Diffstat (limited to 'framework/src/audit/contrib/lspp.rules')
-rw-r--r--framework/src/audit/contrib/lspp.rules343
1 files changed, 0 insertions, 343 deletions
diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules
deleted file mode 100644
index e0919bd2..00000000
--- a/framework/src/audit/contrib/lspp.rules
+++ /dev/null
@@ -1,343 +0,0 @@
-##
-## This file contains a sample audit configuration. Combined with the
-## system events that are audited by default, this set of rules causes
-## audit to generate records for the auditable events specified by the
-## Labeled Security Protection Profile (LSPP).
-##
-## It should be noted that this set of rules identifies directories by
-## leaving a / at the end of the path.
-##
-## For audit 2.0.6 and higher
-##
-
-## Remove any existing rules
--D
-
-## Increase buffer size to handle the increased number of messages.
-## Feel free to increase this if the machine panic's
--b 8192
-
-## Set failure mode to panic
--f 2
-
-##
-## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
-## successful and unsuccessful attempts to read information from the
-## audit records; all modifications to the audit trail
-##
--w /var/log/audit/ -k LOG_audit
-
-##
-## FAU_SEL.1, FMT_MTD.1
-## modifications to audit configuration that occur while the audit
-## collection functions are operating; all modications to the set of
-## audited events
-##
--w /etc/audit/ -p wa -k CFG_audit
--w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
--w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
--w /etc/audisp/ -p wa -k CFG_audisp
-
-##
-## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
-## all requests to perform an operation on an object covered by the
-## SFP; all modifications of the values of security attributes;
-## modifications to TSF data; attempts to revoke security attributes;
-## all attempts to export information; all attempts to import user
-## data, including any security attributes
-
-## Objects covered by the Security Functional Policy (SFP) are:
-## -File system objects (files, directories, special files, extended attributes)
-## -IPC objects (SYSV shared memory, message queues, and semaphores)
-
-## Operations on file system objects - by default, only monitor
-## files and directories covered by filesystem watches.
-
-## Changes in ownership and permissions
-#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
-#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
-## Enable *32 rules if you are running on i386 or s390
-## Do not use for x86_64, ia64, ppc, ppc64, or s390x
-#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
-
-## File content modification. Permissions are checked at open time,
-## monitoring individual read/write calls is not useful.
-#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-## Enable *64 rules if you are running on i386, ppc, ppc64, s390
-## Do not use for x86_64, ia64, or s390x
-#-a always,exit -F arch=b32 -S truncate64,ftruncate64
-
-## directory operations
-#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
-#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
-
-## moving, removing, and linking
-#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
-#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
-
-## Extended attribute operations
-## Enable if you are interested in these events
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-
-## special files
--a always,exit -F arch=b32 -S mknod,mknodat
--a always,exit -F arch=b64 -S mknod,mknodat
-
-## Other file system operations
-## Enable if i386
--a always,exit -F arch=b32 -S mount,umount,umount2
-## Enable if ppc, s390, or s390x
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-#-a always,exit -F arch=b64 -S mount,umount,umount2
-## Enable if ia64
-#-a always,exit -F arch=b64 -S mount,umount
-## Enable if x86_64
-#-a always,exit -F arch=b64 -S mount,umount2
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-
-## IPC SYSV message queues
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## msgctl
-#-a always,exit -S ipc -F a0=14
-## msgget
-#-a always,exit -S ipc -F a0=13
-## Enable if you are interested in these events (x86_64,ia64)
-#-a always,exit -S msgctl
-#-a always,exit -S msgget
-
-## IPC SYSV semaphores
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## semctl
-#-a always,exit -S ipc -F a0=0x3
-## semget
-#-a always,exit -S ipc -F a0=0x2
-## semop
-#-a always,exit -S ipc -F a0=0x1
-## semtimedop
-#-a always,exit -S ipc -F a0=0x4
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S semctl
-#-a always,exit -S semget
-#-a always,exit -S semop
-#-a always,exit -S semtimedop
-
-## IPC SYSV shared memory
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## shmctl
-#-a always,exit -S ipc -F a0=24
-## shmget
-#-a always,exit -S ipc -F a0=23
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S shmctl
-#-a always,exit -S shmget
-
-##
-## FIA_USB.1
-## success and failure of binding user security attributes to a subject
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S clone
-#-a always,exit -F arch=b64 -S clone
-#-a always,exit -F arch=b32 -S fork,vfork
-#-a always,exit -F arch=b64 -S fork,vfork
-## For ia64 architecture, disable fork and vfork rules above, and
-## enable the following:
-#-a always,exit -S clone2
-
-##
-## FDP_ETC.2
-## Export of Labeled User Data
-##
-## Printing
--w /etc/cups/ -p wa -k CFG_cups
--w /etc/init.d/cups -p wa -k CFG_initd_cups
-
-##
-## FDP_ETC.2, FDP_ITC.2
-## Export/Import of Labeled User Data
-##
-## Networking
--w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
--w /etc/ipsec.conf -p wa -k CFG_ipsec.conf
--w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf
--w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets
-
-##
-## FDP_IFC.1
-## Mandatory Access Control Policy
-##
--w /etc/selinux/config -p wa -k CFG_selinux_config
--w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
--w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
--w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
-
-##
-## FMT_MSA.3
-## modifications of the default setting of permissive or restrictive
-## rules, all modifications of the initial value of security attributes
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S umask
-#-a always,exit -F arch=b64 -S umask
-
-##
-## FPT_STM.1
-## changes to the time
-##
--a always,exit -F arch=b32 -S stime,adjtimex,settimeofday
--a always,exit -F arch=b64 -S adjtimex,settimeofday
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-
-##
-## FTP_ITC.1
-## set-up of trusted channel
-##
--w /usr/sbin/stunnel -p x
-
-##
-## FPT_TST.1 Self Test
-## aide is used to verify integrity of data and executables
-##
--w /etc/aide.conf -p wa -k CFG_aide.conf
--w /var/lib/aide/aide.db.gz -k CFG_aide.db
--w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
--w /var/log/aide/ -p wa -k CFG_aide.log
-
-##
-## Security Databases
-##
-
-## cron configuration & scheduled jobs
--w /etc/cron.allow -p wa -k CFG_cron.allow
--w /etc/cron.deny -p wa -k CFG_cron.deny
--w /etc/cron.d/ -p wa -k CFG_cron.d
--w /etc/cron.daily/ -p wa -k CFG_cron.daily
--w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
--w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
--w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
--w /etc/crontab -p wa -k CFG_crontab
--w /var/spool/cron/root -k CFG_crontab_root
-
-## user, group, password databases
--w /etc/group -p wa -k CFG_group
--w /etc/passwd -p wa -k CFG_passwd
--w /etc/gshadow -k CFG_gshadow
--w /etc/shadow -k CFG_shadow
--w /etc/security/opasswd -k CFG_opasswd
-
-## login configuration and information
--w /etc/login.defs -p wa -k CFG_login.defs
--w /etc/securetty -p wa -k CFG_securetty
--w /var/run/faillock/ -p wa -k LOG_faillock
--w /var/log/lastlog -p wa -k LOG_lastlog
--w /var/log/tallylog -p wa -k LOG_tallylog
-
-## network configuration
--w /etc/hosts -p wa -k CFG_hosts
--w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-
-## system startup scripts
--w /etc/sysconfig/init -p wa -k CFG_init
--w /etc/init/ -p wa -k CFG_init
--w /etc/inittab -p wa -k CFG_inittab
--w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
-
-## library search paths
--w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-
-## local time zone
--w /etc/localtime -p wa -k CFG_localtime
-
-## kernel parameters
--w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-
-## modprobe configuration
--w /etc/modprobe.d/ -p wa -k CFG_modprobe
-
-## pam configuration
--w /etc/pam.d/ -p wa -k CFG_pam
--w /etc/security/access.conf -p wa -k CFG_pam
--w /etc/security/limits.conf -p wa -k CFG_pam
--w /etc/security/pam_env.conf -p wa -k CFG_pam
--w /etc/security/namespace.conf -p wa -k CFG_pam
--w /etc/security/namespace.d/ -p wa -k CFG_pam
--w /etc/security/namespace.init -p wa -k CFG_pam
--w /etc/security/sepermit.conf -p wa -k CFG_pam
--w /etc/security/time.conf -p wa -k CFG_pam
-
-## postfix configuration
--w /etc/aliases -p wa -k CFG_aliases
--w /etc/postfix/ -p wa -k CFG_postfix
-
-## screen configuration
--w /etc/screenrc -p wa -k CFG_screen
-
-## ssh configuration
--w /etc/ssh/sshd_config -k CFG_sshd_config
-
-## stunnel configuration
--w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
--w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
-
-## sudo configuration
--w /etc/sudoers -k CFG_sudoers
--w /etc/sudoers.d/ -k CFG_sudoers
-
-## xinetd configuration
--w /etc/xinetd.d/ -k CFG_xinetd.d
--w /etc/xinetd.conf -k CFG_xinetd.conf
-
-## Not specifically required by LSPP; but common sense items
--a always,exit -F arch=b32 -S sethostname,setdomainname
--a always,exit -F arch=b64 -S sethostname,setdomainname
--w /etc/issue -p wa -k CFG_issue
--w /etc/issue.net -p wa -k CFG_issue.net
-
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2