Diffstat (limited to 'framework/src/audit/contrib')
-rwxr-xr-x | framework/src/audit/contrib/avc_snap | 90 | ||||
-rw-r--r-- | framework/src/audit/contrib/capp.rules | 302 | ||||
-rw-r--r-- | framework/src/audit/contrib/lspp.rules | 343 | ||||
-rw-r--r-- | framework/src/audit/contrib/nispom.rules | 148 | ||||
-rw-r--r-- | framework/src/audit/contrib/plugin/Makefile | 7 | ||||
-rw-r--r-- | framework/src/audit/contrib/plugin/audisp-example.c | 229 | ||||
-rw-r--r-- | framework/src/audit/contrib/plugin/audisp-example.conf | 10 | ||||
-rw-r--r-- | framework/src/audit/contrib/skeleton.c | 140 | ||||
-rw-r--r-- | framework/src/audit/contrib/stig.rules | 193 |
9 files changed, 0 insertions, 1462 deletions
diff --git a/framework/src/audit/contrib/avc_snap b/framework/src/audit/contrib/avc_snap
deleted file mode 100755
index f4acba7d..00000000
--- a/framework/src/audit/contrib/avc_snap
+++ /dev/null
@@ -1,90 +0,0 @@
-#! /usr/bin/env python
-import os, string, select, struct, syslog
-import audit, avc, traceback
-import AuditMsg
-from setroubleshoot.signature import *
-from setroubleshoot.util import LoadPlugins
-
-class avc_snap:
- def __init__(self):
- self.audit_list = []
- self.cur_sig = ""
- self.plugins = LoadPlugins()
- syslog.syslog( "Number of Plugins = %d" % len(self.plugins))
-
- def is_avc(self):
- for i in self.audit_list:
- if i[0] == audit.AUDIT_AVC:
- return True
- return False
-
- def out(self):
- if self.is_avc():
- rules=avc.SERules()
- l=[]
- for ( type, data_list ) in self.audit_list:
- l += data_list
-
- if "granted" in l:
- self.audit_list = []
- return
-
- rules.translate(l)
- myavc = AVC(rules.AVCS[0])
- for plugin in self.plugins:
- try:
- if plugin.analyze(myavc):
- plugin.report()
- break;
-
- except TypeError, e:
- syslog.syslog("Type exception %s: %s " % ( plugin.analysisID, e.args))
- except:
- syslog.syslog("Plugin Exception %s " % plugin.analysisID)
-
- self.audit_list = []
-
- def process(self, type, data):
- data_list=data.split()
- new_sig=data_list[0]
-
- if len(self.audit_list) > 0 and new_sig != self.cur_sig:
- self.out()
- self.cur_sig = new_sig
-
- self.audit_list.append((type, data_list[1:]))
-
- def run(self):
- while 1:
- input,output, err = select.select([0],[], [], 5)
- try:
- if 0 in input:
- msg = AuditMsg.AuditMsg()
- if not msg.read_from_fd(0):
- syslog.syslog("Connection closing")
- return
- self.process(msg.get_type(), msg.get_body())
- else:
- self.out()
-
- except struct.error, e:
- syslog.syslog("struct exception %s " % e.args)
- return
- except TypeError, e:
- syslog.syslog("Type exception %s " % e.args)
-
-try:
- syslog.openlog("avc_snap")
- snap=avc_snap()
- snap.run()
-
-except IOError,e:
- syslog.syslog("IOError exception %s" % e.args)
-
-except Exception, e:
- syslog.syslog("Unexpected exception %s " % e.args)
- syslog.syslog(traceback.format_exc())
-
-except:
- syslog.syslog("Caught Exception")
- syslog.syslog(traceback.format_exc())
diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules
deleted file mode 100644
index 5e38274f..00000000
--- a/framework/src/audit/contrib/capp.rules
+++ /dev/null
@@ -1,302 +0,0 @@ -## -## This file contains a sample audit configuration. Combined with the -## system events that are audited by default, this set of rules causes -## audit to generate records for the auditable events specified by the -## Controlled Access Protection Profile (CAPP). -## -## It should be noted that this set of rules identifies directories by -## leaving a / at the end of the path. -## -## For audit 2.0.6 and higher -## - -## Remove any existing rules --D - -## Increase buffer size to handle the increased number of messages. -## Feel free to increase this if the machine panic's --b 8192 - -## Set failure mode to panic --f 2 - -## -## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 -## successful and unsuccessful attempts to read information from the -## audit records; all modifications to the audit trail -## --w /var/log/audit/ -k LOG_audit - -## -## FAU_SEL.1, FMT_MTD.1 -## modifications to audit configuration that occur while the audit -## collection functions are operating; all modications to the set of -## audited events -## --w /etc/audit/ -p wa -k CFG_audit --w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf --w /etc/libaudit.conf -p wa -k CFG_libaudit.conf --w /etc/audisp/ -p wa -k CFG_audisp - -## -## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 -## all requests to perform an operation on an object covered by the -## SFP; all modifications of the values of security attributes; -## modifications to TSF data; attempts to revoke security attributes -## - -## Objects covered by the Security Functional Policy (SFP) are: -## -File system objects (files, directories, special files, extended attributes) -## -IPC objects (SYSV shared memory, message queues, and semaphores) - -## Operations on file system objects - by default, only monitor -## files and directories covered by filesystem watches. 
- -## Changes in ownership and permissions -#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -## Enable *32 rules if you are running on i386 or s390 -## Do not use for x86_64, ia64, ppc, ppc64, or s390x -#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 - -## File content modification. Permissions are checked at open time, -## monitoring individual read/write calls is not useful. -#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -## Enable *64 rules if you are running on i386, ppc, ppc64, s390 -## Do not use for x86_64, ia64, or s390x -#-a always,exit -F arch=b32 -S truncate64,ftruncate64 - -## directory operations -#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir -#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir - -## moving, removing, and linking -#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat -#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat - -## Extended attribute operations -## Enable if you are interested in these events -#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr - -## special files --a always,exit -F arch=b32 -S mknod,mknodat --a always,exit -F arch=b64 -S mknod,mknodat - -## Other file system operations -## Enable if i386 --a always,exit -F arch=b32 -S mount,umount,umount2 -## Enable if ppc, s390, or s390x -#-a always,exit -F arch=b32 -S mount,umount,umount2 -#-a always,exit -F arch=b64 -S mount,umount,umount2 -## Enable if 
ia64 -#-a always,exit -F arch=b64 -S mount,umount -## Enable if x86_64 -#-a always,exit -F arch=b64 -S mount,umount2 -#-a always,exit -F arch=b32 -S mount,umount,umount2 - -## IPC SYSV message queues -## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) -## msgctl -#-a always,exit -S ipc -F a0=14 -## msgget -#-a always,exit -S ipc -F a0=13 -## Enable if you are interested in these events (x86_64,ia64) -#-a always,exit -S msgctl -#-a always,exit -S msgget - -## IPC SYSV semaphores -## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) -## semctl -#-a always,exit -S ipc -F a0=3 -## semget -#-a always,exit -S ipc -F a0=2 -## semop -#-a always,exit -S ipc -F a0=1 -## semtimedop -#-a always,exit -S ipc -F a0=4 -## Enable if you are interested in these events (x86_64, ia64) -#-a always,exit -S semctl -#-a always,exit -S semget -#-a always,exit -S semop -#-a always,exit -S semtimedop - -## IPC SYSV shared memory -## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) -## shmctl -#-a always,exit -S ipc -F a0=24 -## shmget -#-a always,exit -S ipc -F a0=23 -## Enable if you are interested in these events (x86_64, ia64) -#-a always,exit -S shmctl -#-a always,exit -S shmget - -## -## FIA_USB.1 -## success and failure of binding user security attributes to a subject -## -## Enable if you are interested in these events -## -#-a always,exit -F arch=b32 -S clone -#-a always,exit -F arch=b64 -S clone -#-a always,exit -F arch=b32 -S fork,vfork -#-a always,exit -F arch=b64 -S fork,vfork -## For ia64 architecture, disable fork and vfork rules above, and -## enable the following: -#-a always,exit -S clone2 - -## -## FMT_MSA.3 -## modifications of the default setting of permissive or restrictive -## rules, all modifications of the initial value of security attributes -## -## Enable if you are interested in these events -## -#-a always,exit -F arch=b32 -S umask -#-a always,exit -F arch=b64 -S umask - -## -## FPT_STM.1 -## 
changes to the time -## --a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime --a always,exit -F arch=b64 -S adjtimex,settimeofday --a always,exit -F arch=b32 -S clock_settime -F a0=0 --a always,exit -F arch=b64 -S clock_settime -F a0=0 -# Introduced in 2.6.39, commented out because it can make false positives -#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change -#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change - -## -## FTP_ITC.1 -## set-up of trusted channel -## --w /usr/sbin/stunnel -p x - -## -## Security Databases -## - -## cron configuration & scheduled jobs --w /etc/cron.allow -p wa -k CFG_cron.allow --w /etc/cron.deny -p wa -k CFG_cron.deny --w /etc/cron.d/ -p wa -k CFG_cron.d --w /etc/cron.daily/ -p wa -k CFG_cron.daily --w /etc/cron.hourly/ -p wa -k CFG_cron.hourly --w /etc/cron.monthly/ -p wa -k CFG_cron.monthly --w /etc/cron.weekly/ -p wa -k CFG_cron.weekly --w /etc/crontab -p wa -k CFG_crontab --w /var/spool/cron/root -k CFG_crontab_root - -## user, group, password databases --w /etc/group -p wa -k CFG_group --w /etc/passwd -p wa -k CFG_passwd --w /etc/gshadow -k CFG_gshadow --w /etc/shadow -k CFG_shadow --w /etc/security/opasswd -k CFG_opasswd - -## login configuration and information --w /etc/login.defs -p wa -k CFG_login.defs --w /etc/securetty -p wa -k CFG_securetty --w /var/run/faillock/ -p wa -k LOG_faillock --w /var/log/lastlog -p wa -k LOG_lastlog --w /var/log/tallylog -p wa -k LOG_tallylog - -## network configuration --w /etc/hosts -p wa -k CFG_hosts --w /etc/sysconfig/network-scripts/ -p wa -k CFG_network - -## system startup scripts --w /etc/sysconfig/init -p wa -k CFG_init --w /etc/init/ -p wa -k CFG_init --w /etc/inittab -p wa -k CFG_inittab --w /etc/rc.d/init.d/ -p wa -k CFG_initscripts - -## library search paths --w /etc/ld.so.conf -p wa -k CFG_ld.so.conf - -## local time zone --w /etc/localtime -p wa -k CFG_localtime - -## kernel parameters --w /etc/sysctl.conf -p wa -k CFG_sysctl.conf - -## modprobe 
configuration --w /etc/modprobe.d/ -p wa -k CFG_modprobe - -## pam configuration --w /etc/pam.d/ -p wa -k CFG_pam --w /etc/security/access.conf -p wa -k CFG_pam --w /etc/security/limits.conf -p wa -k CFG_pam --w /etc/security/pam_env.conf -p wa -k CFG_pam --w /etc/security/namespace.conf -p wa -k CFG_pam --w /etc/security/namespace.d/ -p wa -k CFG_pam --w /etc/security/namespace.init -p wa -k CFG_pam --w /etc/security/sepermit.conf -p wa -k CFG_pam --w /etc/security/time.conf -p wa -k CFG_pam - -## postfix configuration --w /etc/aliases -p wa -k CFG_aliases --w /etc/postfix/ -p wa -k CFG_postfix - -## screen configuration --w /etc/screenrc -p wa -k CFG_screen - -## ssh configuration --w /etc/ssh/sshd_config -k CFG_sshd_config - -## stunnel configuration --w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf --w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem - -## sudo configuration --w /etc/sudoers -k CFG_sudoers --w /etc/sudoers.d/ -k CFG_sudoers - -## Not specifically required by CAPP; but common sense items --a always,exit -F arch=b32 -S sethostname -S setdomainname --a always,exit -F arch=b64 -S sethostname -S setdomainname --w /etc/issue -p wa -k CFG_issue --w /etc/issue.net -p wa -k CFG_issue.net - -## Optional - could indicate someone trying to do something bad or -## just debugging -#-a always,exit -F arch=b32 -S ptrace -F key=tracing -#-a always,exit -F arch=b64 -S ptrace -F key=tracing -#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection - -## Optional - might want to watch module insertion -#-w /sbin/insmod -p x -k modules -#-w /sbin/rmmod -p x -k modules -#-w /sbin/modprobe -p x -k 
modules -#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b32 -S delete_module -F key=module-unload -#-a always,exit -F arch=b64 -S delete_module -F key=module-unload - -## Optional - admin may be abusing power by looking in user's home dir -#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - -## Optional - log container creation -#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create -#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create - -## Optional - watch for containers that may change their configuration -#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config -#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config - -## Put your own watches after this point -# -w /your-file -p rwxa -k mykey - -## Make the configuration immutable -#-e 2 diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules deleted file mode 100644 index e0919bd2..00000000 --- a/framework/src/audit/contrib/lspp.rules +++ /dev/null 
@@ -1,343 +0,0 @@ -## -## This file contains a sample audit configuration. Combined with the -## system events that are audited by default, this set of rules causes -## audit to generate records for the auditable events specified by the -## Labeled Security Protection Profile (LSPP). -## -## It should be noted that this set of rules identifies directories by -## leaving a / at the end of the path. -## -## For audit 2.0.6 and higher -## - -## Remove any existing rules --D - -## Increase buffer size to handle the increased number of messages. -## Feel free to increase this if the machine panic's --b 8192 - -## Set failure mode to panic --f 2 - -## -## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 -## successful and unsuccessful attempts to read information from the -## audit records; all modifications to the audit trail -## --w /var/log/audit/ -k LOG_audit - -## -## FAU_SEL.1, FMT_MTD.1 -## modifications to audit configuration that occur while the audit -## collection functions are operating; all modications to the set of -## audited events -## --w /etc/audit/ -p wa -k CFG_audit --w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf --w /etc/libaudit.conf -p wa -k CFG_libaudit.conf --w /etc/audisp/ -p wa -k CFG_audisp - -## -## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2 -## all requests to perform an operation on an object covered by the -## SFP; all modifications of the values of security attributes; -## modifications to TSF data; attempts to revoke security attributes; -## all attempts to export information; all attempts to import user -## data, including any security attributes - -## Objects covered by the Security Functional Policy (SFP) are: -## -File system objects (files, directories, special files, extended attributes) -## -IPC objects (SYSV shared memory, message queues, and semaphores) - -## Operations on file system objects - by default, only monitor -## files and directories covered by filesystem watches. 
- -## Changes in ownership and permissions -#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -## Enable *32 rules if you are running on i386 or s390 -## Do not use for x86_64, ia64, ppc, ppc64, or s390x -#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 - -## File content modification. Permissions are checked at open time, -## monitoring individual read/write calls is not useful. -#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -## Enable *64 rules if you are running on i386, ppc, ppc64, s390 -## Do not use for x86_64, ia64, or s390x -#-a always,exit -F arch=b32 -S truncate64,ftruncate64 - -## directory operations -#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir -#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir - -## moving, removing, and linking -#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat -#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat - -## Extended attribute operations -## Enable if you are interested in these events --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr - -## special files --a always,exit -F arch=b32 -S mknod,mknodat --a always,exit -F arch=b64 -S mknod,mknodat - -## Other file system operations -## Enable if i386 --a always,exit -F arch=b32 -S mount,umount,umount2 -## Enable if ppc, s390, or s390x -#-a always,exit -F arch=b32 -S mount,umount,umount2 -#-a always,exit -F arch=b64 -S mount,umount,umount2 -## Enable if 
ia64 -#-a always,exit -F arch=b64 -S mount,umount -## Enable if x86_64 -#-a always,exit -F arch=b64 -S mount,umount2 -#-a always,exit -F arch=b32 -S mount,umount,umount2 - -## IPC SYSV message queues -## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) -## msgctl -#-a always,exit -S ipc -F a0=14 -## msgget -#-a always,exit -S ipc -F a0=13 -## Enable if you are interested in these events (x86_64,ia64) -#-a always,exit -S msgctl -#-a always,exit -S msgget - -## IPC SYSV semaphores -## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) -## semctl -#-a always,exit -S ipc -F a0=0x3 -## semget -#-a always,exit -S ipc -F a0=0x2 -## semop -#-a always,exit -S ipc -F a0=0x1 -## semtimedop -#-a always,exit -S ipc -F a0=0x4 -## Enable if you are interested in these events (x86_64, ia64) -#-a always,exit -S semctl -#-a always,exit -S semget -#-a always,exit -S semop -#-a always,exit -S semtimedop - -## IPC SYSV shared memory -## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) -## shmctl -#-a always,exit -S ipc -F a0=24 -## shmget -#-a always,exit -S ipc -F a0=23 -## Enable if you are interested in these events (x86_64, ia64) -#-a always,exit -S shmctl -#-a always,exit -S shmget - -## -## FIA_USB.1 -## success and failure of binding user security attributes to a subject -## -## Enable if you are interested in these events -## -#-a always,exit -F arch=b32 -S clone -#-a always,exit -F arch=b64 -S clone -#-a always,exit -F arch=b32 -S fork,vfork -#-a always,exit -F arch=b64 -S fork,vfork -## For ia64 architecture, disable fork and vfork rules above, and -## enable the following: -#-a always,exit -S clone2 - -## -## FDP_ETC.2 -## Export of Labeled User Data -## -## Printing --w /etc/cups/ -p wa -k CFG_cups --w /etc/init.d/cups -p wa -k CFG_initd_cups - -## -## FDP_ETC.2, FDP_ITC.2 -## Export/Import of Labeled User Data -## -## Networking --w /etc/netlabel.rules -p wa -k CFG_netlabel.rules --w /etc/ipsec.conf -p wa 
-k CFG_ipsec.conf --w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf --w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets - -## -## FDP_IFC.1 -## Mandatory Access Control Policy -## --w /etc/selinux/config -p wa -k CFG_selinux_config --w /etc/selinux/mls/ -p wa -k CFG_MAC_policy --w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy --w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy - -## -## FMT_MSA.3 -## modifications of the default setting of permissive or restrictive -## rules, all modifications of the initial value of security attributes -## -## Enable if you are interested in these events -## -#-a always,exit -F arch=b32 -S umask -#-a always,exit -F arch=b64 -S umask - -## -## FPT_STM.1 -## changes to the time -## --a always,exit -F arch=b32 -S stime,adjtimex,settimeofday --a always,exit -F arch=b64 -S adjtimex,settimeofday --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -# Introduced in 2.6.39, commented out because it can make false positives -#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change -#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change - -## -## FTP_ITC.1 -## set-up of trusted channel -## --w /usr/sbin/stunnel -p x - -## -## FPT_TST.1 Self Test -## aide is used to verify integrity of data and executables -## --w /etc/aide.conf -p wa -k CFG_aide.conf --w /var/lib/aide/aide.db.gz -k CFG_aide.db --w /var/lib/aide/aide.db.new.gz -k CFG_aide.db --w /var/log/aide/ -p wa -k CFG_aide.log - -## -## Security Databases -## - -## cron configuration & scheduled jobs --w /etc/cron.allow -p wa -k CFG_cron.allow --w /etc/cron.deny -p wa -k CFG_cron.deny --w /etc/cron.d/ -p wa -k CFG_cron.d --w /etc/cron.daily/ -p wa -k CFG_cron.daily --w /etc/cron.hourly/ -p wa -k CFG_cron.hourly --w /etc/cron.monthly/ -p wa -k CFG_cron.monthly --w /etc/cron.weekly/ -p wa -k CFG_cron.weekly --w /etc/crontab -p wa -k CFG_crontab --w /var/spool/cron/root -k CFG_crontab_root - -## user, group, password 
databases --w /etc/group -p wa -k CFG_group --w /etc/passwd -p wa -k CFG_passwd --w /etc/gshadow -k CFG_gshadow --w /etc/shadow -k CFG_shadow --w /etc/security/opasswd -k CFG_opasswd - -## login configuration and information --w /etc/login.defs -p wa -k CFG_login.defs --w /etc/securetty -p wa -k CFG_securetty --w /var/run/faillock/ -p wa -k LOG_faillock --w /var/log/lastlog -p wa -k LOG_lastlog --w /var/log/tallylog -p wa -k LOG_tallylog - -## network configuration --w /etc/hosts -p wa -k CFG_hosts --w /etc/sysconfig/network-scripts/ -p wa -k CFG_network - -## system startup scripts --w /etc/sysconfig/init -p wa -k CFG_init --w /etc/init/ -p wa -k CFG_init --w /etc/inittab -p wa -k CFG_inittab --w /etc/rc.d/init.d/ -p wa -k CFG_initscripts - -## library search paths --w /etc/ld.so.conf -p wa -k CFG_ld.so.conf - -## local time zone --w /etc/localtime -p wa -k CFG_localtime - -## kernel parameters --w /etc/sysctl.conf -p wa -k CFG_sysctl.conf - -## modprobe configuration --w /etc/modprobe.d/ -p wa -k CFG_modprobe - -## pam configuration --w /etc/pam.d/ -p wa -k CFG_pam --w /etc/security/access.conf -p wa -k CFG_pam --w /etc/security/limits.conf -p wa -k CFG_pam --w /etc/security/pam_env.conf -p wa -k CFG_pam --w /etc/security/namespace.conf -p wa -k CFG_pam --w /etc/security/namespace.d/ -p wa -k CFG_pam --w /etc/security/namespace.init -p wa -k CFG_pam --w /etc/security/sepermit.conf -p wa -k CFG_pam --w /etc/security/time.conf -p wa -k CFG_pam - -## postfix configuration --w /etc/aliases -p wa -k CFG_aliases --w /etc/postfix/ -p wa -k CFG_postfix - -## screen configuration --w /etc/screenrc -p wa -k CFG_screen - -## ssh configuration --w /etc/ssh/sshd_config -k CFG_sshd_config - -## stunnel configuration --w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf --w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem - -## sudo configuration --w /etc/sudoers -k CFG_sudoers --w /etc/sudoers.d/ -k CFG_sudoers - -## xinetd configuration --w /etc/xinetd.d/ -k CFG_xinetd.d --w 
/etc/xinetd.conf -k CFG_xinetd.conf - -## Not specifically required by LSPP; but common sense items --a always,exit -F arch=b32 -S sethostname,setdomainname --a always,exit -F arch=b64 -S sethostname,setdomainname --w /etc/issue -p wa -k CFG_issue --w /etc/issue.net -p wa -k CFG_issue.net - -## Optional - could indicate someone trying to do something bad or -## just debugging -#-a always,exit -F arch=b32 -S ptrace -F key=tracing -#-a always,exit -F arch=b64 -S ptrace -F key=tracing -#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection - -## Optional - might want to watch module insertion -#-w /sbin/insmod -p x -k modules -#-w /sbin/rmmod -p x -k modules -#-w /sbin/modprobe -p x -k modules -#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b32 -S delete_module -F key=module-unload -#-a always,exit -F arch=b64 -S delete_module -F key=module-unload - -## Optional - admin may be abusing power by looking in user's home dir -#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - -## Optional - log container creation -#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create -#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create - -## Optional - watch for containers that may change their configuration -#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config -#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config - -## Put your own watches after 
this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2
diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules
deleted file mode 100644
index 6bcca086..00000000
--- a/framework/src/audit/contrib/nispom.rules
+++ /dev/null
@@ -1,148 +0,0 @@ -## -## This file contains the a sample audit configuration intended to -## meet the NISPOM Chapter 8 rules. -## -## This file should be saved as /etc/audit/audit.rules. -## -## For audit 1.6.5 and higher -## - -## Remove any existing rules --D - -## Increase buffer size to handle the increased number of messages. -## Feel free to increase this if the machine panic's --b 8192 - -## Set failure mode to panic --f 2 - -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - -## Audit 1, 1(a) Enough information to determine the date and time of -## action (e.g., common network time), the system locale of the action, -## the system entity that initiated or completed the action, the resources -## involved, and the action involved. - -## Things that could affect time --a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -# Introduced in 2.6.39, commented out because it can make false positives -#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change -#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change --w /etc/localtime -p wa -k time-change - -## Things that could affect system locale --a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale --a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale --w /etc/issue -p wa -k system-locale --w /etc/issue.net -p wa -k system-locale --w /etc/hosts -p wa -k system-locale --w /etc/sysconfig/network -p wa -k system-locale --a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale - -## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. 
-## This is covered by patches to login, gdm, and openssh -## Might also want to watch these files if needing extra information -#-w /var/log/tallylog -p wa -k logins -#-w /var/run/faillock/ -p wa -k logins -#-w /var/log/lastlog -p wa -k logins -#-w /var/log/btmp -p wa -k logins -#-w /var/run/utmp -p wa -k logins - -## Audit 1, 1(c) Successful and unsuccessful accesses to -## security-relevant objects and directories, including -## creation, open, close, modification, and deletion. - -## unsuccessful creation --a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation --a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation --a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation --a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation - -## unsuccessful open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open - -## unsuccessful close --a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close --a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close - -## unsuccessful modifications --a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods --a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods --a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods --a always,exit -F arch=b64 -S rename -S 
renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods - -## unsuccessful deletion --a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete --a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete - -## Audit 1, 1(d) Changes in user authenticators. -## Covered by patches to libpam, passwd, and shadow-utils -## Might also want to watch these files for changes --w /etc/group -p wa -k auth --w /etc/passwd -p wa -k auth --w /etc/gshadow -p wa -k auth --w /etc/shadow -p wa -k auth --w /etc/security/opasswd -p wa -k auth - -## Audit 1, 1(e) The blocking or blacklisting of a user ID, -## terminal, or access port and the reason for the action. -## Covered by patches to pam_tally2 or pam_faillock and pam_limits - -## Audit 1, 1(f) Denial of access resulting from an excessive -## number of unsuccessful logon attempts. -## Covered by patches to pam_tally2 or pam_faillock - -## Audit 1, 2 Audit Trail Protection. The contents of audit trails -## shall be protected against unauthorized access, modification, -## or deletion. 
-## This should be covered by file permissions, but we can watch it -## to see any activity --w /var/log/audit/ -k audit-logs - -## Not specifically required by NISPOM; but common sense items -## Optional - could indicate someone trying to do something bad or -## just debugging -#-a always,exit -F arch=b32 -S ptrace -F key=tracing -#-a always,exit -F arch=b64 -S ptrace -F key=tracing -#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection - -## Optional - might want to watch module insertion -#-w /sbin/insmod -p x -k modules -#-w /sbin/rmmod -p x -k modules -#-w /sbin/modprobe -p x -k modules -#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b32 -S delete_module -F key=module-unload -#-a always,exit -F arch=b64 -S delete_module -F key=module-unload - -## Optional - admin may be abusing power by looking in user's home dir -#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - -## Optional - log container creation -#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create -#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create - -## Optional - watch for containers that may change their configuration -#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config -#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config - -## Put your own watches after this point -# -w /your-file -p rwxa -k mykey - -## Make the configuration immutable -#-e 2 
diff --git a/framework/src/audit/contrib/plugin/Makefile b/framework/src/audit/contrib/plugin/Makefile
deleted file mode 100644
index 4256c4d1..00000000
--- a/framework/src/audit/contrib/plugin/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-CFLAGS=-g -W -Wall -Wundef
-LIBS= -lauparse -laudit
-all:
- gcc $(CFLAGS) audisp-example.c -o audisp-example $(LIBS)
-
-clean:
- rm -f audisp-example *.o
diff --git a/framework/src/audit/contrib/plugin/audisp-example.c b/framework/src/audit/contrib/plugin/audisp-example.c
deleted file mode 100644
index 6fcca1a1..00000000
--- a/framework/src/audit/contrib/plugin/audisp-example.c
+++ /dev/null
@@ -1,229 +0,0 @@ -/* audisp-example.c -- - * Copyright 2012 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - * Authors: - * Steve Grubb <sgrubb@redhat.com> - * - * This is a sample program to demonstrate several concepts of how to - * write an audispd plugin using libauparse. It can be tested by using a - * file of raw audit records. You can generate the test file like: - * - * ausearch --start today --raw > test.log. - * - * Then you can test this app by: cat test.log | ./audisp-example - * - * It will print things to stdout. In a real program, you wouldn't - * do anything with stdout since that is likely to be pointing to /dev/null. - * - * Excluding some init/destroy items you might need to add to main, the - * event_handler function is the main place that you would modify to do - * things specific to your plugin. 
- * - */ - -#define _GNU_SOURCE -#include <stdio.h> -#include <signal.h> -#include <string.h> -#include <sys/select.h> -#include <errno.h> -#include "libaudit.h" -#include "auparse.h" - -/* Global Data */ -static volatile int stop = 0; -static volatile int hup = 0; -static auparse_state_t *au = NULL; - -/* Local declarations */ -static void handle_event(auparse_state_t *au, - auparse_cb_event_t cb_event_type, void *user_data); - -/* - * SIGTERM handler - */ -static void term_handler( int sig ) -{ - stop = 1; -} - -/* - * SIGHUP handler: re-read config - */ -static void hup_handler( int sig ) -{ - hup = 1; -} - -static void reload_config(void) -{ - hup = 0; -} - -int main(int argc, char *argv[]) -{ - char tmp[MAX_AUDIT_MESSAGE_LENGTH+1]; - struct sigaction sa; - - /* Register sighandlers */ - sa.sa_flags = 0; - sigemptyset(&sa.sa_mask); - /* Set handler for the ones we care about */ - sa.sa_handler = term_handler; - sigaction(SIGTERM, &sa, NULL); - sa.sa_handler = hup_handler; - sigaction(SIGHUP, &sa, NULL); - - /* Initialize the auparse library */ - au = auparse_init(AUSOURCE_FEED, 0); - if (au == NULL) { - printf("audisp-example is exiting due to auparse init errors"); - return -1; - } - auparse_add_callback(au, handle_event, NULL, NULL); - do { - fd_set read_mask; - struct timeval tv; - int retval; - - /* Load configuration */ - if (hup) { - reload_config(); - } - do { - tv.tv_sec = 5; - tv.tv_usec = 0; - FD_ZERO(&read_mask); - FD_SET(0, &read_mask); - if (auparse_feed_has_data(au)) - retval= select(1, &read_mask, NULL, NULL, &tv); - else - retval= select(1, &read_mask, NULL, NULL, NULL); - } while (retval == -1 && errno == EINTR && !hup && !stop); - - /* Now the event loop */ - if (!stop && !hup && retval > 0) { - if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, - stdin)) { - auparse_feed(au, tmp, strnlen(tmp, - MAX_AUDIT_MESSAGE_LENGTH)); - } - } else if (retval == 0) - auparse_flush_feed(au); - if (feof(stdin)) - break; - } while (stop == 0); - - /* Flush any 
accumulated events from queue */ - auparse_flush_feed(au); - auparse_destroy(au); - if (stop) - printf("audisp-example is exiting on stop request\n"); - else - printf("audisp-example is exiting on stdin EOF\n"); - - return 0; -} - -/* This function shows how to dump a whole event by iterating over records */ -static void dump_whole_event(auparse_state_t *au) -{ - auparse_first_record(au); - do { - printf("%s\n", auparse_get_record_text(au)); - } while (auparse_next_record(au) > 0); - printf("\n"); -} - -/* This function shows how to dump a whole record's text */ -static void dump_whole_record(auparse_state_t *au) -{ - printf("%s: %s\n", audit_msg_type_to_name(auparse_get_type(au)), - auparse_get_record_text(au)); - printf("\n"); -} - -/* This function shows how to iterate through the fields of a record - * and print its name and raw value and interpretted value. */ -static void dump_fields_of_record(auparse_state_t *au) -{ - printf("record type %d(%s) has %d fields\n", auparse_get_type(au), - audit_msg_type_to_name(auparse_get_type(au)), - auparse_get_num_fields(au)); - - printf("line=%d file=%s\n", auparse_get_line_number(au), - auparse_get_filename(au) ? auparse_get_filename(au) : "stdin"); - - const au_event_t *e = auparse_get_timestamp(au); - if (e == NULL) { - printf("Error getting timestamp - aborting\n"); - return; - } - /* Note that e->sec can be treated as time_t data if you want - * something a little more readable */ - printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, - e->milli, e->serial, e->host ? e->host : "?"); - auparse_first_field(au); - - do { - printf("field: %s=%s (%s)\n", - auparse_get_field_name(au), - auparse_get_field_str(au), - auparse_interpret_field(au)); - } while (auparse_next_field(au) > 0); - printf("\n"); -} - -/* This function receives a single complete event at a time from the auparse - * library. This is where the main analysis code would be added. 
*/ -static void handle_event(auparse_state_t *au, - auparse_cb_event_t cb_event_type, void *user_data) -{ - int type, num=0; - - if (cb_event_type != AUPARSE_CB_EVENT_READY) - return; - - /* Loop through the records in the event looking for one to process. - We use physical record number because we may search around and - move the cursor accidentally skipping a record. */ - while (auparse_goto_record_num(au, num) > 0) { - type = auparse_get_type(au); - /* Now we can branch based on what record type we find. - This is just a few suggestions, but it could be anything. */ - switch (type) { - case AUDIT_AVC: - dump_fields_of_record(au); - break; - case AUDIT_SYSCALL: - dump_whole_record(au); - break; - case AUDIT_USER_LOGIN: - break; - case AUDIT_ANOM_ABEND: - break; - case AUDIT_MAC_STATUS: - dump_whole_event(au); - break; - default: - break; - } - num++; - } -} - diff --git a/framework/src/audit/contrib/plugin/audisp-example.conf b/framework/src/audit/contrib/plugin/audisp-example.conf deleted file mode 100644 index e8a7b81e..00000000 --- a/framework/src/audit/contrib/plugin/audisp-example.conf +++ /dev/null @@ -1,10 +0,0 @@ -# This file controls the configuration of the -# example syslog plugin. It simply takes events and writes -# them to syslog. - -active = no -direction = out -path = /sbin/audisp-example -type = always -args = 1 -format = string diff --git a/framework/src/audit/contrib/skeleton.c b/framework/src/audit/contrib/skeleton.c deleted file mode 100644 index 7e041042..00000000 --- a/framework/src/audit/contrib/skeleton.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* skeleton.c -- - * - * This is a sample program that you can customize to create your own audit - * event handler. It will be started by auditd via the dispatcher option in - * /etc/audit/auditd.conf. This program can be built as follows: - * - * gcc skeleton.c -o skeleton -laudit - */ - -#include <stdio.h> -#include <sys/types.h> -#include <sys/uio.h> -#include <unistd.h> -#include <stdlib.h> -#include <signal.h> -#include <fcntl.h> -#include <errno.h> -#include <string.h> -#include <locale.h> -#include "libaudit.h" - - -// Local data -static volatile int signaled = 0; -static int pipe_fd; -static const char *pgm = "skeleton"; - -// Local functions -static int event_loop(void); - -// SIGTERM handler -static void term_handler( int sig ) -{ - signaled = 1; -} - - -/* - * main is started by auditd. See dispatcher in auditd.conf - */ -int main(int argc, char *argv[]) -{ - struct sigaction sa; - - setlocale (LC_ALL, ""); - openlog(pgm, LOG_PID, LOG_DAEMON); - syslog(LOG_NOTICE, "starting..."); - -#ifndef DEBUG - // Make sure we are root - if (getuid() != 0) { - syslog(LOG_ERR, "You must be root to run this program."); - return 4; - } -#endif - - // register sighandlers - sa.sa_flags = 0 ; - sa.sa_handler = term_handler; - sigemptyset( &sa.sa_mask ) ; - sigaction( SIGTERM, &sa, NULL ); - sa.sa_handler = term_handler; - sigemptyset( &sa.sa_mask ) ; - sigaction( SIGCHLD, &sa, NULL ); - sa.sa_handler = SIG_IGN; - sigaction( SIGHUP, &sa, NULL ); - (void)chdir("/"); - - // change over to pipe_fd - pipe_fd = dup(0); - close(0); - open("/dev/null", O_RDONLY); - fcntl(pipe_fd, F_SETFD, FD_CLOEXEC); - - // Start the program - return event_loop(); -} - -static int event_loop(void) -{ - void *data; - struct iovec vec[2]; - struct audit_dispatcher_header hdr; - - // allocate data structures - data = malloc(MAX_AUDIT_MESSAGE_LENGTH); - if (data == NULL) { - syslog(LOG_ERR, "Cannot allocate buffer"); - return 1; - } - memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH); - 
memset(&hdr, 0, sizeof(hdr)); - - do { - int rc; - struct timeval tv; - fd_set fd; - - tv.tv_sec = 1; - tv.tv_usec = 0; - FD_ZERO(&fd); - FD_SET(pipe_fd, &fd); - rc = select(pipe_fd+1, &fd, NULL, NULL, &tv); - if (rc == 0) - continue; - else if (rc == -1) - break; - - /* Get header first. it is fixed size */ - vec[0].iov_base = (void*)&hdr; - vec[0].iov_len = sizeof(hdr); - do { - rc = readv(fd, &vec[0], 1); - } while (rc < 0 && errno == EINTR); - - if (rc > 0) { - // Next payload - vec[1].iov_base = data; - vec[1].iov_len = hdr.size; - do { - rc = readv(fd, &vec[1], 1); - } while (rc < 0 && errno == EINTR); - } - if (rc <= 0) { - syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno)); - continue; - } - - // Handle events here. Just for illustration, we print - // to syslog, but you will want to do something else. - syslog(LOG_NOTICE,"type=%d, payload size=%d", - hdr.type, hdr.size); - syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size, - (char *)data); - - } while(!signaled); - - return 0; -} - diff --git a/framework/src/audit/contrib/stig.rules b/framework/src/audit/contrib/stig.rules deleted file mode 100644 index 5a51d7f0..00000000 --- a/framework/src/audit/contrib/stig.rules +++ /dev/null 
@@ -1,193 +0,0 @@ -## This file contains the auditctl rules that are loaded -## whenever the audit daemon is started via the initscripts. -## The rules are simply the parameters that would be passed -## to auditctl. -## -## First rule - delete all --D - -## Increase the buffers to survive stress events. -## Make this bigger for busy systems --b 8192 - -## Set failure mode to panic --f 2 - -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - -## NOTE: -## 1) if this is being used on a 32 bit machine, comment out the b64 lines -## 2) These rules assume that login under the root account is not allowed. -## 3) It is also assumed that 500 represents the first usable user account. To -## be sure, look at UID_MIN in /etc/login.defs. -## 4) If these rules generate too much spurious data for your tastes, limit the -## the syscall file rules with a directory, like -F dir=/etc -## 5) You can search for the results on the key fields in the rules -## -## -## (GEN002880: CAT II) The IAO will ensure the auditing software can -## record the following for each audit event: -##- Date and time of the event -##- Userid that initiated the event -##- Type of event -##- Success or failure of the event -##- For I&A events, the origin of the request (e.g., terminal ID) -##- For events that introduce an object into a user’s address space, and -## for object deletion events, the name of the object, and in MLS -## systems, the object’s security level. 
-## -## Things that could affect time --a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -# Introduced in 2.6.39, commented out because it can make false positives -#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change -#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change --w /etc/localtime -p wa -k time-change - -## Things that affect identity --w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity - -## Things that could affect system locale --a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale --a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale --w /etc/issue -p wa -k system-locale --w /etc/issue.net -p wa -k system-locale --w /etc/hosts -p wa -k system-locale --w /etc/sysconfig/network -p wa -k system-locale --a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale - -## Things that could affect MAC policy --a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy - - -## (GEN002900: CAT III) The IAO will ensure audit files are retained at -## least one year; systems containing SAMI will be retained for five years. -## -## Site action - no action in config files - -## (GEN002920: CAT III) The IAO will ensure audit files are backed up -## no less than weekly onto a different system than the system being -## audited or backup media. -## -## Can be done with cron script - -## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data -## files have permissions of 640, or more restrictive. 
-## -## Done automatically by auditd - -## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will -## configure the auditing system to audit the following events for all -## users and root: -## -## - Logon (unsuccessful and successful) and logout (successful) -## -## Handled by pam, sshd, login, and gdm -## Might also want to watch these files if needing extra information -#-w /var/log/tallylog -p wa -k logins -#-w /var/run/faillock/ -p wa -k logins -#-w /var/log/lastlog -p wa -k logins - - -##- Process and session initiation (unsuccessful and successful) -## -## The session initiation is audited by pam without any rules needed. -## Might also want to watch this file if needing extra information -#-w /var/run/utmp -p wa -k session -#-w /var/log/btmp -p wa -k session -#-w /var/log/wtmp -p wa -k session - -##- Discretionary access control permission modification (unsuccessful -## and successful use of chown/chmod) --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod - -##- Unauthorized access attempts to files (unsuccessful) --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F 
key=access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access - -##- Use of privileged commands (unsuccessful and successful) -## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this --a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged - -##- Use of print command (unsuccessful and successful) - -##- Export to media (successful) -## You have to mount media before using it. You must disable all automounting -## so that its done manually in order to get the correct user requesting the -## export --a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export --a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export - -##- System startup and shutdown (unsuccessful and successful) - -##- Files and programs deleted by the user (successful and unsuccessful) --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete - -##- All system administration actions -##- All security personnel actions -## -## Look for pam_tty_audit and add it to your login entry point's pam configs. -## If that is not found, use sudo which should be patched to record its -## commands to the audit system. Do not allow unrestricted root shells or -## sudo cannot record the action. --w /etc/sudoers -p wa -k actions --w /etc/sudoers.d/ -p wa -k actions - -## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will -##ensure old audit logs are closed and new audit logs are started daily. -## -## Site action. 
Can be assisted by a cron job - -## Not specifically required by the STIG; but common sense items -## Optional - could indicate someone trying to do something bad or -## just debugging -#-a always,exit -F arch=b32 -S ptrace -F key=tracing -#-a always,exit -F arch=b64 -S ptrace -F key=tracing -#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection -#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection -#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection - -## Optional - might want to watch module insertion -#-w /sbin/insmod -p x -k modules -#-w /sbin/rmmod -p x -k modules -#-w /sbin/modprobe -p x -k modules -#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -#-a always,exit -F arch=b32 -S delete_module -F key=module-unload -#-a always,exit -F arch=b64 -S delete_module -F key=module-unload - -## Optional - admin may be abusing power by looking in user's home dir -#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - -## Optional - log container creation -#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create -#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create - -## Optional - watch for containers that may change their configuration -#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config -#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config - -## Put your own watches after this point -# -w /your-file -p rwxa -k mykey - -## Make the configuration immutable - reboot is required to change audit rules --e 2 - |