aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/audit/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/audit/contrib')
-rwxr-xr-xframework/src/audit/contrib/avc_snap90
-rw-r--r--framework/src/audit/contrib/capp.rules302
-rw-r--r--framework/src/audit/contrib/lspp.rules343
-rw-r--r--framework/src/audit/contrib/nispom.rules148
-rw-r--r--framework/src/audit/contrib/plugin/Makefile7
-rw-r--r--framework/src/audit/contrib/plugin/audisp-example.c229
-rw-r--r--framework/src/audit/contrib/plugin/audisp-example.conf10
-rw-r--r--framework/src/audit/contrib/skeleton.c140
-rw-r--r--framework/src/audit/contrib/stig.rules193
9 files changed, 0 insertions, 1462 deletions
diff --git a/framework/src/audit/contrib/avc_snap b/framework/src/audit/contrib/avc_snap
deleted file mode 100755
index f4acba7d..00000000
--- a/framework/src/audit/contrib/avc_snap
+++ /dev/null
@@ -1,90 +0,0 @@
-#! /usr/bin/env python
-import os, string, select, struct, syslog
-import audit, avc, traceback
-import AuditMsg
-from setroubleshoot.signature import *
-from setroubleshoot.util import LoadPlugins
-
-class avc_snap:
- def __init__(self):
- self.audit_list = []
- self.cur_sig = ""
- self.plugins = LoadPlugins()
- syslog.syslog( "Number of Plugins = %d" % len(self.plugins))
-
- def is_avc(self):
- for i in self.audit_list:
- if i[0] == audit.AUDIT_AVC:
- return True
- return False
-
- def out(self):
- if self.is_avc():
- rules=avc.SERules()
- l=[]
- for ( type, data_list ) in self.audit_list:
- l += data_list
-
- if "granted" in l:
- self.audit_list = []
- return
-
- rules.translate(l)
- myavc = AVC(rules.AVCS[0])
- for plugin in self.plugins:
- try:
- if plugin.analyze(myavc):
- plugin.report()
- break;
-
- except TypeError, e:
- syslog.syslog("Type exception %s: %s " % ( plugin.analysisID, e.args))
- except:
- syslog.syslog("Plugin Exception %s " % plugin.analysisID)
-
- self.audit_list = []
-
- def process(self, type, data):
- data_list=data.split()
- new_sig=data_list[0]
-
- if len(self.audit_list) > 0 and new_sig != self.cur_sig:
- self.out()
- self.cur_sig = new_sig
-
- self.audit_list.append((type, data_list[1:]))
-
- def run(self):
- while 1:
- input,output, err = select.select([0],[], [], 5)
- try:
- if 0 in input:
- msg = AuditMsg.AuditMsg()
- if not msg.read_from_fd(0):
- syslog.syslog("Connection closing")
- return
- self.process(msg.get_type(), msg.get_body())
- else:
- self.out()
-
- except struct.error, e:
- syslog.syslog("struct exception %s " % e.args)
- return
- except TypeError, e:
- syslog.syslog("Type exception %s " % e.args)
-
-try:
- syslog.openlog("avc_snap")
- snap=avc_snap()
- snap.run()
-
-except IOError,e:
- syslog.syslog("IOError exception %s" % e.args)
-
-except Exception, e:
- syslog.syslog("Unexpected exception %s " % e.args)
- syslog.syslog(traceback.format_exc())
-
-except:
- syslog.syslog("Caught Exception")
- syslog.syslog(traceback.format_exc())
diff --git a/framework/src/audit/contrib/capp.rules b/framework/src/audit/contrib/capp.rules
deleted file mode 100644
index 5e38274f..00000000
--- a/framework/src/audit/contrib/capp.rules
+++ /dev/null
@@ -1,302 +0,0 @@
-##
-## This file contains a sample audit configuration. Combined with the
-## system events that are audited by default, this set of rules causes
-## audit to generate records for the auditable events specified by the
-## Controlled Access Protection Profile (CAPP).
-##
-## It should be noted that this set of rules identifies directories by
-## leaving a / at the end of the path.
-##
-## For audit 2.0.6 and higher
-##
-
-## Remove any existing rules
--D
-
-## Increase buffer size to handle the increased number of messages.
-## Feel free to increase this if the machine panic's
--b 8192
-
-## Set failure mode to panic
--f 2
-
-##
-## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
-## successful and unsuccessful attempts to read information from the
-## audit records; all modifications to the audit trail
-##
--w /var/log/audit/ -k LOG_audit
-
-##
-## FAU_SEL.1, FMT_MTD.1
-## modifications to audit configuration that occur while the audit
-## collection functions are operating; all modications to the set of
-## audited events
-##
--w /etc/audit/ -p wa -k CFG_audit
--w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
--w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
--w /etc/audisp/ -p wa -k CFG_audisp
-
-##
-## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
-## all requests to perform an operation on an object covered by the
-## SFP; all modifications of the values of security attributes;
-## modifications to TSF data; attempts to revoke security attributes
-##
-
-## Objects covered by the Security Functional Policy (SFP) are:
-## -File system objects (files, directories, special files, extended attributes)
-## -IPC objects (SYSV shared memory, message queues, and semaphores)
-
-## Operations on file system objects - by default, only monitor
-## files and directories covered by filesystem watches.
-
-## Changes in ownership and permissions
-#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
-#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
-## Enable *32 rules if you are running on i386 or s390
-## Do not use for x86_64, ia64, ppc, ppc64, or s390x
-#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
-
-## File content modification. Permissions are checked at open time,
-## monitoring individual read/write calls is not useful.
-#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-## Enable *64 rules if you are running on i386, ppc, ppc64, s390
-## Do not use for x86_64, ia64, or s390x
-#-a always,exit -F arch=b32 -S truncate64,ftruncate64
-
-## directory operations
-#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
-#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
-
-## moving, removing, and linking
-#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
-#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
-
-## Extended attribute operations
-## Enable if you are interested in these events
-#-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-#-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-
-## special files
--a always,exit -F arch=b32 -S mknod,mknodat
--a always,exit -F arch=b64 -S mknod,mknodat
-
-## Other file system operations
-## Enable if i386
--a always,exit -F arch=b32 -S mount,umount,umount2
-## Enable if ppc, s390, or s390x
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-#-a always,exit -F arch=b64 -S mount,umount,umount2
-## Enable if ia64
-#-a always,exit -F arch=b64 -S mount,umount
-## Enable if x86_64
-#-a always,exit -F arch=b64 -S mount,umount2
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-
-## IPC SYSV message queues
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## msgctl
-#-a always,exit -S ipc -F a0=14
-## msgget
-#-a always,exit -S ipc -F a0=13
-## Enable if you are interested in these events (x86_64,ia64)
-#-a always,exit -S msgctl
-#-a always,exit -S msgget
-
-## IPC SYSV semaphores
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## semctl
-#-a always,exit -S ipc -F a0=3
-## semget
-#-a always,exit -S ipc -F a0=2
-## semop
-#-a always,exit -S ipc -F a0=1
-## semtimedop
-#-a always,exit -S ipc -F a0=4
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S semctl
-#-a always,exit -S semget
-#-a always,exit -S semop
-#-a always,exit -S semtimedop
-
-## IPC SYSV shared memory
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## shmctl
-#-a always,exit -S ipc -F a0=24
-## shmget
-#-a always,exit -S ipc -F a0=23
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S shmctl
-#-a always,exit -S shmget
-
-##
-## FIA_USB.1
-## success and failure of binding user security attributes to a subject
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S clone
-#-a always,exit -F arch=b64 -S clone
-#-a always,exit -F arch=b32 -S fork,vfork
-#-a always,exit -F arch=b64 -S fork,vfork
-## For ia64 architecture, disable fork and vfork rules above, and
-## enable the following:
-#-a always,exit -S clone2
-
-##
-## FMT_MSA.3
-## modifications of the default setting of permissive or restrictive
-## rules, all modifications of the initial value of security attributes
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S umask
-#-a always,exit -F arch=b64 -S umask
-
-##
-## FPT_STM.1
-## changes to the time
-##
--a always,exit -F arch=b32 -S adjtimex,settimeofday -S stime
--a always,exit -F arch=b64 -S adjtimex,settimeofday
--a always,exit -F arch=b32 -S clock_settime -F a0=0
--a always,exit -F arch=b64 -S clock_settime -F a0=0
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-
-##
-## FTP_ITC.1
-## set-up of trusted channel
-##
--w /usr/sbin/stunnel -p x
-
-##
-## Security Databases
-##
-
-## cron configuration & scheduled jobs
--w /etc/cron.allow -p wa -k CFG_cron.allow
--w /etc/cron.deny -p wa -k CFG_cron.deny
--w /etc/cron.d/ -p wa -k CFG_cron.d
--w /etc/cron.daily/ -p wa -k CFG_cron.daily
--w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
--w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
--w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
--w /etc/crontab -p wa -k CFG_crontab
--w /var/spool/cron/root -k CFG_crontab_root
-
-## user, group, password databases
--w /etc/group -p wa -k CFG_group
--w /etc/passwd -p wa -k CFG_passwd
--w /etc/gshadow -k CFG_gshadow
--w /etc/shadow -k CFG_shadow
--w /etc/security/opasswd -k CFG_opasswd
-
-## login configuration and information
--w /etc/login.defs -p wa -k CFG_login.defs
--w /etc/securetty -p wa -k CFG_securetty
--w /var/run/faillock/ -p wa -k LOG_faillock
--w /var/log/lastlog -p wa -k LOG_lastlog
--w /var/log/tallylog -p wa -k LOG_tallylog
-
-## network configuration
--w /etc/hosts -p wa -k CFG_hosts
--w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-
-## system startup scripts
--w /etc/sysconfig/init -p wa -k CFG_init
--w /etc/init/ -p wa -k CFG_init
--w /etc/inittab -p wa -k CFG_inittab
--w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
-
-## library search paths
--w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-
-## local time zone
--w /etc/localtime -p wa -k CFG_localtime
-
-## kernel parameters
--w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-
-## modprobe configuration
--w /etc/modprobe.d/ -p wa -k CFG_modprobe
-
-## pam configuration
--w /etc/pam.d/ -p wa -k CFG_pam
--w /etc/security/access.conf -p wa -k CFG_pam
--w /etc/security/limits.conf -p wa -k CFG_pam
--w /etc/security/pam_env.conf -p wa -k CFG_pam
--w /etc/security/namespace.conf -p wa -k CFG_pam
--w /etc/security/namespace.d/ -p wa -k CFG_pam
--w /etc/security/namespace.init -p wa -k CFG_pam
--w /etc/security/sepermit.conf -p wa -k CFG_pam
--w /etc/security/time.conf -p wa -k CFG_pam
-
-## postfix configuration
--w /etc/aliases -p wa -k CFG_aliases
--w /etc/postfix/ -p wa -k CFG_postfix
-
-## screen configuration
--w /etc/screenrc -p wa -k CFG_screen
-
-## ssh configuration
--w /etc/ssh/sshd_config -k CFG_sshd_config
-
-## stunnel configuration
--w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
--w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
-
-## sudo configuration
--w /etc/sudoers -k CFG_sudoers
--w /etc/sudoers.d/ -k CFG_sudoers
-
-## Not specifically required by CAPP; but common sense items
--a always,exit -F arch=b32 -S sethostname -S setdomainname
--a always,exit -F arch=b64 -S sethostname -S setdomainname
--w /etc/issue -p wa -k CFG_issue
--w /etc/issue.net -p wa -k CFG_issue.net
-
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2
diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules
deleted file mode 100644
index e0919bd2..00000000
--- a/framework/src/audit/contrib/lspp.rules
+++ /dev/null
@@ -1,343 +0,0 @@
-##
-## This file contains a sample audit configuration. Combined with the
-## system events that are audited by default, this set of rules causes
-## audit to generate records for the auditable events specified by the
-## Labeled Security Protection Profile (LSPP).
-##
-## It should be noted that this set of rules identifies directories by
-## leaving a / at the end of the path.
-##
-## For audit 2.0.6 and higher
-##
-
-## Remove any existing rules
--D
-
-## Increase buffer size to handle the increased number of messages.
-## Feel free to increase this if the machine panic's
--b 8192
-
-## Set failure mode to panic
--f 2
-
-##
-## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
-## successful and unsuccessful attempts to read information from the
-## audit records; all modifications to the audit trail
-##
--w /var/log/audit/ -k LOG_audit
-
-##
-## FAU_SEL.1, FMT_MTD.1
-## modifications to audit configuration that occur while the audit
-## collection functions are operating; all modications to the set of
-## audited events
-##
--w /etc/audit/ -p wa -k CFG_audit
--w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
--w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
--w /etc/audisp/ -p wa -k CFG_audisp
-
-##
-## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
-## all requests to perform an operation on an object covered by the
-## SFP; all modifications of the values of security attributes;
-## modifications to TSF data; attempts to revoke security attributes;
-## all attempts to export information; all attempts to import user
-## data, including any security attributes
-
-## Objects covered by the Security Functional Policy (SFP) are:
-## -File system objects (files, directories, special files, extended attributes)
-## -IPC objects (SYSV shared memory, message queues, and semaphores)
-
-## Operations on file system objects - by default, only monitor
-## files and directories covered by filesystem watches.
-
-## Changes in ownership and permissions
-#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
-#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
-## Enable *32 rules if you are running on i386 or s390
-## Do not use for x86_64, ia64, ppc, ppc64, or s390x
-#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
-
-## File content modification. Permissions are checked at open time,
-## monitoring individual read/write calls is not useful.
-#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-## Enable *64 rules if you are running on i386, ppc, ppc64, s390
-## Do not use for x86_64, ia64, or s390x
-#-a always,exit -F arch=b32 -S truncate64,ftruncate64
-
-## directory operations
-#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
-#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
-
-## moving, removing, and linking
-#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
-#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
-
-## Extended attribute operations
-## Enable if you are interested in these events
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-
-## special files
--a always,exit -F arch=b32 -S mknod,mknodat
--a always,exit -F arch=b64 -S mknod,mknodat
-
-## Other file system operations
-## Enable if i386
--a always,exit -F arch=b32 -S mount,umount,umount2
-## Enable if ppc, s390, or s390x
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-#-a always,exit -F arch=b64 -S mount,umount,umount2
-## Enable if ia64
-#-a always,exit -F arch=b64 -S mount,umount
-## Enable if x86_64
-#-a always,exit -F arch=b64 -S mount,umount2
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-
-## IPC SYSV message queues
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## msgctl
-#-a always,exit -S ipc -F a0=14
-## msgget
-#-a always,exit -S ipc -F a0=13
-## Enable if you are interested in these events (x86_64,ia64)
-#-a always,exit -S msgctl
-#-a always,exit -S msgget
-
-## IPC SYSV semaphores
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## semctl
-#-a always,exit -S ipc -F a0=0x3
-## semget
-#-a always,exit -S ipc -F a0=0x2
-## semop
-#-a always,exit -S ipc -F a0=0x1
-## semtimedop
-#-a always,exit -S ipc -F a0=0x4
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S semctl
-#-a always,exit -S semget
-#-a always,exit -S semop
-#-a always,exit -S semtimedop
-
-## IPC SYSV shared memory
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## shmctl
-#-a always,exit -S ipc -F a0=24
-## shmget
-#-a always,exit -S ipc -F a0=23
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S shmctl
-#-a always,exit -S shmget
-
-##
-## FIA_USB.1
-## success and failure of binding user security attributes to a subject
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S clone
-#-a always,exit -F arch=b64 -S clone
-#-a always,exit -F arch=b32 -S fork,vfork
-#-a always,exit -F arch=b64 -S fork,vfork
-## For ia64 architecture, disable fork and vfork rules above, and
-## enable the following:
-#-a always,exit -S clone2
-
-##
-## FDP_ETC.2
-## Export of Labeled User Data
-##
-## Printing
--w /etc/cups/ -p wa -k CFG_cups
--w /etc/init.d/cups -p wa -k CFG_initd_cups
-
-##
-## FDP_ETC.2, FDP_ITC.2
-## Export/Import of Labeled User Data
-##
-## Networking
--w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
--w /etc/ipsec.conf -p wa -k CFG_ipsec.conf
--w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf
--w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets
-
-##
-## FDP_IFC.1
-## Mandatory Access Control Policy
-##
--w /etc/selinux/config -p wa -k CFG_selinux_config
--w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
--w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
--w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
-
-##
-## FMT_MSA.3
-## modifications of the default setting of permissive or restrictive
-## rules, all modifications of the initial value of security attributes
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S umask
-#-a always,exit -F arch=b64 -S umask
-
-##
-## FPT_STM.1
-## changes to the time
-##
--a always,exit -F arch=b32 -S stime,adjtimex,settimeofday
--a always,exit -F arch=b64 -S adjtimex,settimeofday
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-
-##
-## FTP_ITC.1
-## set-up of trusted channel
-##
--w /usr/sbin/stunnel -p x
-
-##
-## FPT_TST.1 Self Test
-## aide is used to verify integrity of data and executables
-##
--w /etc/aide.conf -p wa -k CFG_aide.conf
--w /var/lib/aide/aide.db.gz -k CFG_aide.db
--w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
--w /var/log/aide/ -p wa -k CFG_aide.log
-
-##
-## Security Databases
-##
-
-## cron configuration & scheduled jobs
--w /etc/cron.allow -p wa -k CFG_cron.allow
--w /etc/cron.deny -p wa -k CFG_cron.deny
--w /etc/cron.d/ -p wa -k CFG_cron.d
--w /etc/cron.daily/ -p wa -k CFG_cron.daily
--w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
--w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
--w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
--w /etc/crontab -p wa -k CFG_crontab
--w /var/spool/cron/root -k CFG_crontab_root
-
-## user, group, password databases
--w /etc/group -p wa -k CFG_group
--w /etc/passwd -p wa -k CFG_passwd
--w /etc/gshadow -k CFG_gshadow
--w /etc/shadow -k CFG_shadow
--w /etc/security/opasswd -k CFG_opasswd
-
-## login configuration and information
--w /etc/login.defs -p wa -k CFG_login.defs
--w /etc/securetty -p wa -k CFG_securetty
--w /var/run/faillock/ -p wa -k LOG_faillock
--w /var/log/lastlog -p wa -k LOG_lastlog
--w /var/log/tallylog -p wa -k LOG_tallylog
-
-## network configuration
--w /etc/hosts -p wa -k CFG_hosts
--w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-
-## system startup scripts
--w /etc/sysconfig/init -p wa -k CFG_init
--w /etc/init/ -p wa -k CFG_init
--w /etc/inittab -p wa -k CFG_inittab
--w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
-
-## library search paths
--w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-
-## local time zone
--w /etc/localtime -p wa -k CFG_localtime
-
-## kernel parameters
--w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-
-## modprobe configuration
--w /etc/modprobe.d/ -p wa -k CFG_modprobe
-
-## pam configuration
--w /etc/pam.d/ -p wa -k CFG_pam
--w /etc/security/access.conf -p wa -k CFG_pam
--w /etc/security/limits.conf -p wa -k CFG_pam
--w /etc/security/pam_env.conf -p wa -k CFG_pam
--w /etc/security/namespace.conf -p wa -k CFG_pam
--w /etc/security/namespace.d/ -p wa -k CFG_pam
--w /etc/security/namespace.init -p wa -k CFG_pam
--w /etc/security/sepermit.conf -p wa -k CFG_pam
--w /etc/security/time.conf -p wa -k CFG_pam
-
-## postfix configuration
--w /etc/aliases -p wa -k CFG_aliases
--w /etc/postfix/ -p wa -k CFG_postfix
-
-## screen configuration
--w /etc/screenrc -p wa -k CFG_screen
-
-## ssh configuration
--w /etc/ssh/sshd_config -k CFG_sshd_config
-
-## stunnel configuration
--w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
--w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
-
-## sudo configuration
--w /etc/sudoers -k CFG_sudoers
--w /etc/sudoers.d/ -k CFG_sudoers
-
-## xinetd configuration
--w /etc/xinetd.d/ -k CFG_xinetd.d
--w /etc/xinetd.conf -k CFG_xinetd.conf
-
-## Not specifically required by LSPP; but common sense items
--a always,exit -F arch=b32 -S sethostname,setdomainname
--a always,exit -F arch=b64 -S sethostname,setdomainname
--w /etc/issue -p wa -k CFG_issue
--w /etc/issue.net -p wa -k CFG_issue.net
-
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2
diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules
deleted file mode 100644
index 6bcca086..00000000
--- a/framework/src/audit/contrib/nispom.rules
+++ /dev/null
@@ -1,148 +0,0 @@
-##
-## This file contains the a sample audit configuration intended to
-## meet the NISPOM Chapter 8 rules.
-##
-## This file should be saved as /etc/audit/audit.rules.
-##
-## For audit 1.6.5 and higher
-##
-
-## Remove any existing rules
--D
-
-## Increase buffer size to handle the increased number of messages.
-## Feel free to increase this if the machine panic's
--b 8192
-
-## Set failure mode to panic
--f 2
-
-## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable
-
-## Audit 1, 1(a) Enough information to determine the date and time of
-## action (e.g., common network time), the system locale of the action,
-## the system entity that initiated or completed the action, the resources
-## involved, and the action involved.
-
-## Things that could affect time
--a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
--w /etc/localtime -p wa -k time-change
-
-## Things that could affect system locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
--a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
--a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-
-## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
-## This is covered by patches to login, gdm, and openssh
-## Might also want to watch these files if needing extra information
-#-w /var/log/tallylog -p wa -k logins
-#-w /var/run/faillock/ -p wa -k logins
-#-w /var/log/lastlog -p wa -k logins
-#-w /var/log/btmp -p wa -k logins
-#-w /var/run/utmp -p wa -k logins
-
-## Audit 1, 1(c) Successful and unsuccessful accesses to
-## security-relevant objects and directories, including
-## creation, open, close, modification, and deletion.
-
-## unsuccessful creation
--a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
--a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
--a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation
--a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation
-
-## unsuccessful open
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
-
-## unsuccessful close
--a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close
--a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
-
-## unsuccessful modifications
--a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
--a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
-
-## unsuccessful deletion
--a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
--a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete
-
-## Audit 1, 1(d) Changes in user authenticators.
-## Covered by patches to libpam, passwd, and shadow-utils
-## Might also want to watch these files for changes
--w /etc/group -p wa -k auth
--w /etc/passwd -p wa -k auth
--w /etc/gshadow -p wa -k auth
--w /etc/shadow -p wa -k auth
--w /etc/security/opasswd -p wa -k auth
-
-## Audit 1, 1(e) The blocking or blacklisting of a user ID,
-## terminal, or access port and the reason for the action.
-## Covered by patches to pam_tally2 or pam_faillock and pam_limits
-
-## Audit 1, 1(f) Denial of access resulting from an excessive
-## number of unsuccessful logon attempts.
-## Covered by patches to pam_tally2 or pam_faillock
-
-## Audit 1, 2 Audit Trail Protection. The contents of audit trails
-## shall be protected against unauthorized access, modification,
-## or deletion.
-## This should be covered by file permissions, but we can watch it
-## to see any activity
--w /var/log/audit/ -k audit-logs
-
-## Not specifically required by NISPOM; but common sense items
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2
diff --git a/framework/src/audit/contrib/plugin/Makefile b/framework/src/audit/contrib/plugin/Makefile
deleted file mode 100644
index 4256c4d1..00000000
--- a/framework/src/audit/contrib/plugin/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-CFLAGS=-g -W -Wall -Wundef
-LIBS= -lauparse -laudit
-all:
- gcc $(CFLAGS) audisp-example.c -o audisp-example $(LIBS)
-
-clean:
- rm -f audisp-example *.o
diff --git a/framework/src/audit/contrib/plugin/audisp-example.c b/framework/src/audit/contrib/plugin/audisp-example.c
deleted file mode 100644
index 6fcca1a1..00000000
--- a/framework/src/audit/contrib/plugin/audisp-example.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/* audisp-example.c --
- * Copyright 2012 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- *
- * This is a sample program to demonstrate several concepts of how to
- * write an audispd plugin using libauparse. It can be tested by using a
- * file of raw audit records. You can generate the test file like:
- *
- * ausearch --start today --raw > test.log.
- *
- * Then you can test this app by: cat test.log | ./audisp-example
- *
- * It will print things to stdout. In a real program, you wouldn't
- * do anything with stdout since that is likely to be pointing to /dev/null.
- *
- * Excluding some init/destroy items you might need to add to main, the
- * event_handler function is the main place that you would modify to do
- * things specific to your plugin.
- *
- */
-
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <signal.h>
-#include <string.h>
-#include <sys/select.h>
-#include <errno.h>
-#include "libaudit.h"
-#include "auparse.h"
-
-/* Global Data */
-static volatile int stop = 0;
-static volatile int hup = 0;
-static auparse_state_t *au = NULL;
-
-/* Local declarations */
-static void handle_event(auparse_state_t *au,
- auparse_cb_event_t cb_event_type, void *user_data);
-
-/*
- * SIGTERM handler
- */
-static void term_handler( int sig )
-{
- stop = 1;
-}
-
-/*
- * SIGHUP handler: re-read config
- */
-static void hup_handler( int sig )
-{
- hup = 1;
-}
-
-static void reload_config(void)
-{
- hup = 0;
-}
-
-int main(int argc, char *argv[])
-{
- char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];
- struct sigaction sa;
-
- /* Register sighandlers */
- sa.sa_flags = 0;
- sigemptyset(&sa.sa_mask);
- /* Set handler for the ones we care about */
- sa.sa_handler = term_handler;
- sigaction(SIGTERM, &sa, NULL);
- sa.sa_handler = hup_handler;
- sigaction(SIGHUP, &sa, NULL);
-
- /* Initialize the auparse library */
- au = auparse_init(AUSOURCE_FEED, 0);
- if (au == NULL) {
- printf("audisp-example is exiting due to auparse init errors");
- return -1;
- }
- auparse_add_callback(au, handle_event, NULL, NULL);
- do {
- fd_set read_mask;
- struct timeval tv;
- int retval;
-
- /* Load configuration */
- if (hup) {
- reload_config();
- }
- do {
- tv.tv_sec = 5;
- tv.tv_usec = 0;
- FD_ZERO(&read_mask);
- FD_SET(0, &read_mask);
- if (auparse_feed_has_data(au))
- retval= select(1, &read_mask, NULL, NULL, &tv);
- else
- retval= select(1, &read_mask, NULL, NULL, NULL);
- } while (retval == -1 && errno == EINTR && !hup && !stop);
-
- /* Now the event loop */
- if (!stop && !hup && retval > 0) {
- if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH,
- stdin)) {
- auparse_feed(au, tmp, strnlen(tmp,
- MAX_AUDIT_MESSAGE_LENGTH));
- }
- } else if (retval == 0)
- auparse_flush_feed(au);
- if (feof(stdin))
- break;
- } while (stop == 0);
-
- /* Flush any accumulated events from queue */
- auparse_flush_feed(au);
- auparse_destroy(au);
- if (stop)
- printf("audisp-example is exiting on stop request\n");
- else
- printf("audisp-example is exiting on stdin EOF\n");
-
- return 0;
-}
-
-/* This function shows how to dump a whole event by iterating over records */
-static void dump_whole_event(auparse_state_t *au)
-{
- auparse_first_record(au);
- do {
- printf("%s\n", auparse_get_record_text(au));
- } while (auparse_next_record(au) > 0);
- printf("\n");
-}
-
-/* This function shows how to dump a whole record's text */
-static void dump_whole_record(auparse_state_t *au)
-{
- printf("%s: %s\n", audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_record_text(au));
- printf("\n");
-}
-
-/* This function shows how to iterate through the fields of a record
- * and print its name and raw value and interpretted value. */
-static void dump_fields_of_record(auparse_state_t *au)
-{
- printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
-
- printf("line=%d file=%s\n", auparse_get_line_number(au),
- auparse_get_filename(au) ? auparse_get_filename(au) : "stdin");
-
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- printf("Error getting timestamp - aborting\n");
- return;
- }
- /* Note that e->sec can be treated as time_t data if you want
- * something a little more readable */
- printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec,
- e->milli, e->serial, e->host ? e->host : "?");
- auparse_first_field(au);
-
- do {
- printf("field: %s=%s (%s)\n",
- auparse_get_field_name(au),
- auparse_get_field_str(au),
- auparse_interpret_field(au));
- } while (auparse_next_field(au) > 0);
- printf("\n");
-}
-
-/* This function receives a single complete event at a time from the auparse
- * library. This is where the main analysis code would be added. */
-static void handle_event(auparse_state_t *au,
- auparse_cb_event_t cb_event_type, void *user_data)
-{
- int type, num=0;
-
- if (cb_event_type != AUPARSE_CB_EVENT_READY)
- return;
-
- /* Loop through the records in the event looking for one to process.
- We use physical record number because we may search around and
- move the cursor accidentally skipping a record. */
- while (auparse_goto_record_num(au, num) > 0) {
- type = auparse_get_type(au);
- /* Now we can branch based on what record type we find.
- This is just a few suggestions, but it could be anything. */
- switch (type) {
- case AUDIT_AVC:
- dump_fields_of_record(au);
- break;
- case AUDIT_SYSCALL:
- dump_whole_record(au);
- break;
- case AUDIT_USER_LOGIN:
- break;
- case AUDIT_ANOM_ABEND:
- break;
- case AUDIT_MAC_STATUS:
- dump_whole_event(au);
- break;
- default:
- break;
- }
- num++;
- }
-}
-
diff --git a/framework/src/audit/contrib/plugin/audisp-example.conf b/framework/src/audit/contrib/plugin/audisp-example.conf
deleted file mode 100644
index e8a7b81e..00000000
--- a/framework/src/audit/contrib/plugin/audisp-example.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file controls the configuration of the
-# example syslog plugin. It simply takes events and writes
-# them to syslog.
-
-active = no
-direction = out
-path = /sbin/audisp-example
-type = always
-args = 1
-format = string
diff --git a/framework/src/audit/contrib/skeleton.c b/framework/src/audit/contrib/skeleton.c
deleted file mode 100644
index 7e041042..00000000
--- a/framework/src/audit/contrib/skeleton.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/* skeleton.c --
- *
- * This is a sample program that you can customize to create your own audit
- * event handler. It will be started by auditd via the dispatcher option in
- * /etc/audit/auditd.conf. This program can be built as follows:
- *
- * gcc skeleton.c -o skeleton -laudit
- */
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <locale.h>
-#include "libaudit.h"
-
-
-// Local data
-static volatile int signaled = 0;
-static int pipe_fd;
-static const char *pgm = "skeleton";
-
-// Local functions
-static int event_loop(void);
-
-// SIGTERM handler
-static void term_handler( int sig )
-{
- signaled = 1;
-}
-
-
-/*
- * main is started by auditd. See dispatcher in auditd.conf
- */
-int main(int argc, char *argv[])
-{
- struct sigaction sa;
-
- setlocale (LC_ALL, "");
- openlog(pgm, LOG_PID, LOG_DAEMON);
- syslog(LOG_NOTICE, "starting...");
-
-#ifndef DEBUG
- // Make sure we are root
- if (getuid() != 0) {
- syslog(LOG_ERR, "You must be root to run this program.");
- return 4;
- }
-#endif
-
- // register sighandlers
- sa.sa_flags = 0 ;
- sa.sa_handler = term_handler;
- sigemptyset( &sa.sa_mask ) ;
- sigaction( SIGTERM, &sa, NULL );
- sa.sa_handler = term_handler;
- sigemptyset( &sa.sa_mask ) ;
- sigaction( SIGCHLD, &sa, NULL );
- sa.sa_handler = SIG_IGN;
- sigaction( SIGHUP, &sa, NULL );
- (void)chdir("/");
-
- // change over to pipe_fd
- pipe_fd = dup(0);
- close(0);
- open("/dev/null", O_RDONLY);
- fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);
-
- // Start the program
- return event_loop();
-}
-
-static int event_loop(void)
-{
- void *data;
- struct iovec vec[2];
- struct audit_dispatcher_header hdr;
-
- // allocate data structures
- data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
- if (data == NULL) {
- syslog(LOG_ERR, "Cannot allocate buffer");
- return 1;
- }
- memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
- memset(&hdr, 0, sizeof(hdr));
-
- do {
- int rc;
- struct timeval tv;
- fd_set fd;
-
- tv.tv_sec = 1;
- tv.tv_usec = 0;
- FD_ZERO(&fd);
- FD_SET(pipe_fd, &fd);
- rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
- if (rc == 0)
- continue;
- else if (rc == -1)
- break;
-
- /* Get header first. it is fixed size */
- vec[0].iov_base = (void*)&hdr;
- vec[0].iov_len = sizeof(hdr);
- do {
- rc = readv(fd, &vec[0], 1);
- } while (rc < 0 && errno == EINTR);
-
- if (rc > 0) {
- // Next payload
- vec[1].iov_base = data;
- vec[1].iov_len = hdr.size;
- do {
- rc = readv(fd, &vec[1], 1);
- } while (rc < 0 && errno == EINTR);
- }
- if (rc <= 0) {
- syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
- continue;
- }
-
- // Handle events here. Just for illustration, we print
- // to syslog, but you will want to do something else.
- syslog(LOG_NOTICE,"type=%d, payload size=%d",
- hdr.type, hdr.size);
- syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,
- (char *)data);
-
- } while(!signaled);
-
- return 0;
-}
-
diff --git a/framework/src/audit/contrib/stig.rules b/framework/src/audit/contrib/stig.rules
deleted file mode 100644
index 5a51d7f0..00000000
--- a/framework/src/audit/contrib/stig.rules
+++ /dev/null
@@ -1,193 +0,0 @@
-## This file contains the auditctl rules that are loaded
-## whenever the audit daemon is started via the initscripts.
-## The rules are simply the parameters that would be passed
-## to auditctl.
-##
-## First rule - delete all
--D
-
-## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
-
-## Set failure mode to panic
--f 2
-
-## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable
-
-## NOTE:
-## 1) if this is being used on a 32 bit machine, comment out the b64 lines
-## 2) These rules assume that login under the root account is not allowed.
-## 3) It is also assumed that 500 represents the first usable user account. To
-## be sure, look at UID_MIN in /etc/login.defs.
-## 4) If these rules generate too much spurious data for your tastes, limit the
-## the syscall file rules with a directory, like -F dir=/etc
-## 5) You can search for the results on the key fields in the rules
-##
-##
-## (GEN002880: CAT II) The IAO will ensure the auditing software can
-## record the following for each audit event:
-##- Date and time of the event
-##- Userid that initiated the event
-##- Type of event
-##- Success or failure of the event
-##- For I&A events, the origin of the request (e.g., terminal ID)
-##- For events that introduce an object into a user’s address space, and
-## for object deletion events, the name of the object, and in MLS
-## systems, the object’s security level.
-##
-## Things that could affect time
--a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
--w /etc/localtime -p wa -k time-change
-
-## Things that affect identity
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity
-
-## Things that could affect system locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
--a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
--a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-
-## Things that could affect MAC policy
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
-
-
-## (GEN002900: CAT III) The IAO will ensure audit files are retained at
-## least one year; systems containing SAMI will be retained for five years.
-##
-## Site action - no action in config files
-
-## (GEN002920: CAT III) The IAO will ensure audit files are backed up
-## no less than weekly onto a different system than the system being
-## audited or backup media.
-##
-## Can be done with cron script
-
-## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
-## files have permissions of 640, or more restrictive.
-##
-## Done automatically by auditd
-
-## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
-## configure the auditing system to audit the following events for all
-## users and root:
-##
-## - Logon (unsuccessful and successful) and logout (successful)
-##
-## Handled by pam, sshd, login, and gdm
-## Might also want to watch these files if needing extra information
-#-w /var/log/tallylog -p wa -k logins
-#-w /var/run/faillock/ -p wa -k logins
-#-w /var/log/lastlog -p wa -k logins
-
-
-##- Process and session initiation (unsuccessful and successful)
-##
-## The session initiation is audited by pam without any rules needed.
-## Might also want to watch this file if needing extra information
-#-w /var/run/utmp -p wa -k session
-#-w /var/log/btmp -p wa -k session
-#-w /var/log/wtmp -p wa -k session
-
-##- Discretionary access control permission modification (unsuccessful
-## and successful use of chown/chmod)
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-
-##- Unauthorized access attempts to files (unsuccessful)
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
-
-##- Use of privileged commands (unsuccessful and successful)
-## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
-
-##- Use of print command (unsuccessful and successful)
-
-##- Export to media (successful)
-## You have to mount media before using it. You must disable all automounting
-## so that its done manually in order to get the correct user requesting the
-## export
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
-
-##- System startup and shutdown (unsuccessful and successful)
-
-##- Files and programs deleted by the user (successful and unsuccessful)
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
-
-##- All system administration actions
-##- All security personnel actions
-##
-## Look for pam_tty_audit and add it to your login entry point's pam configs.
-## If that is not found, use sudo which should be patched to record its
-## commands to the audit system. Do not allow unrestricted root shells or
-## sudo cannot record the action.
--w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions
-
-## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
-##ensure old audit logs are closed and new audit logs are started daily.
-##
-## Site action. Can be assisted by a cron job
-
-## Not specifically required by the STIG; but common sense items
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable - reboot is required to change audit rules
--e 2
-