diff options
Diffstat (limited to 'framework/src/audit/contrib/capp.rules')
-rw-r--r-- | framework/src/audit/contrib/capp.rules | 302 |
1 files changed, 302 insertions, 0 deletions
diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules new file mode 100644 index 00000000..5e38274f --- /dev/null +++ b/framework/src/audit/contrib/capp.rules @@ -0,0 +1,302 @@ +## +## This file contains a sample audit configuration. Combined with the +## system events that are audited by default, this set of rules causes +## audit to generate records for the auditable events specified by the +## Controlled Access Protection Profile (CAPP). +## +## It should be noted that this set of rules identifies directories by +## leaving a / at the end of the path. +## +## For audit 2.0.6 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## +## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 +## successful and unsuccessful attempts to read information from the +## audit records; all modifications to the audit trail +## +-w /var/log/audit/ -k LOG_audit + +## +## FAU_SEL.1, FMT_MTD.1 +## modifications to audit configuration that occur while the audit +## collection functions are operating; all modications to the set of +## audited events +## +-w /etc/audit/ -p wa -k CFG_audit +-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf +-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf +-w /etc/audisp/ -p wa -k CFG_audisp + +## +## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 +## all requests to perform an operation on an object covered by the +## SFP; all modifications of the values of security attributes; +## modifications to TSF data; attempts to revoke security attributes +## + +## Objects covered by the Security Functional Policy (SFP) are: +## -File system objects (files, directories, special files, extended attributes) +## -IPC objects (SYSV shared memory, message queues, and semaphores) + +## Operations on file system objects - by default, only monitor +## files and directories covered by filesystem watches. + +## Changes in ownership and permissions +#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown +#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown +## Enable *32 rules if you are running on i386 or s390 +## Do not use for x86_64, ia64, ppc, ppc64, or s390x +#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 + +## File content modification. Permissions are checked at open time, +## monitoring individual read/write calls is not useful. +#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +## Enable *64 rules if you are running on i386, ppc, ppc64, s390 +## Do not use for x86_64, ia64, or s390x +#-a always,exit -F arch=b32 -S truncate64,ftruncate64 + +## directory operations +#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir +#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir + +## moving, removing, and linking +#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat +#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat + +## Extended attribute operations +## Enable if you are interested in these events +#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr +#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + +## special files +-a always,exit -F arch=b32 -S mknod,mknodat +-a always,exit -F arch=b64 -S mknod,mknodat + +## Other file system operations +## Enable if i386 +-a always,exit -F arch=b32 -S mount,umount,umount2 +## Enable if ppc, s390, or s390x +#-a always,exit -F arch=b32 -S mount,umount,umount2 +#-a always,exit -F arch=b64 -S mount,umount,umount2 +## Enable if ia64 +#-a always,exit -F arch=b64 -S mount,umount +## Enable if x86_64 +#-a always,exit -F arch=b64 -S mount,umount2 +#-a always,exit -F arch=b32 -S mount,umount,umount2 + +## IPC SYSV message queues +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## msgctl +#-a always,exit -S ipc -F a0=14 +## msgget +#-a always,exit -S ipc -F a0=13 +## Enable if you are interested in these events (x86_64,ia64) +#-a always,exit -S msgctl +#-a always,exit -S msgget + +## IPC SYSV semaphores +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## semctl +#-a always,exit -S ipc -F a0=3 +## semget +#-a always,exit -S ipc -F a0=2 +## semop +#-a always,exit -S ipc -F a0=1 +## semtimedop +#-a always,exit -S ipc -F a0=4 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S semctl +#-a always,exit -S semget +#-a always,exit -S semop +#-a always,exit -S semtimedop + +## IPC SYSV shared memory +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## shmctl +#-a always,exit -S ipc -F a0=24 +## shmget +#-a always,exit -S ipc -F a0=23 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S shmctl +#-a always,exit -S shmget + +## +## FIA_USB.1 +## success and failure of binding user security attributes to a subject +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S clone +#-a always,exit -F arch=b64 -S clone +#-a always,exit -F arch=b32 -S fork,vfork +#-a always,exit -F arch=b64 -S fork,vfork +## For ia64 architecture, disable fork and vfork rules above, and +## enable the following: +#-a always,exit -S clone2 + +## +## FMT_MSA.3 +## modifications of the default setting of permissive or restrictive +## rules, all modifications of the initial value of security attributes +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S umask +#-a always,exit -F arch=b64 -S umask + +## +## FPT_STM.1 +## changes to the time +## +-a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime +-a always,exit -F arch=b64 -S adjtimex,settimeofday +-a always,exit -F arch=b32 -S clock_settime -F a0=0 +-a always,exit -F arch=b64 -S clock_settime -F a0=0 +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change + +## +## FTP_ITC.1 +## set-up of trusted channel +## +-w /usr/sbin/stunnel -p x + +## +## Security Databases +## + +## cron configuration & scheduled jobs +-w /etc/cron.allow -p wa -k CFG_cron.allow +-w /etc/cron.deny -p wa -k CFG_cron.deny +-w /etc/cron.d/ -p wa -k CFG_cron.d +-w /etc/cron.daily/ -p wa -k CFG_cron.daily +-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly +-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly +-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly +-w /etc/crontab -p wa -k CFG_crontab +-w /var/spool/cron/root -k CFG_crontab_root + +## user, group, password databases +-w /etc/group -p wa -k CFG_group +-w /etc/passwd -p wa -k CFG_passwd +-w /etc/gshadow -k CFG_gshadow +-w /etc/shadow -k CFG_shadow +-w /etc/security/opasswd -k CFG_opasswd + +## login configuration and information +-w /etc/login.defs -p wa -k CFG_login.defs +-w /etc/securetty -p wa -k CFG_securetty +-w /var/run/faillock/ -p wa -k LOG_faillock +-w /var/log/lastlog -p wa -k LOG_lastlog +-w /var/log/tallylog -p wa -k LOG_tallylog + +## network configuration +-w /etc/hosts -p wa -k CFG_hosts +-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network + +## system startup scripts +-w /etc/sysconfig/init -p wa -k CFG_init +-w /etc/init/ -p wa -k CFG_init +-w /etc/inittab -p wa -k CFG_inittab +-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts + +## library search paths +-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf + +## local time zone +-w /etc/localtime -p wa -k CFG_localtime + +## kernel parameters +-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf + +## modprobe configuration +-w /etc/modprobe.d/ -p wa -k CFG_modprobe + +## pam configuration +-w /etc/pam.d/ -p wa -k CFG_pam +-w /etc/security/access.conf -p wa -k CFG_pam +-w /etc/security/limits.conf -p wa -k CFG_pam +-w /etc/security/pam_env.conf -p wa -k CFG_pam +-w /etc/security/namespace.conf -p wa -k CFG_pam +-w /etc/security/namespace.d/ -p wa -k CFG_pam +-w /etc/security/namespace.init -p wa -k CFG_pam +-w /etc/security/sepermit.conf -p wa -k CFG_pam +-w /etc/security/time.conf -p wa -k CFG_pam + +## postfix configuration +-w /etc/aliases -p wa -k CFG_aliases +-w /etc/postfix/ -p wa -k CFG_postfix + +## screen configuration +-w /etc/screenrc -p wa -k CFG_screen + +## ssh configuration +-w /etc/ssh/sshd_config -k CFG_sshd_config + +## stunnel configuration +-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf +-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem + +## sudo configuration +-w /etc/sudoers -k CFG_sudoers +-w /etc/sudoers.d/ -k CFG_sudoers + +## Not specifically required by CAPP; but common sense items +-a always,exit -F arch=b32 -S sethostname -S setdomainname +-a always,exit -F arch=b64 -S sethostname -S setdomainname +-w /etc/issue -p wa -k CFG_issue +-w /etc/issue.net -p wa -k CFG_issue.net + +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 |