Diffstat (limited to 'framework/src/audit/contrib/stig.rules')
-rw-r--r--framework/src/audit/contrib/stig.rules193
1 files changed, 0 insertions, 193 deletions
diff --git a/framework/src/audit/contrib/stig.rules b/framework/src/audit/contrib/stig.rules
deleted file mode 100644
index 5a51d7f0..00000000
--- a/framework/src/audit/contrib/stig.rules
+++ /dev/null
@@ -1,193 +0,0 @@
-## This file contains the auditctl rules that are loaded
-## whenever the audit daemon is started via the initscripts.
-## The rules are simply the parameters that would be passed
-## to auditctl.
-##
-## First rule - delete all
--D
-
-## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
-
-## Set failure mode to panic
--f 2
-
-## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable
-
-## NOTE:
-## 1) if this is being used on a 32 bit machine, comment out the b64 lines
-## 2) These rules assume that login under the root account is not allowed.
-## 3) It is also assumed that 500 represents the first usable user account. To
-## be sure, look at UID_MIN in /etc/login.defs.
-## 4) If these rules generate too much spurious data for your tastes, limit the
-## the syscall file rules with a directory, like -F dir=/etc
-## 5) You can search for the results on the key fields in the rules
-##
-##
-## (GEN002880: CAT II) The IAO will ensure the auditing software can
-## record the following for each audit event:
-##- Date and time of the event
-##- Userid that initiated the event
-##- Type of event
-##- Success or failure of the event
-##- For I&A events, the origin of the request (e.g., terminal ID)
-##- For events that introduce an object into a user’s address space, and
-## for object deletion events, the name of the object, and in MLS
-## systems, the object’s security level.
-##
-## Things that could affect time
--a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
--w /etc/localtime -p wa -k time-change
-
-## Things that affect identity
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity
-
-## Things that could affect system locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
--a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
--a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-
-## Things that could affect MAC policy
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
-
-
-## (GEN002900: CAT III) The IAO will ensure audit files are retained at
-## least one year; systems containing SAMI will be retained for five years.
-##
-## Site action - no action in config files
-
-## (GEN002920: CAT III) The IAO will ensure audit files are backed up
-## no less than weekly onto a different system than the system being
-## audited or backup media.
-##
-## Can be done with cron script
-
-## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
-## files have permissions of 640, or more restrictive.
-##
-## Done automatically by auditd
-
-## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
-## configure the auditing system to audit the following events for all
-## users and root:
-##
-## - Logon (unsuccessful and successful) and logout (successful)
-##
-## Handled by pam, sshd, login, and gdm
-## Might also want to watch these files if needing extra information
-#-w /var/log/tallylog -p wa -k logins
-#-w /var/run/faillock/ -p wa -k logins
-#-w /var/log/lastlog -p wa -k logins
-
-
-##- Process and session initiation (unsuccessful and successful)
-##
-## The session initiation is audited by pam without any rules needed.
-## Might also want to watch this file if needing extra information
-#-w /var/run/utmp -p wa -k session
-#-w /var/log/btmp -p wa -k session
-#-w /var/log/wtmp -p wa -k session
-
-##- Discretionary access control permission modification (unsuccessful
-## and successful use of chown/chmod)
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-
-##- Unauthorized access attempts to files (unsuccessful)
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
-
-##- Use of privileged commands (unsuccessful and successful)
-## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
-
-##- Use of print command (unsuccessful and successful)
-
-##- Export to media (successful)
-## You have to mount media before using it. You must disable all automounting
-## so that its done manually in order to get the correct user requesting the
-## export
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
-
-##- System startup and shutdown (unsuccessful and successful)
-
-##- Files and programs deleted by the user (successful and unsuccessful)
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
-
-##- All system administration actions
-##- All security personnel actions
-##
-## Look for pam_tty_audit and add it to your login entry point's pam configs.
-## If that is not found, use sudo which should be patched to record its
-## commands to the audit system. Do not allow unrestricted root shells or
-## sudo cannot record the action.
--w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions
-
-## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
-##ensure old audit logs are closed and new audit logs are started daily.
-##
-## Site action. Can be assisted by a cron job
-
-## Not specifically required by the STIG; but common sense items
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable - reboot is required to change audit rules
--e 2
-