path: root/framework/src/audit/contrib/capp.rules
Diffstat (limited to 'framework/src/audit/contrib/capp.rules')
-rw-r--r--framework/src/audit/contrib/capp.rules302
1 files changed, 302 insertions, 0 deletions
diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules
new file mode 100644
index 00000000..5e38274f
--- /dev/null
+++ b/framework/src/audit/contrib/capp.rules
@@ -0,0 +1,302 @@
+##
+## This file contains a sample audit configuration. Combined with the
+## system events that are audited by default, this set of rules causes
+## audit to generate records for the auditable events specified by the
+## Controlled Access Protection Profile (CAPP).
+##
+## It should be noted that this set of rules identifies directories by
+## leaving a / at the end of the path.
+##
+## For audit 2.0.6 and higher
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+##
+## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
+## successful and unsuccessful attempts to read information from the
+## audit records; all modifications to the audit trail
+##
+-w /var/log/audit/ -k LOG_audit
+
+##
+## FAU_SEL.1, FMT_MTD.1
+## modifications to audit configuration that occur while the audit
+## collection functions are operating; all modications to the set of
+## audited events
+##
+-w /etc/audit/ -p wa -k CFG_audit
+-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
+-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
+-w /etc/audisp/ -p wa -k CFG_audisp
+
+##
+## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
+## all requests to perform an operation on an object covered by the
+## SFP; all modifications of the values of security attributes;
+## modifications to TSF data; attempts to revoke security attributes
+##
+
+## Objects covered by the Security Functional Policy (SFP) are:
+## -File system objects (files, directories, special files, extended attributes)
+## -IPC objects (SYSV shared memory, message queues, and semaphores)
+
+## Operations on file system objects - by default, only monitor
+## files and directories covered by filesystem watches.
+
+## Changes in ownership and permissions
+#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
+#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
+#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
+#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
+## Enable *32 rules if you are running on i386 or s390
+## Do not use for x86_64, ia64, ppc, ppc64, or s390x
+#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
+
+## File content modification. Permissions are checked at open time,
+## monitoring individual read/write calls is not useful.
+#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+## Enable *64 rules if you are running on i386, ppc, ppc64, s390
+## Do not use for x86_64, ia64, or s390x
+#-a always,exit -F arch=b32 -S truncate64,ftruncate64
+
+## directory operations
+#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
+#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
+
+## moving, removing, and linking
+#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
+#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
+
+## Extended attribute operations
+## Enable if you are interested in these events
+#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+
+## special files
+-a always,exit -F arch=b32 -S mknod,mknodat
+-a always,exit -F arch=b64 -S mknod,mknodat
+
+## Other file system operations
+## Enable if i386
+-a always,exit -F arch=b32 -S mount,umount,umount2
+## Enable if ppc, s390, or s390x
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+#-a always,exit -F arch=b64 -S mount,umount,umount2
+## Enable if ia64
+#-a always,exit -F arch=b64 -S mount,umount
+## Enable if x86_64
+#-a always,exit -F arch=b64 -S mount,umount2
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+
+## IPC SYSV message queues
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## msgctl
+#-a always,exit -S ipc -F a0=14
+## msgget
+#-a always,exit -S ipc -F a0=13
+## Enable if you are interested in these events (x86_64,ia64)
+#-a always,exit -S msgctl
+#-a always,exit -S msgget
+
+## IPC SYSV semaphores
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## semctl
+#-a always,exit -S ipc -F a0=3
+## semget
+#-a always,exit -S ipc -F a0=2
+## semop
+#-a always,exit -S ipc -F a0=1
+## semtimedop
+#-a always,exit -S ipc -F a0=4
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S semctl
+#-a always,exit -S semget
+#-a always,exit -S semop
+#-a always,exit -S semtimedop
+
+## IPC SYSV shared memory
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## shmctl
+#-a always,exit -S ipc -F a0=24
+## shmget
+#-a always,exit -S ipc -F a0=23
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S shmctl
+#-a always,exit -S shmget
+
+##
+## FIA_USB.1
+## success and failure of binding user security attributes to a subject
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S clone
+#-a always,exit -F arch=b64 -S clone
+#-a always,exit -F arch=b32 -S fork,vfork
+#-a always,exit -F arch=b64 -S fork,vfork
+## For ia64 architecture, disable fork and vfork rules above, and
+## enable the following:
+#-a always,exit -S clone2
+
+##
+## FMT_MSA.3
+## modifications of the default setting of permissive or restrictive
+## rules, all modifications of the initial value of security attributes
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S umask
+#-a always,exit -F arch=b64 -S umask
+
+##
+## FPT_STM.1
+## changes to the time
+##
+-a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime
+-a always,exit -F arch=b64 -S adjtimex,settimeofday
+-a always,exit -F arch=b32 -S clock_settime -F a0=0
+-a always,exit -F arch=b64 -S clock_settime -F a0=0
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+
+##
+## FTP_ITC.1
+## set-up of trusted channel
+##
+-w /usr/sbin/stunnel -p x
+
+##
+## Security Databases
+##
+
+## cron configuration & scheduled jobs
+-w /etc/cron.allow -p wa -k CFG_cron.allow
+-w /etc/cron.deny -p wa -k CFG_cron.deny
+-w /etc/cron.d/ -p wa -k CFG_cron.d
+-w /etc/cron.daily/ -p wa -k CFG_cron.daily
+-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
+-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
+-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
+-w /etc/crontab -p wa -k CFG_crontab
+-w /var/spool/cron/root -k CFG_crontab_root
+
+## user, group, password databases
+-w /etc/group -p wa -k CFG_group
+-w /etc/passwd -p wa -k CFG_passwd
+-w /etc/gshadow -k CFG_gshadow
+-w /etc/shadow -k CFG_shadow
+-w /etc/security/opasswd -k CFG_opasswd
+
+## login configuration and information
+-w /etc/login.defs -p wa -k CFG_login.defs
+-w /etc/securetty -p wa -k CFG_securetty
+-w /var/run/faillock/ -p wa -k LOG_faillock
+-w /var/log/lastlog -p wa -k LOG_lastlog
+-w /var/log/tallylog -p wa -k LOG_tallylog
+
+## network configuration
+-w /etc/hosts -p wa -k CFG_hosts
+-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
+
+## system startup scripts
+-w /etc/sysconfig/init -p wa -k CFG_init
+-w /etc/init/ -p wa -k CFG_init
+-w /etc/inittab -p wa -k CFG_inittab
+-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
+
+## library search paths
+-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
+
+## local time zone
+-w /etc/localtime -p wa -k CFG_localtime
+
+## kernel parameters
+-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
+
+## modprobe configuration
+-w /etc/modprobe.d/ -p wa -k CFG_modprobe
+
+## pam configuration
+-w /etc/pam.d/ -p wa -k CFG_pam
+-w /etc/security/access.conf -p wa -k CFG_pam
+-w /etc/security/limits.conf -p wa -k CFG_pam
+-w /etc/security/pam_env.conf -p wa -k CFG_pam
+-w /etc/security/namespace.conf -p wa -k CFG_pam
+-w /etc/security/namespace.d/ -p wa -k CFG_pam
+-w /etc/security/namespace.init -p wa -k CFG_pam
+-w /etc/security/sepermit.conf -p wa -k CFG_pam
+-w /etc/security/time.conf -p wa -k CFG_pam
+
+## postfix configuration
+-w /etc/aliases -p wa -k CFG_aliases
+-w /etc/postfix/ -p wa -k CFG_postfix
+
+## screen configuration
+-w /etc/screenrc -p wa -k CFG_screen
+
+## ssh configuration
+-w /etc/ssh/sshd_config -k CFG_sshd_config
+
+## stunnel configuration
+-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
+-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
+
+## sudo configuration
+-w /etc/sudoers -k CFG_sudoers
+-w /etc/sudoers.d/ -k CFG_sudoers
+
+## Not specifically required by CAPP; but common sense items
+-a always,exit -F arch=b32 -S sethostname -S setdomainname
+-a always,exit -F arch=b64 -S sethostname -S setdomainname
+-w /etc/issue -p wa -k CFG_issue
+-w /etc/issue.net -p wa -k CFG_issue.net
+
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable
+#-e 2
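Review bot: The only mount rule that loads by default is the `arch=b32` one under "Enable if i386" (line 108), while every `arch=b64` mount variant (lines 111, 113, 115) stays commented out; since a b32 rule also loads on an x86_64 host, a 64-bit system ends up auditing mount/umount only through the 32-bit syscall ABI and the native calls go unrecorded. Either enable `-a always,exit -F arch=b64 -S mount,umount2` next to it or change the comment to state that exactly one of the per-architecture blocks must be uncommented and the others left disabled. The header says "For audit 2.0.6 and higher", but some of the commented optional rules (`finit_module` at lines 297–298, `-C auid!=obj_uid` at line 303) appear to need a newer auditctl/kernel than that, which is worth noting beside them so an operator enabling them on an older system is not surprised by a load failure. Several watches such as `-w /etc/sudoers -k CFG_sudoers` and `-w /etc/ssh/sshd_config -k CFG_sshd_config` omit `-p`, so they record every read as well as writes; if that volume is intended, a one-line comment saying so would keep it from being "fixed" later.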