Diffstat (limited to 'framework/src/audit/contrib')
-rwxr-xr-xframework/src/audit/contrib/avc_snap90
-rw-r--r--framework/src/audit/contrib/capp.rules302
-rw-r--r--framework/src/audit/contrib/lspp.rules343
-rw-r--r--framework/src/audit/contrib/nispom.rules148
-rw-r--r--framework/src/audit/contrib/plugin/Makefile7
-rw-r--r--framework/src/audit/contrib/plugin/audisp-example.c229
-rw-r--r--framework/src/audit/contrib/plugin/audisp-example.conf10
-rw-r--r--framework/src/audit/contrib/skeleton.c140
-rw-r--r--framework/src/audit/contrib/stig.rules193
9 files changed, 1462 insertions, 0 deletions
diff --git a/framework/src/audit/contrib/avc_snap b/framework/src/audit/contrib/avc_snap
new file mode 100755
index 00000000..f4acba7d
--- /dev/null
+++ b/framework/src/audit/contrib/avc_snap
@@ -0,0 +1,90 @@
+#! /usr/bin/env python
+import os, string, select, struct, syslog
+import audit, avc, traceback
+import AuditMsg
+from setroubleshoot.signature import *
+from setroubleshoot.util import LoadPlugins
+
+class avc_snap:
+ def __init__(self):
+ self.audit_list = []
+ self.cur_sig = ""
+ self.plugins = LoadPlugins()
+ syslog.syslog( "Number of Plugins = %d" % len(self.plugins))
+
+ def is_avc(self):
+ for i in self.audit_list:
+ if i[0] == audit.AUDIT_AVC:
+ return True
+ return False
+
+ def out(self):
+ if self.is_avc():
+ rules=avc.SERules()
+ l=[]
+ for ( type, data_list ) in self.audit_list:
+ l += data_list
+
+ if "granted" in l:
+ self.audit_list = []
+ return
+
+ rules.translate(l)
+ myavc = AVC(rules.AVCS[0])
+ for plugin in self.plugins:
+ try:
+ if plugin.analyze(myavc):
+ plugin.report()
+ break;
+
+ except TypeError, e:
+ syslog.syslog("Type exception %s: %s " % ( plugin.analysisID, e.args))
+ except:
+ syslog.syslog("Plugin Exception %s " % plugin.analysisID)
+
+ self.audit_list = []
+
+ def process(self, type, data):
+ data_list=data.split()
+ new_sig=data_list[0]
+
+ if len(self.audit_list) > 0 and new_sig != self.cur_sig:
+ self.out()
+ self.cur_sig = new_sig
+
+ self.audit_list.append((type, data_list[1:]))
+
+ def run(self):
+ while 1:
+ input,output, err = select.select([0],[], [], 5)
+ try:
+ if 0 in input:
+ msg = AuditMsg.AuditMsg()
+ if not msg.read_from_fd(0):
+ syslog.syslog("Connection closing")
+ return
+ self.process(msg.get_type(), msg.get_body())
+ else:
+ self.out()
+
+ except struct.error, e:
+ syslog.syslog("struct exception %s " % e.args)
+ return
+ except TypeError, e:
+ syslog.syslog("Type exception %s " % e.args)
+
+try:
+ syslog.openlog("avc_snap")
+ snap=avc_snap()
+ snap.run()
+
+except IOError,e:
+ syslog.syslog("IOError exception %s" % e.args)
+
+except Exception, e:
+ syslog.syslog("Unexpected exception %s " % e.args)
+ syslog.syslog(traceback.format_exc())
+
+except:
+ syslog.syslog("Caught Exception")
+ syslog.syslog(traceback.format_exc())
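Review bot: `rules.AVCS[0]` on the `myavc = AVC(...)` line and `data_list[0]` at the top of `process()` are indexed without a length check, and the resulting IndexError is caught neither by `run()` (which handles only struct.error and TypeError) nor recoverably by the module-level handlers, so a single empty or untranslatable audit body ends the daemon. Guard both: `if not rules.AVCS: self.audit_list = []; return` before the `AVC(...)` call, and `if not data_list: return` as the first statement of `process()`. The bare `except:` in the plugin loop also drops the exception type and traceback, so a misbehaving plugin is logged only by its analysisID; `except Exception as e:` with `traceback.format_exc()` in the syslog text, as the module-level handler already does, keeps the diagnostic without catching SystemExit/KeyboardInterrupt. Minor: `break;` carries a stray semicolon and the `type` parameter of `process()` shadows the builtin.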
diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules
new file mode 100644
index 00000000..5e38274f
--- /dev/null
+++ b/framework/src/audit/contrib/capp.rules
@@ -0,0 +1,302 @@
+##
+## This file contains a sample audit configuration. Combined with the
+## system events that are audited by default, this set of rules causes
+## audit to generate records for the auditable events specified by the
+## Controlled Access Protection Profile (CAPP).
+##
+## It should be noted that this set of rules identifies directories by
+## leaving a / at the end of the path.
+##
+## For audit 2.0.6 and higher
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+##
+## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
+## successful and unsuccessful attempts to read information from the
+## audit records; all modifications to the audit trail
+##
+-w /var/log/audit/ -k LOG_audit
+
+##
+## FAU_SEL.1, FMT_MTD.1
+## modifications to audit configuration that occur while the audit
+## collection functions are operating; all modications to the set of
+## audited events
+##
+-w /etc/audit/ -p wa -k CFG_audit
+-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
+-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
+-w /etc/audisp/ -p wa -k CFG_audisp
+
+##
+## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
+## all requests to perform an operation on an object covered by the
+## SFP; all modifications of the values of security attributes;
+## modifications to TSF data; attempts to revoke security attributes
+##
+
+## Objects covered by the Security Functional Policy (SFP) are:
+## -File system objects (files, directories, special files, extended attributes)
+## -IPC objects (SYSV shared memory, message queues, and semaphores)
+
+## Operations on file system objects - by default, only monitor
+## files and directories covered by filesystem watches.
+
+## Changes in ownership and permissions
+#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
+#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
+#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
+#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
+## Enable *32 rules if you are running on i386 or s390
+## Do not use for x86_64, ia64, ppc, ppc64, or s390x
+#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
+
+## File content modification. Permissions are checked at open time,
+## monitoring individual read/write calls is not useful.
+#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+## Enable *64 rules if you are running on i386, ppc, ppc64, s390
+## Do not use for x86_64, ia64, or s390x
+#-a always,exit -F arch=b32 -S truncate64,ftruncate64
+
+## directory operations
+#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
+#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
+
+## moving, removing, and linking
+#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
+#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
+
+## Extended attribute operations
+## Enable if you are interested in these events
+#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+
+## special files
+-a always,exit -F arch=b32 -S mknod,mknodat
+-a always,exit -F arch=b64 -S mknod,mknodat
+
+## Other file system operations
+## Enable if i386
+-a always,exit -F arch=b32 -S mount,umount,umount2
+## Enable if ppc, s390, or s390x
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+#-a always,exit -F arch=b64 -S mount,umount,umount2
+## Enable if ia64
+#-a always,exit -F arch=b64 -S mount,umount
+## Enable if x86_64
+#-a always,exit -F arch=b64 -S mount,umount2
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+
+## IPC SYSV message queues
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## msgctl
+#-a always,exit -S ipc -F a0=14
+## msgget
+#-a always,exit -S ipc -F a0=13
+## Enable if you are interested in these events (x86_64,ia64)
+#-a always,exit -S msgctl
+#-a always,exit -S msgget
+
+## IPC SYSV semaphores
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## semctl
+#-a always,exit -S ipc -F a0=3
+## semget
+#-a always,exit -S ipc -F a0=2
+## semop
+#-a always,exit -S ipc -F a0=1
+## semtimedop
+#-a always,exit -S ipc -F a0=4
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S semctl
+#-a always,exit -S semget
+#-a always,exit -S semop
+#-a always,exit -S semtimedop
+
+## IPC SYSV shared memory
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## shmctl
+#-a always,exit -S ipc -F a0=24
+## shmget
+#-a always,exit -S ipc -F a0=23
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S shmctl
+#-a always,exit -S shmget
+
+##
+## FIA_USB.1
+## success and failure of binding user security attributes to a subject
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S clone
+#-a always,exit -F arch=b64 -S clone
+#-a always,exit -F arch=b32 -S fork,vfork
+#-a always,exit -F arch=b64 -S fork,vfork
+## For ia64 architecture, disable fork and vfork rules above, and
+## enable the following:
+#-a always,exit -S clone2
+
+##
+## FMT_MSA.3
+## modifications of the default setting of permissive or restrictive
+## rules, all modifications of the initial value of security attributes
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S umask
+#-a always,exit -F arch=b64 -S umask
+
+##
+## FPT_STM.1
+## changes to the time
+##
+-a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime
+-a always,exit -F arch=b64 -S adjtimex,settimeofday
+-a always,exit -F arch=b32 -S clock_settime -F a0=0
+-a always,exit -F arch=b64 -S clock_settime -F a0=0
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+
+##
+## FTP_ITC.1
+## set-up of trusted channel
+##
+-w /usr/sbin/stunnel -p x
+
+##
+## Security Databases
+##
+
+## cron configuration & scheduled jobs
+-w /etc/cron.allow -p wa -k CFG_cron.allow
+-w /etc/cron.deny -p wa -k CFG_cron.deny
+-w /etc/cron.d/ -p wa -k CFG_cron.d
+-w /etc/cron.daily/ -p wa -k CFG_cron.daily
+-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
+-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
+-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
+-w /etc/crontab -p wa -k CFG_crontab
+-w /var/spool/cron/root -k CFG_crontab_root
+
+## user, group, password databases
+-w /etc/group -p wa -k CFG_group
+-w /etc/passwd -p wa -k CFG_passwd
+-w /etc/gshadow -k CFG_gshadow
+-w /etc/shadow -k CFG_shadow
+-w /etc/security/opasswd -k CFG_opasswd
+
+## login configuration and information
+-w /etc/login.defs -p wa -k CFG_login.defs
+-w /etc/securetty -p wa -k CFG_securetty
+-w /var/run/faillock/ -p wa -k LOG_faillock
+-w /var/log/lastlog -p wa -k LOG_lastlog
+-w /var/log/tallylog -p wa -k LOG_tallylog
+
+## network configuration
+-w /etc/hosts -p wa -k CFG_hosts
+-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
+
+## system startup scripts
+-w /etc/sysconfig/init -p wa -k CFG_init
+-w /etc/init/ -p wa -k CFG_init
+-w /etc/inittab -p wa -k CFG_inittab
+-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
+
+## library search paths
+-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
+
+## local time zone
+-w /etc/localtime -p wa -k CFG_localtime
+
+## kernel parameters
+-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
+
+## modprobe configuration
+-w /etc/modprobe.d/ -p wa -k CFG_modprobe
+
+## pam configuration
+-w /etc/pam.d/ -p wa -k CFG_pam
+-w /etc/security/access.conf -p wa -k CFG_pam
+-w /etc/security/limits.conf -p wa -k CFG_pam
+-w /etc/security/pam_env.conf -p wa -k CFG_pam
+-w /etc/security/namespace.conf -p wa -k CFG_pam
+-w /etc/security/namespace.d/ -p wa -k CFG_pam
+-w /etc/security/namespace.init -p wa -k CFG_pam
+-w /etc/security/sepermit.conf -p wa -k CFG_pam
+-w /etc/security/time.conf -p wa -k CFG_pam
+
+## postfix configuration
+-w /etc/aliases -p wa -k CFG_aliases
+-w /etc/postfix/ -p wa -k CFG_postfix
+
+## screen configuration
+-w /etc/screenrc -p wa -k CFG_screen
+
+## ssh configuration
+-w /etc/ssh/sshd_config -k CFG_sshd_config
+
+## stunnel configuration
+-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
+-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
+
+## sudo configuration
+-w /etc/sudoers -k CFG_sudoers
+-w /etc/sudoers.d/ -k CFG_sudoers
+
+## Not specifically required by CAPP; but common sense items
+-a always,exit -F arch=b32 -S sethostname -S setdomainname
+-a always,exit -F arch=b64 -S sethostname -S setdomainname
+-w /etc/issue -p wa -k CFG_issue
+-w /etc/issue.net -p wa -k CFG_issue.net
+
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable
+#-e 2
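Review bot: The FTP_ITC.1 watch `-w /usr/sbin/stunnel -p x` is the only active rule in this file without a `-k` key, so its records cannot be pulled with `ausearch -k` or correlated with the `CFG_stunnel.*` watches further down; `-w /usr/sbin/stunnel -p x -k stunnel` (key name to taste) would fix that, and the same keyless watch appears in lspp.rules. The syscall lists are also written in two styles, `-S adjtimex,settimeofday -S stime` and `-S sethostname -S setdomainname` here versus the comma form `-S sethostname,setdomainname` used in lspp.rules and nispom.rules; using the comma form throughout makes the three profiles diffable against each other. Likewise `-F a0=0` here versus `-F a0=0x0` in the sibling files is equivalent but gratuitously different.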
diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules
new file mode 100644
index 00000000..e0919bd2
--- /dev/null
+++ b/framework/src/audit/contrib/lspp.rules
@@ -0,0 +1,343 @@
+##
+## This file contains a sample audit configuration. Combined with the
+## system events that are audited by default, this set of rules causes
+## audit to generate records for the auditable events specified by the
+## Labeled Security Protection Profile (LSPP).
+##
+## It should be noted that this set of rules identifies directories by
+## leaving a / at the end of the path.
+##
+## For audit 2.0.6 and higher
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+##
+## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
+## successful and unsuccessful attempts to read information from the
+## audit records; all modifications to the audit trail
+##
+-w /var/log/audit/ -k LOG_audit
+
+##
+## FAU_SEL.1, FMT_MTD.1
+## modifications to audit configuration that occur while the audit
+## collection functions are operating; all modications to the set of
+## audited events
+##
+-w /etc/audit/ -p wa -k CFG_audit
+-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
+-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
+-w /etc/audisp/ -p wa -k CFG_audisp
+
+##
+## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
+## all requests to perform an operation on an object covered by the
+## SFP; all modifications of the values of security attributes;
+## modifications to TSF data; attempts to revoke security attributes;
+## all attempts to export information; all attempts to import user
+## data, including any security attributes
+
+## Objects covered by the Security Functional Policy (SFP) are:
+## -File system objects (files, directories, special files, extended attributes)
+## -IPC objects (SYSV shared memory, message queues, and semaphores)
+
+## Operations on file system objects - by default, only monitor
+## files and directories covered by filesystem watches.
+
+## Changes in ownership and permissions
+#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
+#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
+#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
+#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
+## Enable *32 rules if you are running on i386 or s390
+## Do not use for x86_64, ia64, ppc, ppc64, or s390x
+#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
+
+## File content modification. Permissions are checked at open time,
+## monitoring individual read/write calls is not useful.
+#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+## Enable *64 rules if you are running on i386, ppc, ppc64, s390
+## Do not use for x86_64, ia64, or s390x
+#-a always,exit -F arch=b32 -S truncate64,ftruncate64
+
+## directory operations
+#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
+#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
+
+## moving, removing, and linking
+#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
+#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
+
+## Extended attribute operations
+## Enable if you are interested in these events
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+
+## special files
+-a always,exit -F arch=b32 -S mknod,mknodat
+-a always,exit -F arch=b64 -S mknod,mknodat
+
+## Other file system operations
+## Enable if i386
+-a always,exit -F arch=b32 -S mount,umount,umount2
+## Enable if ppc, s390, or s390x
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+#-a always,exit -F arch=b64 -S mount,umount,umount2
+## Enable if ia64
+#-a always,exit -F arch=b64 -S mount,umount
+## Enable if x86_64
+#-a always,exit -F arch=b64 -S mount,umount2
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+
+## IPC SYSV message queues
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## msgctl
+#-a always,exit -S ipc -F a0=14
+## msgget
+#-a always,exit -S ipc -F a0=13
+## Enable if you are interested in these events (x86_64,ia64)
+#-a always,exit -S msgctl
+#-a always,exit -S msgget
+
+## IPC SYSV semaphores
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## semctl
+#-a always,exit -S ipc -F a0=0x3
+## semget
+#-a always,exit -S ipc -F a0=0x2
+## semop
+#-a always,exit -S ipc -F a0=0x1
+## semtimedop
+#-a always,exit -S ipc -F a0=0x4
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S semctl
+#-a always,exit -S semget
+#-a always,exit -S semop
+#-a always,exit -S semtimedop
+
+## IPC SYSV shared memory
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## shmctl
+#-a always,exit -S ipc -F a0=24
+## shmget
+#-a always,exit -S ipc -F a0=23
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S shmctl
+#-a always,exit -S shmget
+
+##
+## FIA_USB.1
+## success and failure of binding user security attributes to a subject
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S clone
+#-a always,exit -F arch=b64 -S clone
+#-a always,exit -F arch=b32 -S fork,vfork
+#-a always,exit -F arch=b64 -S fork,vfork
+## For ia64 architecture, disable fork and vfork rules above, and
+## enable the following:
+#-a always,exit -S clone2
+
+##
+## FDP_ETC.2
+## Export of Labeled User Data
+##
+## Printing
+-w /etc/cups/ -p wa -k CFG_cups
+-w /etc/init.d/cups -p wa -k CFG_initd_cups
+
+##
+## FDP_ETC.2, FDP_ITC.2
+## Export/Import of Labeled User Data
+##
+## Networking
+-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
+-w /etc/ipsec.conf -p wa -k CFG_ipsec.conf
+-w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf
+-w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets
+
+##
+## FDP_IFC.1
+## Mandatory Access Control Policy
+##
+-w /etc/selinux/config -p wa -k CFG_selinux_config
+-w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
+-w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
+-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
+
+##
+## FMT_MSA.3
+## modifications of the default setting of permissive or restrictive
+## rules, all modifications of the initial value of security attributes
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S umask
+#-a always,exit -F arch=b64 -S umask
+
+##
+## FPT_STM.1
+## changes to the time
+##
+-a always,exit -F arch=b32 -S stime,adjtimex,settimeofday
+-a always,exit -F arch=b64 -S adjtimex,settimeofday
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+
+##
+## FTP_ITC.1
+## set-up of trusted channel
+##
+-w /usr/sbin/stunnel -p x
+
+##
+## FPT_TST.1 Self Test
+## aide is used to verify integrity of data and executables
+##
+-w /etc/aide.conf -p wa -k CFG_aide.conf
+-w /var/lib/aide/aide.db.gz -k CFG_aide.db
+-w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
+-w /var/log/aide/ -p wa -k CFG_aide.log
+
+##
+## Security Databases
+##
+
+## cron configuration & scheduled jobs
+-w /etc/cron.allow -p wa -k CFG_cron.allow
+-w /etc/cron.deny -p wa -k CFG_cron.deny
+-w /etc/cron.d/ -p wa -k CFG_cron.d
+-w /etc/cron.daily/ -p wa -k CFG_cron.daily
+-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
+-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
+-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
+-w /etc/crontab -p wa -k CFG_crontab
+-w /var/spool/cron/root -k CFG_crontab_root
+
+## user, group, password databases
+-w /etc/group -p wa -k CFG_group
+-w /etc/passwd -p wa -k CFG_passwd
+-w /etc/gshadow -k CFG_gshadow
+-w /etc/shadow -k CFG_shadow
+-w /etc/security/opasswd -k CFG_opasswd
+
+## login configuration and information
+-w /etc/login.defs -p wa -k CFG_login.defs
+-w /etc/securetty -p wa -k CFG_securetty
+-w /var/run/faillock/ -p wa -k LOG_faillock
+-w /var/log/lastlog -p wa -k LOG_lastlog
+-w /var/log/tallylog -p wa -k LOG_tallylog
+
+## network configuration
+-w /etc/hosts -p wa -k CFG_hosts
+-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
+
+## system startup scripts
+-w /etc/sysconfig/init -p wa -k CFG_init
+-w /etc/init/ -p wa -k CFG_init
+-w /etc/inittab -p wa -k CFG_inittab
+-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
+
+## library search paths
+-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
+
+## local time zone
+-w /etc/localtime -p wa -k CFG_localtime
+
+## kernel parameters
+-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
+
+## modprobe configuration
+-w /etc/modprobe.d/ -p wa -k CFG_modprobe
+
+## pam configuration
+-w /etc/pam.d/ -p wa -k CFG_pam
+-w /etc/security/access.conf -p wa -k CFG_pam
+-w /etc/security/limits.conf -p wa -k CFG_pam
+-w /etc/security/pam_env.conf -p wa -k CFG_pam
+-w /etc/security/namespace.conf -p wa -k CFG_pam
+-w /etc/security/namespace.d/ -p wa -k CFG_pam
+-w /etc/security/namespace.init -p wa -k CFG_pam
+-w /etc/security/sepermit.conf -p wa -k CFG_pam
+-w /etc/security/time.conf -p wa -k CFG_pam
+
+## postfix configuration
+-w /etc/aliases -p wa -k CFG_aliases
+-w /etc/postfix/ -p wa -k CFG_postfix
+
+## screen configuration
+-w /etc/screenrc -p wa -k CFG_screen
+
+## ssh configuration
+-w /etc/ssh/sshd_config -k CFG_sshd_config
+
+## stunnel configuration
+-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
+-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
+
+## sudo configuration
+-w /etc/sudoers -k CFG_sudoers
+-w /etc/sudoers.d/ -k CFG_sudoers
+
+## xinetd configuration
+-w /etc/xinetd.d/ -k CFG_xinetd.d
+-w /etc/xinetd.conf -k CFG_xinetd.conf
+
+## Not specifically required by LSPP; but common sense items
+-a always,exit -F arch=b32 -S sethostname,setdomainname
+-a always,exit -F arch=b64 -S sethostname,setdomainname
+-w /etc/issue -p wa -k CFG_issue
+-w /etc/issue.net -p wa -k CFG_issue.net
+
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable
+#-e 2
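Review bot: The commented container-create rules use `-F a0&0x2080505856` whereas the same rule in capp.rules reads `-F a0&2080505856`; with the `0x` prefix the literal is a different number (and wider than 32 bits), so one of the two masks is wrong and anyone uncommenting the rule would audit the wrong CLONE_* bits — verify which mask was intended and use it in all three files. nispom.rules carries the same `0x2080505856` form. Separately, the cups watch is `-w /etc/init.d/cups` while the startup-script section of this file watches `/etc/rc.d/init.d/`; if `/etc/init.d` is a symlink on the target system, confirm the watch lands on the intended file rather than silently covering nothing.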
diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules
new file mode 100644
index 00000000..6bcca086
--- /dev/null
+++ b/framework/src/audit/contrib/nispom.rules
@@ -0,0 +1,148 @@
+##
+## This file contains the a sample audit configuration intended to
+## meet the NISPOM Chapter 8 rules.
+##
+## This file should be saved as /etc/audit/audit.rules.
+##
+## For audit 1.6.5 and higher
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
+## Audit 1, 1(a) Enough information to determine the date and time of
+## action (e.g., common network time), the system locale of the action,
+## the system entity that initiated or completed the action, the resources
+## involved, and the action involved.
+
+## Things that could affect time
+-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+-w /etc/localtime -p wa -k time-change
+
+## Things that could affect system locale
+-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
+
+## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
+## This is covered by patches to login, gdm, and openssh
+## Might also want to watch these files if needing extra information
+#-w /var/log/tallylog -p wa -k logins
+#-w /var/run/faillock/ -p wa -k logins
+#-w /var/log/lastlog -p wa -k logins
+#-w /var/log/btmp -p wa -k logins
+#-w /var/run/utmp -p wa -k logins
+
+## Audit 1, 1(c) Successful and unsuccessful accesses to
+## security-relevant objects and directories, including
+## creation, open, close, modification, and deletion.
+
+## unsuccessful creation
+-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
+-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation
+
+## unsuccessful open
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
+
+## unsuccessful close
+-a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close
+-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
+
+## unsuccessful modifications
+-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
+-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
+-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
+-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
+
+## unsuccessful deletion
+-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
+-a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete
+
+## Audit 1, 1(d) Changes in user authenticators.
+## Covered by patches to libpam, passwd, and shadow-utils
+## Might also want to watch these files for changes
+-w /etc/group -p wa -k auth
+-w /etc/passwd -p wa -k auth
+-w /etc/gshadow -p wa -k auth
+-w /etc/shadow -p wa -k auth
+-w /etc/security/opasswd -p wa -k auth
+
+## Audit 1, 1(e) The blocking or blacklisting of a user ID,
+## terminal, or access port and the reason for the action.
+## Covered by patches to pam_tally2 or pam_faillock and pam_limits
+
+## Audit 1, 1(f) Denial of access resulting from an excessive
+## number of unsuccessful logon attempts.
+## Covered by patches to pam_tally2 or pam_faillock
+
+## Audit 1, 2 Audit Trail Protection. The contents of audit trails
+## shall be protected against unauthorized access, modification,
+## or deletion.
+## This should be covered by file permissions, but we can watch it
+## to see any activity
+-w /var/log/audit/ -k audit-logs
+
+## Not specifically required by NISPOM; but common sense items
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable
+#-e 2
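Review bot: `-S unlink,rmdirunlinkat` in the unsuccessful-deletion block is missing the comma between `rmdir` and `unlinkat`; `rmdirunlinkat` is not a syscall name, so auditctl rejects the rule and the b32 EPERM deletion case is never audited, which silently undermines the 1(c) coverage this file claims. It should read `-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EPERM -F key=delete`. The header states "For audit 1.6.5 and higher", but `--loginuid-immutable` appears to postdate that release, so the stated minimum version looks stale relative to the rules that follow; worth aligning it with the 2.0.6 the sibling profiles quote or whichever version actually introduced that option.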
diff --git a/framework/src/audit/contrib/plugin/Makefile b/framework/src/audit/contrib/plugin/Makefile
new file mode 100644
index 00000000..4256c4d1
--- /dev/null
+++ b/framework/src/audit/contrib/plugin/Makefile
@@ -0,0 +1,7 @@
+CFLAGS=-g -W -Wall -Wundef
+LIBS= -lauparse -laudit
+all:
+ gcc $(CFLAGS) audisp-example.c -o audisp-example $(LIBS)
+
+clean:
+ rm -f audisp-example *.o
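Review bot: The `all` and `clean` targets are not declared phony, so a file named `all` or `clean` in the directory would silently make the target a no-op; add `.PHONY: all clean` at the top of the Makefile. The compiler is hard-coded as `gcc` where `$(CC)` would respect the environment in the same way the `CFLAGS` and `LIBS` variables already do, e.g. `$(CC) $(CFLAGS) audisp-example.c -o audisp-example $(LIBS)`. With `-W -Wall` enabled here, the unused `sig` parameters in the signal handlers of audisp-example.c will warn on every build, which is worth fixing in that file so the warning output stays meaningful.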
diff --git a/framework/src/audit/contrib/plugin/audisp-example.c b/framework/src/audit/contrib/plugin/audisp-example.c
new file mode 100644
index 00000000..6fcca1a1
--- /dev/null
+++ b/framework/src/audit/contrib/plugin/audisp-example.c
@@ -0,0 +1,229 @@
+/* audisp-example.c --
+ * Copyright 2012 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ *
+ * This is a sample program to demonstrate several concepts of how to
+ * write an audispd plugin using libauparse. It can be tested by using a
+ * file of raw audit records. You can generate the test file like:
+ *
+ * ausearch --start today --raw > test.log.
+ *
+ * Then you can test this app by: cat test.log | ./audisp-example
+ *
+ * It will print things to stdout. In a real program, you wouldn't
+ * do anything with stdout since that is likely to be pointing to /dev/null.
+ *
+ * Excluding some init/destroy items you might need to add to main, the
+ * event_handler function is the main place that you would modify to do
+ * things specific to your plugin.
+ *
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <signal.h>
+#include <string.h>
+#include <sys/select.h>
+#include <errno.h>
+#include "libaudit.h"
+#include "auparse.h"
+
+/* Global Data */
+static volatile int stop = 0;
+static volatile int hup = 0;
+static auparse_state_t *au = NULL;
+
+/* Local declarations */
+static void handle_event(auparse_state_t *au,
+ auparse_cb_event_t cb_event_type, void *user_data);
+
+/*
+ * SIGTERM handler
+ */
+static void term_handler( int sig )
+{
+ stop = 1;
+}
+
+/*
+ * SIGHUP handler: re-read config
+ */
+static void hup_handler( int sig )
+{
+ hup = 1;
+}
+
+static void reload_config(void)
+{
+ hup = 0;
+}
+
+int main(int argc, char *argv[])
+{
+ char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];
+ struct sigaction sa;
+
+ /* Register sighandlers */
+ sa.sa_flags = 0;
+ sigemptyset(&sa.sa_mask);
+ /* Set handler for the ones we care about */
+ sa.sa_handler = term_handler;
+ sigaction(SIGTERM, &sa, NULL);
+ sa.sa_handler = hup_handler;
+ sigaction(SIGHUP, &sa, NULL);
+
+ /* Initialize the auparse library */
+ au = auparse_init(AUSOURCE_FEED, 0);
+ if (au == NULL) {
+ printf("audisp-example is exiting due to auparse init errors");
+ return -1;
+ }
+ auparse_add_callback(au, handle_event, NULL, NULL);
+ do {
+ fd_set read_mask;
+ struct timeval tv;
+ int retval;
+
+ /* Load configuration */
+ if (hup) {
+ reload_config();
+ }
+ do {
+ tv.tv_sec = 5;
+ tv.tv_usec = 0;
+ FD_ZERO(&read_mask);
+ FD_SET(0, &read_mask);
+ if (auparse_feed_has_data(au))
+ retval= select(1, &read_mask, NULL, NULL, &tv);
+ else
+ retval= select(1, &read_mask, NULL, NULL, NULL);
+ } while (retval == -1 && errno == EINTR && !hup && !stop);
+
+ /* Now the event loop */
+ if (!stop && !hup && retval > 0) {
+ if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH,
+ stdin)) {
+ auparse_feed(au, tmp, strnlen(tmp,
+ MAX_AUDIT_MESSAGE_LENGTH));
+ }
+ } else if (retval == 0)
+ auparse_flush_feed(au);
+ if (feof(stdin))
+ break;
+ } while (stop == 0);
+
+ /* Flush any accumulated events from queue */
+ auparse_flush_feed(au);
+ auparse_destroy(au);
+ if (stop)
+ printf("audisp-example is exiting on stop request\n");
+ else
+ printf("audisp-example is exiting on stdin EOF\n");
+
+ return 0;
+}
+
+/* This function shows how to dump a whole event by iterating over records */
+static void dump_whole_event(auparse_state_t *au)
+{
+ auparse_first_record(au);
+ do {
+ printf("%s\n", auparse_get_record_text(au));
+ } while (auparse_next_record(au) > 0);
+ printf("\n");
+}
+
+/* This function shows how to dump a whole record's text */
+static void dump_whole_record(auparse_state_t *au)
+{
+ printf("%s: %s\n", audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_record_text(au));
+ printf("\n");
+}
+
+/* This function shows how to iterate through the fields of a record
+ * and print its name and raw value and interpretted value. */
+static void dump_fields_of_record(auparse_state_t *au)
+{
+ printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+
+ printf("line=%d file=%s\n", auparse_get_line_number(au),
+ auparse_get_filename(au) ? auparse_get_filename(au) : "stdin");
+
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ printf("Error getting timestamp - aborting\n");
+ return;
+ }
+ /* Note that e->sec can be treated as time_t data if you want
+ * something a little more readable */
+ printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec,
+ e->milli, e->serial, e->host ? e->host : "?");
+ auparse_first_field(au);
+
+ do {
+ printf("field: %s=%s (%s)\n",
+ auparse_get_field_name(au),
+ auparse_get_field_str(au),
+ auparse_interpret_field(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+}
+
+/* This function receives a single complete event at a time from the auparse
+ * library. This is where the main analysis code would be added. */
+static void handle_event(auparse_state_t *au,
+ auparse_cb_event_t cb_event_type, void *user_data)
+{
+ int type, num=0;
+
+ if (cb_event_type != AUPARSE_CB_EVENT_READY)
+ return;
+
+ /* Loop through the records in the event looking for one to process.
+ We use physical record number because we may search around and
+ move the cursor accidentally skipping a record. */
+ while (auparse_goto_record_num(au, num) > 0) {
+ type = auparse_get_type(au);
+ /* Now we can branch based on what record type we find.
+ This is just a few suggestions, but it could be anything. */
+ switch (type) {
+ case AUDIT_AVC:
+ dump_fields_of_record(au);
+ break;
+ case AUDIT_SYSCALL:
+ dump_whole_record(au);
+ break;
+ case AUDIT_USER_LOGIN:
+ break;
+ case AUDIT_ANOM_ABEND:
+ break;
+ case AUDIT_MAC_STATUS:
+ dump_whole_event(au);
+ break;
+ default:
+ break;
+ }
+ num++;
+ }
+}
+
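Review bot: `stop` and `hup` in the Global Data block are written from signal handlers but declared `volatile int`; the only object type C guarantees can be safely written by an asynchronous handler is `volatile sig_atomic_t`, so declare them `static volatile sig_atomic_t stop = 0;` and `static volatile sig_atomic_t hup = 0;`. The `au` parameter of `handle_event` and of the three dump helpers shadows the file-scope `au`, which is harmless as written but easy to misread in an example meant to be copied; renaming the global (for example `static auparse_state_t *g_au`) removes the ambiguity. The init-failure message `printf("audisp-example is exiting due to auparse init errors");` lacks the trailing newline the other two exit messages have. The unused `sig` parameters in `term_handler` and `hup_handler` will warn under the `-W -Wall` flags in the accompanying Makefile; a `(void)sig;` in each handler silences that.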
diff --git a/framework/src/audit/contrib/plugin/audisp-example.conf b/framework/src/audit/contrib/plugin/audisp-example.conf
new file mode 100644
index 00000000..e8a7b81e
--- /dev/null
+++ b/framework/src/audit/contrib/plugin/audisp-example.conf
@@ -0,0 +1,10 @@
+# This file controls the configuration of the
+# example syslog plugin. It simply takes events and writes
+# them to syslog.
+
+active = no
+direction = out
+path = /sbin/audisp-example
+type = always
+args = 1
+format = string
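Review bot: The header comment describes this as the configuration of "the example syslog plugin" that "writes them to syslog", but the program it points at (audisp-example.c in this same commit) prints to stdout and never calls syslog, so the comment will mislead whoever enables it. Reword along the lines of `# This file controls the configuration of the example audispd plugin. As written the plugin only prints events to stdout; see audisp-example.c.` Shipping with `active = no` is the right default for an example and should stay.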
diff --git a/framework/src/audit/contrib/skeleton.c b/framework/src/audit/contrib/skeleton.c
new file mode 100644
index 00000000..7e041042
--- /dev/null
+++ b/framework/src/audit/contrib/skeleton.c
@@ -0,0 +1,140 @@
+/* skeleton.c --
+ *
+ * This is a sample program that you can customize to create your own audit
+ * event handler. It will be started by auditd via the dispatcher option in
+ * /etc/audit/auditd.conf. This program can be built as follows:
+ *
+ * gcc skeleton.c -o skeleton -laudit
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <locale.h>
+#include "libaudit.h"
+
+
+// Local data
+static volatile int signaled = 0;
+static int pipe_fd;
+static const char *pgm = "skeleton";
+
+// Local functions
+static int event_loop(void);
+
+// SIGTERM handler
+static void term_handler( int sig )
+{
+ signaled = 1;
+}
+
+
+/*
+ * main is started by auditd. See dispatcher in auditd.conf
+ */
+int main(int argc, char *argv[])
+{
+ struct sigaction sa;
+
+ setlocale (LC_ALL, "");
+ openlog(pgm, LOG_PID, LOG_DAEMON);
+ syslog(LOG_NOTICE, "starting...");
+
+#ifndef DEBUG
+ // Make sure we are root
+ if (getuid() != 0) {
+ syslog(LOG_ERR, "You must be root to run this program.");
+ return 4;
+ }
+#endif
+
+ // register sighandlers
+ sa.sa_flags = 0 ;
+ sa.sa_handler = term_handler;
+ sigemptyset( &sa.sa_mask ) ;
+ sigaction( SIGTERM, &sa, NULL );
+ sa.sa_handler = term_handler;
+ sigemptyset( &sa.sa_mask ) ;
+ sigaction( SIGCHLD, &sa, NULL );
+ sa.sa_handler = SIG_IGN;
+ sigaction( SIGHUP, &sa, NULL );
+ (void)chdir("/");
+
+ // change over to pipe_fd
+ pipe_fd = dup(0);
+ close(0);
+ open("/dev/null", O_RDONLY);
+ fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);
+
+ // Start the program
+ return event_loop();
+}
+
+static int event_loop(void)
+{
+ void *data;
+ struct iovec vec[2];
+ struct audit_dispatcher_header hdr;
+
+ // allocate data structures
+ data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
+ if (data == NULL) {
+ syslog(LOG_ERR, "Cannot allocate buffer");
+ return 1;
+ }
+ memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
+ memset(&hdr, 0, sizeof(hdr));
+
+ do {
+ int rc;
+ struct timeval tv;
+ fd_set fd;
+
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ FD_ZERO(&fd);
+ FD_SET(pipe_fd, &fd);
+ rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
+ if (rc == 0)
+ continue;
+ else if (rc == -1)
+ break;
+
+ /* Get header first. it is fixed size */
+ vec[0].iov_base = (void*)&hdr;
+ vec[0].iov_len = sizeof(hdr);
+ do {
+ rc = readv(fd, &vec[0], 1);
+ } while (rc < 0 && errno == EINTR);
+
+ if (rc > 0) {
+ // Next payload
+ vec[1].iov_base = data;
+ vec[1].iov_len = hdr.size;
+ do {
+ rc = readv(fd, &vec[1], 1);
+ } while (rc < 0 && errno == EINTR);
+ }
+ if (rc <= 0) {
+ syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
+ continue;
+ }
+
+ // Handle events here. Just for illustration, we print
+ // to syslog, but you will want to do something else.
+ syslog(LOG_NOTICE,"type=%d, payload size=%d",
+ hdr.type, hdr.size);
+ syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,
+ (char *)data);
+
+ } while(!signaled);
+
+ return 0;
+}
+
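Review bot: The payload read in `event_loop` uses `hdr.size` as the iov length without checking it, yet `data` was allocated with exactly MAX_AUDIT_MESSAGE_LENGTH bytes, so an oversized or corrupted header arriving on the dispatcher pipe would overrun the heap buffer; add before the second readv `if (hdr.size > MAX_AUDIT_MESSAGE_LENGTH) { syslog(LOG_ERR, "payload size %d exceeds buffer", hdr.size); break; }` (breaking rather than continuing, since the unread payload would leave the stream misaligned for the next header). Both `readv` calls also pass `fd`, which is the `fd_set` declared at the top of the loop body, where the descriptor to read is `pipe_fd`. A short read of the payload (readv returning fewer than `hdr.size` bytes) is likewise treated as success and logged with `%.*s` over the full `hdr.size`, so the read should loop until the whole payload has arrived or fail. Finally, `openlog`/`syslog` and `select` are used but `<syslog.h>` and `<sys/select.h>` are not among the includes.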
diff --git a/framework/src/audit/contrib/stig.rules b/framework/src/audit/contrib/stig.rules
new file mode 100644
index 00000000..5a51d7f0
--- /dev/null
+++ b/framework/src/audit/contrib/stig.rules
@@ -0,0 +1,193 @@
+## This file contains the auditctl rules that are loaded
+## whenever the audit daemon is started via the initscripts.
+## The rules are simply the parameters that would be passed
+## to auditctl.
+##
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
+## NOTE:
+## 1) if this is being used on a 32 bit machine, comment out the b64 lines
+## 2) These rules assume that login under the root account is not allowed.
+## 3) It is also assumed that 500 represents the first usable user account. To
+## be sure, look at UID_MIN in /etc/login.defs.
+## 4) If these rules generate too much spurious data for your tastes, limit the
+## the syscall file rules with a directory, like -F dir=/etc
+## 5) You can search for the results on the key fields in the rules
+##
+##
+## (GEN002880: CAT II) The IAO will ensure the auditing software can
+## record the following for each audit event:
+##- Date and time of the event
+##- Userid that initiated the event
+##- Type of event
+##- Success or failure of the event
+##- For I&A events, the origin of the request (e.g., terminal ID)
+##- For events that introduce an object into a user’s address space, and
+## for object deletion events, the name of the object, and in MLS
+## systems, the object’s security level.
+##
+## Things that could affect time
+-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+-w /etc/localtime -p wa -k time-change
+
+## Things that affect identity
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+## Things that could affect system locale
+-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
+
+## Things that could affect MAC policy
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
+
+
+## (GEN002900: CAT III) The IAO will ensure audit files are retained at
+## least one year; systems containing SAMI will be retained for five years.
+##
+## Site action - no action in config files
+
+## (GEN002920: CAT III) The IAO will ensure audit files are backed up
+## no less than weekly onto a different system than the system being
+## audited or backup media.
+##
+## Can be done with cron script
+
+## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
+## files have permissions of 640, or more restrictive.
+##
+## Done automatically by auditd
+
+## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
+## configure the auditing system to audit the following events for all
+## users and root:
+##
+## - Logon (unsuccessful and successful) and logout (successful)
+##
+## Handled by pam, sshd, login, and gdm
+## Might also want to watch these files if needing extra information
+#-w /var/log/tallylog -p wa -k logins
+#-w /var/run/faillock/ -p wa -k logins
+#-w /var/log/lastlog -p wa -k logins
+
+
+##- Process and session initiation (unsuccessful and successful)
+##
+## The session initiation is audited by pam without any rules needed.
+## Might also want to watch this file if needing extra information
+#-w /var/run/utmp -p wa -k session
+#-w /var/log/btmp -p wa -k session
+#-w /var/log/wtmp -p wa -k session
+
+##- Discretionary access control permission modification (unsuccessful
+## and successful use of chown/chmod)
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+
+##- Unauthorized access attempts to files (unsuccessful)
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
+
+##- Use of privileged commands (unsuccessful and successful)
+## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
+-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
+
+##- Use of print command (unsuccessful and successful)
+
+##- Export to media (successful)
+## You have to mount media before using it. You must disable all automounting
+## so that its done manually in order to get the correct user requesting the
+## export
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
+
+##- System startup and shutdown (unsuccessful and successful)
+
+##- Files and programs deleted by the user (successful and unsuccessful)
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
+
+##- All system administration actions
+##- All security personnel actions
+##
+## Look for pam_tty_audit and add it to your login entry point's pam configs.
+## If that is not found, use sudo which should be patched to record its
+## commands to the audit system. Do not allow unrestricted root shells or
+## sudo cannot record the action.
+-w /etc/sudoers -p wa -k actions
+-w /etc/sudoers.d/ -p wa -k actions
+
+## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
+##ensure old audit logs are closed and new audit logs are started daily.
+##
+## Site action. Can be assisted by a cron job
+
+## Not specifically required by the STIG; but common sense items
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable - reboot is required to change audit rules
+-e 2
+
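Review bot: These rules key on `auid>=500` as the first ordinary user, while the sibling rules file earlier in this commit uses `auid>=1000` for the equivalent optional `power-abuse` rule; item 3 of the `## NOTE:` block does tell the reader to check UID_MIN, but on current distributions UID_MIN is typically 1000, so as shipped every `-F auid>=500` rule here would also match system accounts in that range. Either align the contrib rule sets on one threshold or state in the header that 500 must be edited to match `/etc/login.defs` before loading. The file also enables `-f 2` (panic on audit failure) unconditionally together with `-e 2`; the comment should make clear that once the configuration is immutable, an audit-subsystem failure such as an exhausted `-b 8192` backlog can halt the host, so the buffer needs to be sized for the site before this is deployed.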