diff options
Diffstat (limited to 'framework/src/audit/contrib')
| -rwxr-xr-x | framework/src/audit/contrib/avc_snap | 90 | ||||
| -rw-r--r-- | framework/src/audit/contrib/capp.rules | 302 | ||||
| -rw-r--r-- | framework/src/audit/contrib/lspp.rules | 343 | ||||
| -rw-r--r-- | framework/src/audit/contrib/nispom.rules | 148 | ||||
| -rw-r--r-- | framework/src/audit/contrib/plugin/Makefile | 7 | ||||
| -rw-r--r-- | framework/src/audit/contrib/plugin/audisp-example.c | 229 | ||||
| -rw-r--r-- | framework/src/audit/contrib/plugin/audisp-example.conf | 10 | ||||
| -rw-r--r-- | framework/src/audit/contrib/skeleton.c | 140 | ||||
| -rw-r--r-- | framework/src/audit/contrib/stig.rules | 193 |
9 files changed, 1462 insertions, 0 deletions
diff --git a/framework/src/audit/contrib/avc_snap b/framework/src/audit/contrib/avc_snap new file mode 100755 index 00000000..f4acba7d --- /dev/null +++ b/framework/src/audit/contrib/avc_snap @@ -0,0 +1,90 @@ +#! /usr/bin/env python +import os, string, select, struct, syslog +import audit, avc, traceback +import AuditMsg +from setroubleshoot.signature import * +from setroubleshoot.util import LoadPlugins + +class avc_snap: + def __init__(self): + self.audit_list = [] + self.cur_sig = "" + self.plugins = LoadPlugins() + syslog.syslog( "Number of Plugins = %d" % len(self.plugins)) + + def is_avc(self): + for i in self.audit_list: + if i[0] == audit.AUDIT_AVC: + return True + return False + + def out(self): + if self.is_avc(): + rules=avc.SERules() + l=[] + for ( type, data_list ) in self.audit_list: + l += data_list + + if "granted" in l: + self.audit_list = [] + return + + rules.translate(l) + myavc = AVC(rules.AVCS[0]) + for plugin in self.plugins: + try: + if plugin.analyze(myavc): + plugin.report() + break; + + except TypeError, e: + syslog.syslog("Type exception %s: %s " % ( plugin.analysisID, e.args)) + except: + syslog.syslog("Plugin Exception %s " % plugin.analysisID) + + self.audit_list = [] + + def process(self, type, data): + data_list=data.split() + new_sig=data_list[0] + + if len(self.audit_list) > 0 and new_sig != self.cur_sig: + self.out() + self.cur_sig = new_sig + + self.audit_list.append((type, data_list[1:])) + + def run(self): + while 1: + input,output, err = select.select([0],[], [], 5) + try: + if 0 in input: + msg = AuditMsg.AuditMsg() + if not msg.read_from_fd(0): + syslog.syslog("Connection closing") + return + self.process(msg.get_type(), msg.get_body()) + else: + self.out() + + except struct.error, e: + syslog.syslog("struct exception %s " % e.args) + return + except TypeError, e: + syslog.syslog("Type exception %s " % e.args) + +try: + syslog.openlog("avc_snap") + snap=avc_snap() + snap.run() + +except IOError,e: + syslog.syslog("IOError exception %s" % e.args) + +except Exception, e: + syslog.syslog("Unexpected exception %s " % e.args) + syslog.syslog(traceback.format_exc()) + +except: + syslog.syslog("Caught Exception") + syslog.syslog(traceback.format_exc()) diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules new file mode 100644 index 00000000..5e38274f --- /dev/null +++ b/framework/src/audit/contrib/capp.rules @@ -0,0 +1,302 @@ +## +## This file contains a sample audit configuration. Combined with the +## system events that are audited by default, this set of rules causes +## audit to generate records for the auditable events specified by the +## Controlled Access Protection Profile (CAPP). +## +## It should be noted that this set of rules identifies directories by +## leaving a / at the end of the path. +## +## For audit 2.0.6 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## +## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 +## successful and unsuccessful attempts to read information from the +## audit records; all modifications to the audit trail +## +-w /var/log/audit/ -k LOG_audit + +## +## FAU_SEL.1, FMT_MTD.1 +## modifications to audit configuration that occur while the audit +## collection functions are operating; all modications to the set of +## audited events +## +-w /etc/audit/ -p wa -k CFG_audit +-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf +-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf +-w /etc/audisp/ -p wa -k CFG_audisp + +## +## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 +## all requests to perform an operation on an object covered by the +## SFP; all modifications of the values of security attributes; +## modifications to TSF data; attempts to revoke security attributes +## + +## Objects covered by the Security Functional Policy (SFP) are: +## -File system objects (files, directories, special files, extended attributes) +## -IPC objects (SYSV shared memory, message queues, and semaphores) + +## Operations on file system objects - by default, only monitor +## files and directories covered by filesystem watches. + +## Changes in ownership and permissions +#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown +#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown +## Enable *32 rules if you are running on i386 or s390 +## Do not use for x86_64, ia64, ppc, ppc64, or s390x +#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 + +## File content modification. Permissions are checked at open time, +## monitoring individual read/write calls is not useful. +#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +## Enable *64 rules if you are running on i386, ppc, ppc64, s390 +## Do not use for x86_64, ia64, or s390x +#-a always,exit -F arch=b32 -S truncate64,ftruncate64 + +## directory operations +#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir +#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir + +## moving, removing, and linking +#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat +#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat + +## Extended attribute operations +## Enable if you are interested in these events +#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr +#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + +## special files +-a always,exit -F arch=b32 -S mknod,mknodat +-a always,exit -F arch=b64 -S mknod,mknodat + +## Other file system operations +## Enable if i386 +-a always,exit -F arch=b32 -S mount,umount,umount2 +## Enable if ppc, s390, or s390x +#-a always,exit -F arch=b32 -S mount,umount,umount2 +#-a always,exit -F arch=b64 -S mount,umount,umount2 +## Enable if ia64 +#-a always,exit -F arch=b64 -S mount,umount +## Enable if x86_64 +#-a always,exit -F arch=b64 -S mount,umount2 +#-a always,exit -F arch=b32 -S mount,umount,umount2 + +## IPC SYSV message queues +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## msgctl +#-a always,exit -S ipc -F a0=14 +## msgget +#-a always,exit -S ipc -F a0=13 +## Enable if you are interested in these events (x86_64,ia64) +#-a always,exit -S msgctl +#-a always,exit -S msgget + +## IPC SYSV semaphores +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## semctl +#-a always,exit -S ipc -F a0=3 +## semget +#-a always,exit -S ipc -F a0=2 +## semop +#-a always,exit -S ipc -F a0=1 +## semtimedop +#-a always,exit -S ipc -F a0=4 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S semctl +#-a always,exit -S semget +#-a always,exit -S semop +#-a always,exit -S semtimedop + +## IPC SYSV shared memory +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## shmctl +#-a always,exit -S ipc -F a0=24 +## shmget +#-a always,exit -S ipc -F a0=23 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S shmctl +#-a always,exit -S shmget + +## +## FIA_USB.1 +## success and failure of binding user security attributes to a subject +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S clone +#-a always,exit -F arch=b64 -S clone +#-a always,exit -F arch=b32 -S fork,vfork +#-a always,exit -F arch=b64 -S fork,vfork +## For ia64 architecture, disable fork and vfork rules above, and +## enable the following: +#-a always,exit -S clone2 + +## +## FMT_MSA.3 +## modifications of the default setting of permissive or restrictive +## rules, all modifications of the initial value of security attributes +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S umask +#-a always,exit -F arch=b64 -S umask + +## +## FPT_STM.1 +## changes to the time +## +-a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime +-a always,exit -F arch=b64 -S adjtimex,settimeofday +-a always,exit -F arch=b32 -S clock_settime -F a0=0 +-a always,exit -F arch=b64 -S clock_settime -F a0=0 +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change + +## +## FTP_ITC.1 +## set-up of trusted channel +## +-w /usr/sbin/stunnel -p x + +## +## Security Databases +## + +## cron configuration & scheduled jobs +-w /etc/cron.allow -p wa -k CFG_cron.allow +-w /etc/cron.deny -p wa -k CFG_cron.deny +-w /etc/cron.d/ -p wa -k CFG_cron.d +-w /etc/cron.daily/ -p wa -k CFG_cron.daily +-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly +-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly +-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly +-w /etc/crontab -p wa -k CFG_crontab +-w /var/spool/cron/root -k CFG_crontab_root + +## user, group, password databases +-w /etc/group -p wa -k CFG_group +-w /etc/passwd -p wa -k CFG_passwd +-w /etc/gshadow -k CFG_gshadow +-w /etc/shadow -k CFG_shadow +-w /etc/security/opasswd -k CFG_opasswd + +## login configuration and information +-w /etc/login.defs -p wa -k CFG_login.defs +-w /etc/securetty -p wa -k CFG_securetty +-w /var/run/faillock/ -p wa -k LOG_faillock +-w /var/log/lastlog -p wa -k LOG_lastlog +-w /var/log/tallylog -p wa -k LOG_tallylog + +## network configuration +-w /etc/hosts -p wa -k CFG_hosts +-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network + +## system startup scripts +-w /etc/sysconfig/init -p wa -k CFG_init +-w /etc/init/ -p wa -k CFG_init +-w /etc/inittab -p wa -k CFG_inittab +-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts + +## library search paths +-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf + +## local time zone +-w /etc/localtime -p wa -k CFG_localtime + +## kernel parameters +-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf + +## modprobe configuration +-w /etc/modprobe.d/ -p wa -k CFG_modprobe + +## pam configuration +-w /etc/pam.d/ -p wa -k CFG_pam +-w /etc/security/access.conf -p wa -k CFG_pam +-w /etc/security/limits.conf -p wa -k CFG_pam +-w /etc/security/pam_env.conf -p wa -k CFG_pam +-w /etc/security/namespace.conf -p wa -k CFG_pam +-w /etc/security/namespace.d/ -p wa -k CFG_pam +-w /etc/security/namespace.init -p wa -k CFG_pam +-w /etc/security/sepermit.conf -p wa -k CFG_pam +-w /etc/security/time.conf -p wa -k CFG_pam + +## postfix configuration +-w /etc/aliases -p wa -k CFG_aliases +-w /etc/postfix/ -p wa -k CFG_postfix + +## screen configuration +-w /etc/screenrc -p wa -k CFG_screen + +## ssh configuration +-w /etc/ssh/sshd_config -k CFG_sshd_config + +## stunnel configuration +-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf +-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem + +## sudo configuration +-w /etc/sudoers -k CFG_sudoers +-w /etc/sudoers.d/ -k CFG_sudoers + +## Not specifically required by CAPP; but common sense items +-a always,exit -F arch=b32 -S sethostname -S setdomainname +-a always,exit -F arch=b64 -S sethostname -S setdomainname +-w /etc/issue -p wa -k CFG_issue +-w /etc/issue.net -p wa -k CFG_issue.net + +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules new file mode 100644 index 00000000..e0919bd2 --- /dev/null +++ b/framework/src/audit/contrib/lspp.rules @@ -0,0 +1,343 @@ +## +## This file contains a sample audit configuration. Combined with the +## system events that are audited by default, this set of rules causes +## audit to generate records for the auditable events specified by the +## Labeled Security Protection Profile (LSPP). +## +## It should be noted that this set of rules identifies directories by +## leaving a / at the end of the path. +## +## For audit 2.0.6 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## +## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 +## successful and unsuccessful attempts to read information from the +## audit records; all modifications to the audit trail +## +-w /var/log/audit/ -k LOG_audit + +## +## FAU_SEL.1, FMT_MTD.1 +## modifications to audit configuration that occur while the audit +## collection functions are operating; all modications to the set of +## audited events +## +-w /etc/audit/ -p wa -k CFG_audit +-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf +-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf +-w /etc/audisp/ -p wa -k CFG_audisp + +## +## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2 +## all requests to perform an operation on an object covered by the +## SFP; all modifications of the values of security attributes; +## modifications to TSF data; attempts to revoke security attributes; +## all attempts to export information; all attempts to import user +## data, including any security attributes + +## Objects covered by the Security Functional Policy (SFP) are: +## -File system objects (files, directories, special files, extended attributes) +## -IPC objects (SYSV shared memory, message queues, and semaphores) + +## Operations on file system objects - by default, only monitor +## files and directories covered by filesystem watches. + +## Changes in ownership and permissions +#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat +#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown +#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown +## Enable *32 rules if you are running on i386 or s390 +## Do not use for x86_64, ia64, ppc, ppc64, or s390x +#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 + +## File content modification. Permissions are checked at open time, +## monitoring individual read/write calls is not useful. +#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate +## Enable *64 rules if you are running on i386, ppc, ppc64, s390 +## Do not use for x86_64, ia64, or s390x +#-a always,exit -F arch=b32 -S truncate64,ftruncate64 + +## directory operations +#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir +#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir + +## moving, removing, and linking +#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat +#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat +#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat + +## Extended attribute operations +## Enable if you are interested in these events +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr + +## special files +-a always,exit -F arch=b32 -S mknod,mknodat +-a always,exit -F arch=b64 -S mknod,mknodat + +## Other file system operations +## Enable if i386 +-a always,exit -F arch=b32 -S mount,umount,umount2 +## Enable if ppc, s390, or s390x +#-a always,exit -F arch=b32 -S mount,umount,umount2 +#-a always,exit -F arch=b64 -S mount,umount,umount2 +## Enable if ia64 +#-a always,exit -F arch=b64 -S mount,umount +## Enable if x86_64 +#-a always,exit -F arch=b64 -S mount,umount2 +#-a always,exit -F arch=b32 -S mount,umount,umount2 + +## IPC SYSV message queues +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## msgctl +#-a always,exit -S ipc -F a0=14 +## msgget +#-a always,exit -S ipc -F a0=13 +## Enable if you are interested in these events (x86_64,ia64) +#-a always,exit -S msgctl +#-a always,exit -S msgget + +## IPC SYSV semaphores +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## semctl +#-a always,exit -S ipc -F a0=0x3 +## semget +#-a always,exit -S ipc -F a0=0x2 +## semop +#-a always,exit -S ipc -F a0=0x1 +## semtimedop +#-a always,exit -S ipc -F a0=0x4 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S semctl +#-a always,exit -S semget +#-a always,exit -S semop +#-a always,exit -S semtimedop + +## IPC SYSV shared memory +## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) +## shmctl +#-a always,exit -S ipc -F a0=24 +## shmget +#-a always,exit -S ipc -F a0=23 +## Enable if you are interested in these events (x86_64, ia64) +#-a always,exit -S shmctl +#-a always,exit -S shmget + +## +## FIA_USB.1 +## success and failure of binding user security attributes to a subject +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S clone +#-a always,exit -F arch=b64 -S clone +#-a always,exit -F arch=b32 -S fork,vfork +#-a always,exit -F arch=b64 -S fork,vfork +## For ia64 architecture, disable fork and vfork rules above, and +## enable the following: +#-a always,exit -S clone2 + +## +## FDP_ETC.2 +## Export of Labeled User Data +## +## Printing +-w /etc/cups/ -p wa -k CFG_cups +-w /etc/init.d/cups -p wa -k CFG_initd_cups + +## +## FDP_ETC.2, FDP_ITC.2 +## Export/Import of Labeled User Data +## +## Networking +-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules +-w /etc/ipsec.conf -p wa -k CFG_ipsec.conf +-w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf +-w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets + +## +## FDP_IFC.1 +## Mandatory Access Control Policy +## +-w /etc/selinux/config -p wa -k CFG_selinux_config +-w /etc/selinux/mls/ -p wa -k CFG_MAC_policy +-w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy +-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy + +## +## FMT_MSA.3 +## modifications of the default setting of permissive or restrictive +## rules, all modifications of the initial value of security attributes +## +## Enable if you are interested in these events +## +#-a always,exit -F arch=b32 -S umask +#-a always,exit -F arch=b64 -S umask + +## +## FPT_STM.1 +## changes to the time +## +-a always,exit -F arch=b32 -S stime,adjtimex,settimeofday +-a always,exit -F arch=b64 -S adjtimex,settimeofday +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change + +## +## FTP_ITC.1 +## set-up of trusted channel +## +-w /usr/sbin/stunnel -p x + +## +## FPT_TST.1 Self Test +## aide is used to verify integrity of data and executables +## +-w /etc/aide.conf -p wa -k CFG_aide.conf +-w /var/lib/aide/aide.db.gz -k CFG_aide.db +-w /var/lib/aide/aide.db.new.gz -k CFG_aide.db +-w /var/log/aide/ -p wa -k CFG_aide.log + +## +## Security Databases +## + +## cron configuration & scheduled jobs +-w /etc/cron.allow -p wa -k CFG_cron.allow +-w /etc/cron.deny -p wa -k CFG_cron.deny +-w /etc/cron.d/ -p wa -k CFG_cron.d +-w /etc/cron.daily/ -p wa -k CFG_cron.daily +-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly +-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly +-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly +-w /etc/crontab -p wa -k CFG_crontab +-w /var/spool/cron/root -k CFG_crontab_root + +## user, group, password databases +-w /etc/group -p wa -k CFG_group +-w /etc/passwd -p wa -k CFG_passwd +-w /etc/gshadow -k CFG_gshadow +-w /etc/shadow -k CFG_shadow +-w /etc/security/opasswd -k CFG_opasswd + +## login configuration and information +-w /etc/login.defs -p wa -k CFG_login.defs +-w /etc/securetty -p wa -k CFG_securetty +-w /var/run/faillock/ -p wa -k LOG_faillock +-w /var/log/lastlog -p wa -k LOG_lastlog +-w /var/log/tallylog -p wa -k LOG_tallylog + +## network configuration +-w /etc/hosts -p wa -k CFG_hosts +-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network + +## system startup scripts +-w /etc/sysconfig/init -p wa -k CFG_init +-w /etc/init/ -p wa -k CFG_init +-w /etc/inittab -p wa -k CFG_inittab +-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts + +## library search paths +-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf + +## local time zone +-w /etc/localtime -p wa -k CFG_localtime + +## kernel parameters +-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf + +## modprobe configuration +-w /etc/modprobe.d/ -p wa -k CFG_modprobe + +## pam configuration +-w /etc/pam.d/ -p wa -k CFG_pam +-w /etc/security/access.conf -p wa -k CFG_pam +-w /etc/security/limits.conf -p wa -k CFG_pam +-w /etc/security/pam_env.conf -p wa -k CFG_pam +-w /etc/security/namespace.conf -p wa -k CFG_pam +-w /etc/security/namespace.d/ -p wa -k CFG_pam +-w /etc/security/namespace.init -p wa -k CFG_pam +-w /etc/security/sepermit.conf -p wa -k CFG_pam +-w /etc/security/time.conf -p wa -k CFG_pam + +## postfix configuration +-w /etc/aliases -p wa -k CFG_aliases +-w /etc/postfix/ -p wa -k CFG_postfix + +## screen configuration +-w /etc/screenrc -p wa -k CFG_screen + +## ssh configuration +-w /etc/ssh/sshd_config -k CFG_sshd_config + +## stunnel configuration +-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf +-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem + +## sudo configuration +-w /etc/sudoers -k CFG_sudoers +-w /etc/sudoers.d/ -k CFG_sudoers + +## xinetd configuration +-w /etc/xinetd.d/ -k CFG_xinetd.d +-w /etc/xinetd.conf -k CFG_xinetd.conf + +## Not specifically required by LSPP; but common sense items +-a always,exit -F arch=b32 -S sethostname,setdomainname +-a always,exit -F arch=b64 -S sethostname,setdomainname +-w /etc/issue -p wa -k CFG_issue +-w /etc/issue.net -p wa -k CFG_issue.net + +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules new file mode 100644 index 00000000..6bcca086 --- /dev/null +++ b/framework/src/audit/contrib/nispom.rules @@ -0,0 +1,148 @@ +## +## This file contains the a sample audit configuration intended to +## meet the NISPOM Chapter 8 rules. +## +## This file should be saved as /etc/audit/audit.rules. +## +## For audit 1.6.5 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## Make the loginuid immutable. This prevents tampering with the auid. +--loginuid-immutable + +## Audit 1, 1(a) Enough information to determine the date and time of +## action (e.g., common network time), the system locale of the action, +## the system entity that initiated or completed the action, the resources +## involved, and the action involved. + +## Things that could affect time +-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change +-w /etc/localtime -p wa -k time-change + +## Things that could affect system locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/sysconfig/network -p wa -k system-locale +-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale + +## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. +## This is covered by patches to login, gdm, and openssh +## Might also want to watch these files if needing extra information +#-w /var/log/tallylog -p wa -k logins +#-w /var/run/faillock/ -p wa -k logins +#-w /var/log/lastlog -p wa -k logins +#-w /var/log/btmp -p wa -k logins +#-w /var/run/utmp -p wa -k logins + +## Audit 1, 1(c) Successful and unsuccessful accesses to +## security-relevant objects and directories, including +## creation, open, close, modification, and deletion. + +## unsuccessful creation +-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation +-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation +-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation +-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation + +## unsuccessful open +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open +-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open + +## unsuccessful close +-a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close +-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close + +## unsuccessful modifications +-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods +-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods +-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods +-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods + +## unsuccessful deletion +-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete +-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete +-a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete +-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete + +## Audit 1, 1(d) Changes in user authenticators. +## Covered by patches to libpam, passwd, and shadow-utils +## Might also want to watch these files for changes +-w /etc/group -p wa -k auth +-w /etc/passwd -p wa -k auth +-w /etc/gshadow -p wa -k auth +-w /etc/shadow -p wa -k auth +-w /etc/security/opasswd -p wa -k auth + +## Audit 1, 1(e) The blocking or blacklisting of a user ID, +## terminal, or access port and the reason for the action. +## Covered by patches to pam_tally2 or pam_faillock and pam_limits + +## Audit 1, 1(f) Denial of access resulting from an excessive +## number of unsuccessful logon attempts. +## Covered by patches to pam_tally2 or pam_faillock + +## Audit 1, 2 Audit Trail Protection. The contents of audit trails +## shall be protected against unauthorized access, modification, +## or deletion. +## This should be covered by file permissions, but we can watch it +## to see any activity +-w /var/log/audit/ -k audit-logs + +## Not specifically required by NISPOM; but common sense items +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 diff --git a/framework/src/audit/contrib/plugin/Makefile b/framework/src/audit/contrib/plugin/Makefile new file mode 100644 index 00000000..4256c4d1 --- /dev/null +++ b/framework/src/audit/contrib/plugin/Makefile @@ -0,0 +1,7 @@ +CFLAGS=-g -W -Wall -Wundef +LIBS= -lauparse -laudit +all: + gcc $(CFLAGS) audisp-example.c -o audisp-example $(LIBS) + +clean: + rm -f audisp-example *.o diff --git a/framework/src/audit/contrib/plugin/audisp-example.c b/framework/src/audit/contrib/plugin/audisp-example.c new file mode 100644 index 00000000..6fcca1a1 --- /dev/null +++ b/framework/src/audit/contrib/plugin/audisp-example.c @@ -0,0 +1,229 @@ +/* audisp-example.c -- + * Copyright 2012 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * + * This is a sample program to demonstrate several concepts of how to + * write an audispd plugin using libauparse. It can be tested by using a + * file of raw audit records. You can generate the test file like: + * + * ausearch --start today --raw > test.log. + * + * Then you can test this app by: cat test.log | ./audisp-example + * + * It will print things to stdout. In a real program, you wouldn't + * do anything with stdout since that is likely to be pointing to /dev/null. + * + * Excluding some init/destroy items you might need to add to main, the + * event_handler function is the main place that you would modify to do + * things specific to your plugin. + * + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <signal.h> +#include <string.h> +#include <sys/select.h> +#include <errno.h> +#include "libaudit.h" +#include "auparse.h" + +/* Global Data */ +static volatile int stop = 0; +static volatile int hup = 0; +static auparse_state_t *au = NULL; + +/* Local declarations */ +static void handle_event(auparse_state_t *au, + auparse_cb_event_t cb_event_type, void *user_data); + +/* + * SIGTERM handler + */ +static void term_handler( int sig ) +{ + stop = 1; +} + +/* + * SIGHUP handler: re-read config + */ +static void hup_handler( int sig ) +{ + hup = 1; +} + +static void reload_config(void) +{ + hup = 0; +} + +int main(int argc, char *argv[]) +{ + char tmp[MAX_AUDIT_MESSAGE_LENGTH+1]; + struct sigaction sa; + + /* Register sighandlers */ + sa.sa_flags = 0; + sigemptyset(&sa.sa_mask); + /* Set handler for the ones we care about */ + sa.sa_handler = term_handler; + sigaction(SIGTERM, &sa, NULL); + sa.sa_handler = hup_handler; + sigaction(SIGHUP, &sa, NULL); + + /* Initialize the auparse library */ + au = auparse_init(AUSOURCE_FEED, 0); + if (au == NULL) { + printf("audisp-example is exiting due to auparse init errors"); + return -1; + } + auparse_add_callback(au, handle_event, NULL, NULL); + do { + fd_set read_mask; + struct timeval tv; + int retval; + + /* Load configuration */ + if (hup) { + reload_config(); + } + do { + tv.tv_sec = 5; + tv.tv_usec = 0; + FD_ZERO(&read_mask); + FD_SET(0, &read_mask); + if (auparse_feed_has_data(au)) + retval= select(1, &read_mask, NULL, NULL, &tv); + else + retval= select(1, &read_mask, NULL, NULL, NULL); + } while (retval == -1 && errno == EINTR && !hup && !stop); + + /* Now the event loop */ + if (!stop && !hup && retval > 0) { + if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, + stdin)) { + auparse_feed(au, tmp, strnlen(tmp, + MAX_AUDIT_MESSAGE_LENGTH)); + } + } else if (retval == 0) + auparse_flush_feed(au); + if (feof(stdin)) + break; + } while (stop == 0); + + /* Flush any accumulated events from queue */ + auparse_flush_feed(au); + auparse_destroy(au); + if (stop) + printf("audisp-example is exiting on stop request\n"); + else + printf("audisp-example is exiting on stdin EOF\n"); + + return 0; +} + +/* This function shows how to dump a whole event by iterating over records */ +static void dump_whole_event(auparse_state_t *au) +{ + auparse_first_record(au); + do { + printf("%s\n", auparse_get_record_text(au)); + } while (auparse_next_record(au) > 0); + printf("\n"); +} + +/* This function shows how to dump a whole record's text */ +static void dump_whole_record(auparse_state_t *au) +{ + printf("%s: %s\n", audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_record_text(au)); + printf("\n"); +} + +/* This function shows how to iterate through the fields of a record + * and print its name and raw value and interpretted value. */ +static void dump_fields_of_record(auparse_state_t *au) +{ + printf("record type %d(%s) has %d fields\n", auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + + printf("line=%d file=%s\n", auparse_get_line_number(au), + auparse_get_filename(au) ? auparse_get_filename(au) : "stdin"); + + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + printf("Error getting timestamp - aborting\n"); + return; + } + /* Note that e->sec can be treated as time_t data if you want + * something a little more readable */ + printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, + e->milli, e->serial, e->host ? e->host : "?"); + auparse_first_field(au); + + do { + printf("field: %s=%s (%s)\n", + auparse_get_field_name(au), + auparse_get_field_str(au), + auparse_interpret_field(au)); + } while (auparse_next_field(au) > 0); + printf("\n"); +} + +/* This function receives a single complete event at a time from the auparse + * library. This is where the main analysis code would be added. */ +static void handle_event(auparse_state_t *au, + auparse_cb_event_t cb_event_type, void *user_data) +{ + int type, num=0; + + if (cb_event_type != AUPARSE_CB_EVENT_READY) + return; + + /* Loop through the records in the event looking for one to process. + We use physical record number because we may search around and + move the cursor accidentally skipping a record. */ + while (auparse_goto_record_num(au, num) > 0) { + type = auparse_get_type(au); + /* Now we can branch based on what record type we find. + This is just a few suggestions, but it could be anything. */ + switch (type) { + case AUDIT_AVC: + dump_fields_of_record(au); + break; + case AUDIT_SYSCALL: + dump_whole_record(au); + break; + case AUDIT_USER_LOGIN: + break; + case AUDIT_ANOM_ABEND: + break; + case AUDIT_MAC_STATUS: + dump_whole_event(au); + break; + default: + break; + } + num++; + } +} + diff --git a/framework/src/audit/contrib/plugin/audisp-example.conf b/framework/src/audit/contrib/plugin/audisp-example.conf new file mode 100644 index 00000000..e8a7b81e --- /dev/null +++ b/framework/src/audit/contrib/plugin/audisp-example.conf @@ -0,0 +1,10 @@ +# This file controls the configuration of the +# example syslog plugin. It simply takes events and writes +# them to syslog. + +active = no +direction = out +path = /sbin/audisp-example +type = always +args = 1 +format = string diff --git a/framework/src/audit/contrib/skeleton.c b/framework/src/audit/contrib/skeleton.c new file mode 100644 index 00000000..7e041042 --- /dev/null +++ b/framework/src/audit/contrib/skeleton.c @@ -0,0 +1,140 @@ +/* skeleton.c -- + * + * This is a sample program that you can customize to create your own audit + * event handler. It will be started by auditd via the dispatcher option in + * /etc/audit/auditd.conf. This program can be built as follows: + * + * gcc skeleton.c -o skeleton -laudit + */ + +#include <stdio.h> +#include <sys/types.h> +#include <sys/uio.h> +#include <unistd.h> +#include <stdlib.h> +#include <signal.h> +#include <fcntl.h> +#include <errno.h> +#include <string.h> +#include <locale.h> +#include "libaudit.h" + + +// Local data +static volatile int signaled = 0; +static int pipe_fd; +static const char *pgm = "skeleton"; + +// Local functions +static int event_loop(void); + +// SIGTERM handler +static void term_handler( int sig ) +{ + signaled = 1; +} + + +/* + * main is started by auditd. See dispatcher in auditd.conf + */ +int main(int argc, char *argv[]) +{ + struct sigaction sa; + + setlocale (LC_ALL, ""); + openlog(pgm, LOG_PID, LOG_DAEMON); + syslog(LOG_NOTICE, "starting..."); + +#ifndef DEBUG + // Make sure we are root + if (getuid() != 0) { + syslog(LOG_ERR, "You must be root to run this program."); + return 4; + } +#endif + + // register sighandlers + sa.sa_flags = 0 ; + sa.sa_handler = term_handler; + sigemptyset( &sa.sa_mask ) ; + sigaction( SIGTERM, &sa, NULL ); + sa.sa_handler = term_handler; + sigemptyset( &sa.sa_mask ) ; + sigaction( SIGCHLD, &sa, NULL ); + sa.sa_handler = SIG_IGN; + sigaction( SIGHUP, &sa, NULL ); + (void)chdir("/"); + + // change over to pipe_fd + pipe_fd = dup(0); + close(0); + open("/dev/null", O_RDONLY); + fcntl(pipe_fd, F_SETFD, FD_CLOEXEC); + + // Start the program + return event_loop(); +} + +static int event_loop(void) +{ + void *data; + struct iovec vec[2]; + struct audit_dispatcher_header hdr; + + // allocate data structures + data = malloc(MAX_AUDIT_MESSAGE_LENGTH); + if (data == NULL) { + syslog(LOG_ERR, "Cannot allocate buffer"); + return 1; + } + memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH); + memset(&hdr, 0, sizeof(hdr)); + + do { + int rc; + struct timeval tv; + fd_set fd; + + tv.tv_sec = 1; + tv.tv_usec = 0; + FD_ZERO(&fd); + FD_SET(pipe_fd, &fd); + rc = select(pipe_fd+1, &fd, NULL, NULL, &tv); + if (rc == 0) + continue; + else if (rc == -1) + break; + + /* Get header first. it is fixed size */ + vec[0].iov_base = (void*)&hdr; + vec[0].iov_len = sizeof(hdr); + do { + rc = readv(fd, &vec[0], 1); + } while (rc < 0 && errno == EINTR); + + if (rc > 0) { + // Next payload + vec[1].iov_base = data; + vec[1].iov_len = hdr.size; + do { + rc = readv(fd, &vec[1], 1); + } while (rc < 0 && errno == EINTR); + } + if (rc <= 0) { + syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno)); + continue; + } + + // Handle events here. Just for illustration, we print + // to syslog, but you will want to do something else. + syslog(LOG_NOTICE,"type=%d, payload size=%d", + hdr.type, hdr.size); + syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size, + (char *)data); + + } while(!signaled); + + return 0; +} + diff --git a/framework/src/audit/contrib/stig.rules b/framework/src/audit/contrib/stig.rules new file mode 100644 index 00000000..5a51d7f0 --- /dev/null +++ b/framework/src/audit/contrib/stig.rules @@ -0,0 +1,193 @@ +## This file contains the auditctl rules that are loaded +## whenever the audit daemon is started via the initscripts. +## The rules are simply the parameters that would be passed +## to auditctl. +## +## First rule - delete all +-D + +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 + +## Set failure mode to panic +-f 2 + +## Make the loginuid immutable. This prevents tampering with the auid. +--loginuid-immutable + +## NOTE: +## 1) if this is being used on a 32 bit machine, comment out the b64 lines +## 2) These rules assume that login under the root account is not allowed. +## 3) It is also assumed that 500 represents the first usable user account. To +## be sure, look at UID_MIN in /etc/login.defs. +## 4) If these rules generate too much spurious data for your tastes, limit the +## the syscall file rules with a directory, like -F dir=/etc +## 5) You can search for the results on the key fields in the rules +## +## +## (GEN002880: CAT II) The IAO will ensure the auditing software can +## record the following for each audit event: +##- Date and time of the event +##- Userid that initiated the event +##- Type of event +##- Success or failure of the event +##- For I&A events, the origin of the request (e.g., terminal ID) +##- For events that introduce an object into a user’s address space, and +## for object deletion events, the name of the object, and in MLS +## systems, the object’s security level. +## +## Things that could affect time +-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change +-w /etc/localtime -p wa -k time-change + +## Things that affect identity +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +## Things that could affect system locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/sysconfig/network -p wa -k system-locale +-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale + +## Things that could affect MAC policy +-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy + + +## (GEN002900: CAT III) The IAO will ensure audit files are retained at +## least one year; systems containing SAMI will be retained for five years. +## +## Site action - no action in config files + +## (GEN002920: CAT III) The IAO will ensure audit files are backed up +## no less than weekly onto a different system than the system being +## audited or backup media. +## +## Can be done with cron script + +## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data +## files have permissions of 640, or more restrictive. +## +## Done automatically by auditd + +## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will +## configure the auditing system to audit the following events for all +## users and root: +## +## - Logon (unsuccessful and successful) and logout (successful) +## +## Handled by pam, sshd, login, and gdm +## Might also want to watch these files if needing extra information +#-w /var/log/tallylog -p wa -k logins +#-w /var/run/faillock/ -p wa -k logins +#-w /var/log/lastlog -p wa -k logins + + +##- Process and session initiation (unsuccessful and successful) +## +## The session initiation is audited by pam without any rules needed. +## Might also want to watch this file if needing extra information +#-w /var/run/utmp -p wa -k session +#-w /var/log/btmp -p wa -k session +#-w /var/log/wtmp -p wa -k session + +##- Discretionary access control permission modification (unsuccessful +## and successful use of chown/chmod) +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod + +##- Unauthorized access attempts to files (unsuccessful) +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access + +##- Use of privileged commands (unsuccessful and successful) +## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this +-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged + +##- Use of print command (unsuccessful and successful) + +##- Export to media (successful) +## You have to mount media before using it. You must disable all automounting +## so that its done manually in order to get the correct user requesting the +## export +-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export +-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export + +##- System startup and shutdown (unsuccessful and successful) + +##- Files and programs deleted by the user (successful and unsuccessful) +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete + +##- All system administration actions +##- All security personnel actions +## +## Look for pam_tty_audit and add it to your login entry point's pam configs. +## If that is not found, use sudo which should be patched to record its +## commands to the audit system. Do not allow unrestricted root shells or +## sudo cannot record the action. +-w /etc/sudoers -p wa -k actions +-w /etc/sudoers.d/ -p wa -k actions + +## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will +##ensure old audit logs are closed and new audit logs are started daily. +## +## Site action. Can be assisted by a cron job + +## Not specifically required by the STIG; but common sense items +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable - reboot is required to change audit rules +-e 2 + |