /sbin/audisp-example
+type = always
+args = 1
+format = string
diff --git a/framework/src/audit/contrib/skeleton.c b/framework/src/audit/contrib/skeleton.c
new file mode 100644
index 00000000..7e041042
--- /dev/null
+++ b/framework/src/audit/contrib/skeleton.c
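Review bot: In main's select loop a select() failure with errno other than EINTR is never acted on: the inner do/while exits with retval == -1, neither of the two branches that follow matches, feof(stdin) is false, and the outer loop calls select() again at once, so a persistent error such as a closed stdin descriptor becomes a busy spin. Add `if (retval == -1 && errno != EINTR) break;` just before the `/* Now the event loop */` comment, or report it with perror() and exit. Separately, `term_handler` and `hup_handler` never use `sig`, which the Makefile's `-W` will flag; `(void)sig;` in each silences it. The init-failure printf also lacks a trailing newline, unlike the two exit messages.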
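Review bot: The header comment describes an "example syslog plugin" that writes events to syslog, but audisp-example.c in this same commit prints to stdout and says so in its own header, so the comment appears to have been carried over from another plugin's config. Suggest `# This file controls the configuration of the example plugin (audisp-example.c). It prints events to stdout.` so readers are not sent looking for syslog output. `active = no` is the right default for a sample that only prints.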
@@ -0,0 +1,140 @@
+/* skeleton.c --
+ *
+ * This is a sample program that you can customize to create your own audit
+ * event handler. It will be started by auditd via the dispatcher option in
+ * /etc/audit/auditd.conf. This program can be built as follows:
+ *
+ * gcc skeleton.c -o skeleton -laudit
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <locale.h>
+#include "libaudit.h"
+
+
+// Local data
+static volatile int signaled = 0;
+static int pipe_fd;
+static const char *pgm = "skeleton";
+
+// Local functions
+static int event_loop(void);
+
+// SIGTERM handler
+static void term_handler( int sig )
+{
+ signaled = 1;
+}
+
+
+/*
+ * main is started by auditd. See dispatcher in auditd.conf
+ */
+int main(int argc, char *argv[])
+{
+ struct sigaction sa;
+
+ setlocale (LC_ALL, "");
+ openlog(pgm, LOG_PID, LOG_DAEMON);
+ syslog(LOG_NOTICE, "starting...");
+
+#ifndef DEBUG
+ // Make sure we are root
+ if (getuid() != 0) {
+ syslog(LOG_ERR, "You must be root to run this program.");
+ return 4;
+ }
+#endif
+
+ // register sighandlers
+ sa.sa_flags = 0 ;
+ sa.sa_handler = term_handler;
+ sigemptyset( &sa.sa_mask ) ;
+ sigaction( SIGTERM, &sa, NULL );
+ sa.sa_handler = term_handler;
+ sigemptyset( &sa.sa_mask ) ;
+ sigaction( SIGCHLD, &sa, NULL );
+ sa.sa_handler = SIG_IGN;
+ sigaction( SIGHUP, &sa, NULL );
+ (void)chdir("/");
+
+ // change over to pipe_fd
+ pipe_fd = dup(0);
+ close(0);
+ open("/dev/null", O_RDONLY);
+ fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);
+
+ // Start the program
+ return event_loop();
+}
+
+static int event_loop(void)
+{
+ void *data;
+ struct iovec vec[2];
+ struct audit_dispatcher_header hdr;
+
+ // allocate data structures
+ data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
+ if (data == NULL) {
+ syslog(LOG_ERR, "Cannot allocate buffer");
+ return 1;
+ }
+ memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
+
 memset(&hdr, 0, sizeof(hdr));
+
+ do {
+ int rc;
+ struct timeval tv;
+ fd_set fd;
+
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ FD_ZERO(&fd);
+ FD_SET(pipe_fd, &fd);
+ rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
+ if (rc == 0)
+ continue;
+ else if (rc == -1)
+ break;
+
+ /* Get header first. it is fixed size */
+ vec[0].iov_base = (void*)&hdr;
+ vec[0].iov_len = sizeof(hdr);
+ do {
+ rc = readv(fd, &vec[0], 1);
+ } while (rc < 0 && errno == EINTR);
+
+ if (rc > 0) {
+ // Next payload
+ vec[1].iov_base = data;
+ vec[1].iov_len = hdr.size;
+ do {
+ rc = readv(fd, &vec[1], 1);
+ } while (rc < 0 && errno == EINTR);
+ }
+ if (rc <= 0) {
+ syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
+ continue;
+ }
+
+ // Handle events here. Just for illustration, we print
+ // to syslog, but you will want to do something else.
+ syslog(LOG_NOTICE,"type=%d, payload size=%d",
+ hdr.type, hdr.size);
+ syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,
+ (char *)data);
+
+ } while(!signaled);
+
+ return 0;
+}
+
diff --git a/framework/src/audit/contrib/stig.rules b/framework/src/audit/contrib/stig.rules
new file mode 100644
index 00000000..5a51d7f0
--- /dev/null
+++ b/framework/src/audit/contrib/stig.rules
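Review bot: Both readv() calls in event_loop pass `fd`, which is the `fd_set` declared at the top of the loop body, not a descriptor; the pipe descriptor is `pipe_fd`, the value select() is already given. `vec[1].iov_len = hdr.size` then uses the length announced in the header as the read size while `data` is only MAX_AUDIT_MESSAGE_LENGTH bytes, so a bound check belongs between the header read and the payload read — the header comes from auditd over the dispatcher pipe, but a sample others copy should not rely on that. readv() on a pipe may also return fewer bytes than requested, and any positive rc is treated as a complete header or payload here; that deserves at least a comment if not a read loop. openlog/syslog/LOG_* are used but `<syslog.h>` is not in the include list; if libaudit.h does not pull it in, add it.
```c
		/* Get header first. it is fixed size */
		vec[0].iov_base = (void*)&hdr;
		vec[0].iov_len = sizeof(hdr);
		do {
			rc = readv(pipe_fd, &vec[0], 1);
		} while (rc < 0 && errno == EINTR);

		/* The announced payload length must fit the buffer we own */
		if (rc > 0 && hdr.size > MAX_AUDIT_MESSAGE_LENGTH) {
			syslog(LOG_ERR, "payload size %d exceeds buffer, giving up",
				hdr.size);
			break;
		}

		if (rc > 0) {
			// Next payload
			vec[1].iov_base = data;
			vec[1].iov_len = hdr.size;
			do {
				rc = readv(pipe_fd, &vec[1], 1);
			} while (rc < 0 && errno == EINTR);
		}
		/* … unchanged: rc <= 0 check and syslog of the event … */
```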
@@ -0,0 +1,193 @@
+## This file contains the auditctl rules that are loaded
+## whenever the audit daemon is started via the initscripts.
+## The rules are simply the parameters that would be passed
+## to auditctl.
+##
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
+## NOTE:
+## 1) if this is being used on a 32 bit machine, comment out the b64 lines
+## 2) These rules assume that login under the root account is not allowed.
+## 3) It is also assumed that 500 represents the first usable user account. To
+## be sure, look at UID_MIN in /etc/login.defs.
+## 4) If these rules generate too much spurious data for your tastes, limit the
+## the syscall file rules with a directory, like -F dir=/etc
+## 5) You can search for the results on the key fields in the rules
+##
+##
+## (GEN002880: CAT II) The IAO will ensure the auditing software can
+## record the following for each audit event:
+##- Date and time of the event
+##- Userid that initiated the event
+##- Type of event
+##- Success or failure of the event
+##- For I&A events, the origin of the request (e.g., terminal ID)
+##- For events that introduce an object into a user’s address space, and
+## for object deletion events, the name of the object, and in MLS
+## systems, the object’s security level.
+##
+## Things that could affect time
+-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+-w /etc/localtime -p wa -k time-change
+
+## Things that affect identity
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+## Things that could affect system locale
+-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
+
+## Things that could affect MAC policy
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
+
+
+## (GEN002900: CAT III) The IAO will ensure audit files are retained at
+## least one year; systems containing SAMI will be retained for five years.
+##
+## Site action - no action in config files
+
+## (GEN002920: CAT III) The IAO will ensure audit files are backed up
+## no less than weekly onto a different system than the system being
+## audited or backup media.
+##
+## Can be done with cron script
+
+## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
+## files have permissions of 640, or more restrictive.
+##
+## Done automatically by auditd
+
+## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
+## configure the auditing system to audit the following events for all
+## users and root:
+##
+## - Logon (unsuccessful and successful) and logout (successful)
+##
+## Handled by pam, sshd, login, and gdm
+## Might also want to watch these files if needing extra information
+#-w /var/log/tallylog -p wa -k logins
+#-w /var/run/faillock/ -p wa -k logins
+#-w /var/log/lastlog -p wa -k logins
+
+
+##- Process and session initiation (unsuccessful and successful)
+##
+## The session initiation is audited by pam without any rules needed.
+## Might also want to watch this file if needing extra information
+#-w /var/run/utmp -p wa -k session
+#-w /var/log/btmp -p wa -k session
+#-w /var/log/wtmp -p wa -k session
+
+##- Discretionary access control permission modification (unsuccessful
+## and successful use of chown/chmod)
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+
+##- Unauthorized access attempts to files (unsuccessful)
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F
key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
+
+##- Use of privileged commands (unsuccessful and successful)
+## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
+-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
+
+##- Use of print command (unsuccessful and successful)
+
+##- Export to media (successful)
+## You have to mount media before using it. You must disable all automounting
+## so that its done manually in order to get the correct user requesting the
+## export
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
+
+##- System startup and shutdown (unsuccessful and successful)
+
+##- Files and programs deleted by the user (successful and unsuccessful)
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
+
+##- All system administration actions
+##- All security personnel actions
+##
+## Look for pam_tty_audit and add it to your login entry point's pam configs.
+## If that is not found, use sudo which should be patched to record its
+## commands to the audit system. Do not allow unrestricted root shells or
+## sudo cannot record the action.
+-w /etc/sudoers -p wa -k actions
+-w /etc/sudoers.d/ -p wa -k actions
+
+## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
+##ensure old audit logs are closed and new audit logs are started daily.
+##
+## Site action.
Can be assisted by a cron job
+
+## Not specifically required by the STIG; but common sense items
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable - reboot is required to change audit rules
+-e 2
+ |
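Review bot: The `auid>=500` threshold is hard-coded into every perm_mod, access, privileged, export and delete rule, while the file's own NOTE 3 says the value must be checked against UID_MIN in /etc/login.defs and nispom.rules in this same commit uses `auid>=1000`; on a system whose UID_MIN is 1000 the 500 cut-off pulls service accounts 500–999 into those keys and adds noise without adding coverage. Either switch to `auid>=1000` to match nispom.rules or state in NOTE 3 that the number must be edited before the file is loaded. Unrelated but adjacent: the container-create mask is `a0&0x7C020000` here and `a0&0x2080505856` in nispom.rules; 0x7C020000 is decimal 2080505856, so the nispom form appears to be the decimal value with a stray hex prefix and would match a different bit pattern. Worth saying in the header that this file, unlike nispom.rules, has `-e 2` live together with `-f 2`, so a rule mistake costs a reboot and a lost-event condition panics the host.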