diff options
Diffstat (limited to 'framework/src/audit/contrib/nispom.rules')
-rw-r--r-- | framework/src/audit/contrib/nispom.rules | 148 |
1 files changed, 0 insertions, 148 deletions
diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules deleted file mode 100644 index 6bcca086..00000000 --- a/framework/src/audit/contrib/nispom.rules +++ /dev/null @@ -1,148 +0,0 @@ -## -## This file contains the a sample audit configuration intended to -## meet the NISPOM Chapter 8 rules. -## -## This file should be saved as /etc/audit/audit.rules. -## -## For audit 1.6.5 and higher -## - -## Remove any existing rules --D - -## Increase buffer size to handle the increased number of messages. -## Feel free to increase this if the machine panic's --b 8192 - -## Set failure mode to panic --f 2 - -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - -## Audit 1, 1(a) Enough information to determine the date and time of -## action (e.g., common network time), the system locale of the action, -## the system entity that initiated or completed the action, the resources -## involved, and the action involved. - -## Things that could affect time --a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -# Introduced in 2.6.39, commented out because it can make false positives -#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change -#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change --w /etc/localtime -p wa -k time-change - -## Things that could affect system locale --a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale --a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale --w /etc/issue -p wa -k system-locale --w /etc/issue.net -p wa -k system-locale --w /etc/hosts -p wa -k system-locale --w /etc/sysconfig/network -p wa -k system-locale --a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale - -## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. -## This is covered by patches to login, gdm, and openssh -## Might also want to watch these files if needing extra information -#-w /var/log/tallylog -p wa -k logins -#-w /var/run/faillock/ -p wa -k logins -#-w /var/log/lastlog -p wa -k logins -#-w /var/log/btmp -p wa -k logins -#-w /var/run/utmp -p wa -k logins - -## Audit 1, 1(c) Successful and unsuccessful accesses to -## security-relevant objects and directories, including -## creation, open, close, modification, and deletion. - -## unsuccessful creation --a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation --a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation --a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation --a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation - -## unsuccessful open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open - -## unsuccessful close --a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close --a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close - -## unsuccessful modifications --a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods --a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods --a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods --a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods - -## unsuccessful deletion --a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete --a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete - -## Audit 1, 1(d) Changes in user authenticators. -## Covered by patches to libpam, passwd, and shadow-utils -## Might also want to watch these files for changes --w /etc/group -p wa -k auth --w /etc/passwd -p wa -k auth --w /etc/gshadow -p wa -k auth --w /etc/shadow -p wa -k auth --w /etc/security/opasswd -p wa -k auth - -## Audit 1, 1(e) The blocking or blacklisting of a user ID, -## terminal, or access port and the reason for the action. -## Covered by patches to pam_tally2 or pam_faillock and pam_limits - -## Audit 1, 1(f) Denial of access resulting from an excessive -## number of unsuccessful logon attempts. -## Covered by patches to pam_tally2 or pam_faillock - -## Audit 1, 2 Audit Trail Protection. The contents of audit trails -## shall be protected against unauthorized access, modification, -## or deletion. -## This should be covered by file permissions, but we can watch it -## to see any activity --w /var/log/audit/ -k audit-logs - -## Not specifically required by NISPOM; but common sense items -## Optional - could indicate someone trying to do something bad or -## just debugging -#-a always,exit -F arch=b32 -S ptrace -F key=tracing -#-a always,exit -F arch=b64 -S ptrace -F key=tracing -#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection - -## Optional - might want to watch module insertion -#-w /sbin/insmod -p x -k modules -#-w /sbin/rmmod -p x -k modules -#-w /sbin/modprobe -p x -k modules -#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b32 -S delete_module -F key=module-unload -#-a always,exit -F arch=b64 -S delete_module -F key=module-unload - -## Optional - admin may be abusing power by looking in user's home dir -#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - -## Optional - log container creation -#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create -#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create - -## Optional - watch for containers that may change their configuration -#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config -#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config - -## Put your own watches after this point -# -w /your-file -p rwxa -k mykey - -## Make the configuration immutable -#-e 2 |