aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/audit/contrib/nispom.rules
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/audit/contrib/nispom.rules')
-rw-r--r--framework/src/audit/contrib/nispom.rules148
1 files changed, 0 insertions, 148 deletions
diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules
deleted file mode 100644
index 6bcca086..00000000
--- a/framework/src/audit/contrib/nispom.rules
+++ /dev/null
@@ -1,148 +0,0 @@
-##
-## This file contains the a sample audit configuration intended to
-## meet the NISPOM Chapter 8 rules.
-##
-## This file should be saved as /etc/audit/audit.rules.
-##
-## For audit 1.6.5 and higher
-##
-
-## Remove any existing rules
--D
-
-## Increase buffer size to handle the increased number of messages.
-## Feel free to increase this if the machine panic's
--b 8192
-
-## Set failure mode to panic
--f 2
-
-## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable
-
-## Audit 1, 1(a) Enough information to determine the date and time of
-## action (e.g., common network time), the system locale of the action,
-## the system entity that initiated or completed the action, the resources
-## involved, and the action involved.
-
-## Things that could affect time
--a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
--w /etc/localtime -p wa -k time-change
-
-## Things that could affect system locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
--a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
--a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-
-## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
-## This is covered by patches to login, gdm, and openssh
-## Might also want to watch these files if needing extra information
-#-w /var/log/tallylog -p wa -k logins
-#-w /var/run/faillock/ -p wa -k logins
-#-w /var/log/lastlog -p wa -k logins
-#-w /var/log/btmp -p wa -k logins
-#-w /var/run/utmp -p wa -k logins
-
-## Audit 1, 1(c) Successful and unsuccessful accesses to
-## security-relevant objects and directories, including
-## creation, open, close, modification, and deletion.
-
-## unsuccessful creation
--a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
--a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
--a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation
--a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation
-
-## unsuccessful open
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
-
-## unsuccessful close
--a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close
--a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
-
-## unsuccessful modifications
--a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
--a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
-
-## unsuccessful deletion
--a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
--a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete
-
-## Audit 1, 1(d) Changes in user authenticators.
-## Covered by patches to libpam, passwd, and shadow-utils
-## Might also want to watch these files for changes
--w /etc/group -p wa -k auth
--w /etc/passwd -p wa -k auth
--w /etc/gshadow -p wa -k auth
--w /etc/shadow -p wa -k auth
--w /etc/security/opasswd -p wa -k auth
-
-## Audit 1, 1(e) The blocking or blacklisting of a user ID,
-## terminal, or access port and the reason for the action.
-## Covered by patches to pam_tally2 or pam_faillock and pam_limits
-
-## Audit 1, 1(f) Denial of access resulting from an excessive
-## number of unsuccessful logon attempts.
-## Covered by patches to pam_tally2 or pam_faillock
-
-## Audit 1, 2 Audit Trail Protection. The contents of audit trails
-## shall be protected against unauthorized access, modification,
-## or deletion.
-## This should be covered by file permissions, but we can watch it
-## to see any activity
--w /var/log/audit/ -k audit-logs
-
-## Not specifically required by NISPOM; but common sense items
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2