From 19d701ddf07d855128ded0cf2b573ce468e3bdd6 Mon Sep 17 00:00:00 2001
From: Ashlee Young
Date: Wed, 20 Jan 2016 01:10:01 +0000
Subject: Removing Suricata and Audit from source repo, and updated build.sh to avoid building suricata. Will re-address this in C release via tar balls.

Change-Id: I3710076f8b7f3313cb3cb5260c4eb0a6834d4f6e
Signed-off-by: Ashlee Young
---
framework/src/audit/contrib/lspp.rules | 343 ---------------------------------
1 file changed, 343 deletions(-)
delete mode 100644 framework/src/audit/contrib/lspp.rules

(limited to 'framework/src/audit/contrib/lspp.rules')

diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules
deleted file mode 100644
index e0919bd2..00000000
--- a/framework/src/audit/contrib/lspp.rules
+++ /dev/null
@@ -1,343 +0,0 @@
-##
-## This file contains a sample audit configuration. Combined with the
-## system events that are audited by default, this set of rules causes
-## audit to generate records for the auditable events specified by the
-## Labeled Security Protection Profile (LSPP).
-##
-## It should be noted that this set of rules identifies directories by
-## leaving a / at the end of the path.
-##
-## For audit 2.0.6 and higher
-##
-
-## Remove any existing rules
--D
-
-## Increase buffer size to handle the increased number of messages.
-## Feel free to increase this if the machine panic's
--b 8192
-
-## Set failure mode to panic
--f 2
-
-##
-## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
-## successful and unsuccessful attempts to read information from the
-## audit records; all modifications to the audit trail
-##
--w /var/log/audit/ -k LOG_audit
-
-##
-## FAU_SEL.1, FMT_MTD.1
-## modifications to audit configuration that occur while the audit
-## collection functions are operating; all modications to the set of
-## audited events
-##
--w /etc/audit/ -p wa -k CFG_audit
--w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
--w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
--w /etc/audisp/ -p wa -k CFG_audisp
-
-##
-## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
-## all requests to perform an operation on an object covered by the
-## SFP; all modifications of the values of security attributes;
-## modifications to TSF data; attempts to revoke security attributes;
-## all attempts to export information; all attempts to import user
-## data, including any security attributes
-
-## Objects covered by the Security Functional Policy (SFP) are:
-## -File system objects (files, directories, special files, extended attributes)
-## -IPC objects (SYSV shared memory, message queues, and semaphores)
-
-## Operations on file system objects - by default, only monitor
-## files and directories covered by filesystem watches.
-
-## Changes in ownership and permissions
-#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat
-#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
-#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
-## Enable *32 rules if you are running on i386 or s390
-## Do not use for x86_64, ia64, ppc, ppc64, or s390x
-#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
-
-## File content modification. Permissions are checked at open time,
-## monitoring individual read/write calls is not useful.
-#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
-## Enable *64 rules if you are running on i386, ppc, ppc64, s390
-## Do not use for x86_64, ia64, or s390x
-#-a always,exit -F arch=b32 -S truncate64,ftruncate64
-
-## directory operations
-#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
-#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
-
-## moving, removing, and linking
-#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
-#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
-#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
-
-## Extended attribute operations
-## Enable if you are interested in these events
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-
-## special files
--a always,exit -F arch=b32 -S mknod,mknodat
--a always,exit -F arch=b64 -S mknod,mknodat
-
-## Other file system operations
-## Enable if i386
--a always,exit -F arch=b32 -S mount,umount,umount2
-## Enable if ppc, s390, or s390x
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-#-a always,exit -F arch=b64 -S mount,umount,umount2
-## Enable if ia64
-#-a always,exit -F arch=b64 -S mount,umount
-## Enable if x86_64
-#-a always,exit -F arch=b64 -S mount,umount2
-#-a always,exit -F arch=b32 -S mount,umount,umount2
-
-## IPC SYSV message queues
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## msgctl
-#-a always,exit -S ipc -F a0=14
-## msgget
-#-a always,exit -S ipc -F a0=13
-## Enable if you are interested in these events (x86_64,ia64)
-#-a always,exit -S msgctl
-#-a always,exit -S msgget
-
-## IPC SYSV semaphores
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## semctl
-#-a always,exit -S ipc -F a0=0x3
-## semget
-#-a always,exit -S ipc -F a0=0x2
-## semop
-#-a always,exit -S ipc -F a0=0x1
-## semtimedop
-#-a always,exit -S ipc -F a0=0x4
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S semctl
-#-a always,exit -S semget
-#-a always,exit -S semop
-#-a always,exit -S semtimedop
-
-## IPC SYSV shared memory
-## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
-## shmctl
-#-a always,exit -S ipc -F a0=24
-## shmget
-#-a always,exit -S ipc -F a0=23
-## Enable if you are interested in these events (x86_64, ia64)
-#-a always,exit -S shmctl
-#-a always,exit -S shmget
-
-##
-## FIA_USB.1
-## success and failure of binding user security attributes to a subject
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S clone
-#-a always,exit -F arch=b64 -S clone
-#-a always,exit -F arch=b32 -S fork,vfork
-#-a always,exit -F arch=b64 -S fork,vfork
-## For ia64 architecture, disable fork and vfork rules above, and
-## enable the following:
-#-a always,exit -S clone2
-
-##
-## FDP_ETC.2
-## Export of Labeled User Data
-##
-## Printing
--w /etc/cups/ -p wa -k CFG_cups
--w /etc/init.d/cups -p wa -k CFG_initd_cups
-
-##
-## FDP_ETC.2, FDP_ITC.2
-## Export/Import of Labeled User Data
-##
-## Networking
--w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
--w /etc/ipsec.conf -p wa -k CFG_ipsec.conf
--w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf
--w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets
-
-##
-## FDP_IFC.1
-## Mandatory Access Control Policy
-##
--w /etc/selinux/config -p wa -k CFG_selinux_config
--w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
--w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
--w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
-
-##
-## FMT_MSA.3
-## modifications of the default setting of permissive or restrictive
-## rules, all modifications of the initial value of security attributes
-##
-## Enable if you are interested in these events
-##
-#-a always,exit -F arch=b32 -S umask
-#-a always,exit -F arch=b64 -S umask
-
-##
-## FPT_STM.1
-## changes to the time
-##
--a always,exit -F arch=b32 -S stime,adjtimex,settimeofday
--a always,exit -F arch=b64 -S adjtimex,settimeofday
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0
-# Introduced in 2.6.39, commented out because it can make false positives
-#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
-#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-
-##
-## FTP_ITC.1
-## set-up of trusted channel
-##
--w /usr/sbin/stunnel -p x
-
-##
-## FPT_TST.1 Self Test
-## aide is used to verify integrity of data and executables
-##
--w /etc/aide.conf -p wa -k CFG_aide.conf
--w /var/lib/aide/aide.db.gz -k CFG_aide.db
--w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
--w /var/log/aide/ -p wa -k CFG_aide.log
-
-##
-## Security Databases
-##
-
-## cron configuration & scheduled jobs
--w /etc/cron.allow -p wa -k CFG_cron.allow
--w /etc/cron.deny -p wa -k CFG_cron.deny
--w /etc/cron.d/ -p wa -k CFG_cron.d
--w /etc/cron.daily/ -p wa -k CFG_cron.daily
--w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
--w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
--w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
--w /etc/crontab -p wa -k CFG_crontab
--w /var/spool/cron/root -k CFG_crontab_root
-
-## user, group, password databases
--w /etc/group -p wa -k CFG_group
--w /etc/passwd -p wa -k CFG_passwd
--w /etc/gshadow -k CFG_gshadow
--w /etc/shadow -k CFG_shadow
--w /etc/security/opasswd -k CFG_opasswd
-
-## login configuration and information
--w /etc/login.defs -p wa -k CFG_login.defs
--w /etc/securetty -p wa -k CFG_securetty
--w /var/run/faillock/ -p wa -k LOG_faillock
--w /var/log/lastlog -p wa -k LOG_lastlog
--w /var/log/tallylog -p wa -k LOG_tallylog
-
-## network configuration
--w /etc/hosts -p wa -k CFG_hosts
--w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-
-## system startup scripts
--w /etc/sysconfig/init -p wa -k CFG_init
--w /etc/init/ -p wa -k CFG_init
--w /etc/inittab -p wa -k CFG_inittab
--w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
-
-## library search paths
--w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-
-## local time zone
--w /etc/localtime -p wa -k CFG_localtime
-
-## kernel parameters
--w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-
-## modprobe configuration
--w /etc/modprobe.d/ -p wa -k CFG_modprobe
-
-## pam configuration
--w /etc/pam.d/ -p wa -k CFG_pam
--w /etc/security/access.conf -p wa -k CFG_pam
--w /etc/security/limits.conf -p wa -k CFG_pam
--w /etc/security/pam_env.conf -p wa -k CFG_pam
--w /etc/security/namespace.conf -p wa -k CFG_pam
--w /etc/security/namespace.d/ -p wa -k CFG_pam
--w /etc/security/namespace.init -p wa -k CFG_pam
--w /etc/security/sepermit.conf -p wa -k CFG_pam
--w /etc/security/time.conf -p wa -k CFG_pam
-
-## postfix configuration
--w /etc/aliases -p wa -k CFG_aliases
--w /etc/postfix/ -p wa -k CFG_postfix
-
-## screen configuration
--w /etc/screenrc -p wa -k CFG_screen
-
-## ssh configuration
--w /etc/ssh/sshd_config -k CFG_sshd_config
-
-## stunnel configuration
--w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
--w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
-
-## sudo configuration
--w /etc/sudoers -k CFG_sudoers
--w /etc/sudoers.d/ -k CFG_sudoers
-
-## xinetd configuration
--w /etc/xinetd.d/ -k CFG_xinetd.d
--w /etc/xinetd.conf -k CFG_xinetd.conf
-
-## Not specifically required by LSPP; but common sense items
--a always,exit -F arch=b32 -S sethostname,setdomainname
--a always,exit -F arch=b64 -S sethostname,setdomainname
--w /etc/issue -p wa -k CFG_issue
--w /etc/issue.net -p wa -k CFG_issue.net
-
-## Optional - could indicate someone trying to do something bad or
-## just debugging
-#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-#-a always,exit -F arch=b64 -S ptrace -F key=tracing
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-
-## Optional - might want to watch module insertion
-#-w /sbin/insmod -p x -k modules
-#-w /sbin/rmmod -p x -k modules
-#-w /sbin/modprobe -p x -k modules
-#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-## Optional - admin may be abusing power by looking in user's home dir
-#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
-## Optional - log container creation
-#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
-#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
-
-## Optional - watch for containers that may change their configuration
-#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
-
-## Put your own watches after this point
-# -w /your-file -p rwxa -k mykey
-
-## Make the configuration immutable
-#-e 2
-- cgit 1.2.3-korg