From df5afa4fcd9725380f94ca6476248d4cc24f889a Mon Sep 17 00:00:00 2001
From: Ashlee Young <ashlee@wildernessvoice.com>
Date: Sun, 29 Nov 2015 08:22:13 -0800
Subject: v2.4.4 audit sources

Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
---
 framework/src/audit/contrib/lspp.rules | 343 +++++++++++++++++++++++++++++++++
 1 file changed, 343 insertions(+)
 create mode 100644 framework/src/audit/contrib/lspp.rules

(limited to 'framework/src/audit/contrib/lspp.rules')

diff --git a/framework/src/audit/contrib/lspp.rules b/framework/src/audit/contrib/lspp.rules
new file mode 100644
index 00000000..e0919bd2
--- /dev/null
+++ b/framework/src/audit/contrib/lspp.rules
@@ -0,0 +1,343 @@
+##
+## This file contains a sample audit configuration.  Combined with the
+## system events that are audited by default, this set of rules causes
+## audit to generate records for the auditable events specified by the
+## Labeled Security Protection Profile (LSPP).
+## 
+## It should be noted that this set of rules identifies directories by
+## leaving a / at the end of the path.
+##
+## For audit 2.0.6 and higher
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Set failure mode to panic
+-f 2
+
+##
+## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
+## successful and unsuccessful attempts to read information from the
+## audit records; all modifications to the audit trail
+##
+-w /var/log/audit/ -k LOG_audit
+
+## 
+## FAU_SEL.1, FMT_MTD.1
+## modifications to audit configuration that occur while the audit
+## collection functions are operating; all modications to the set of
+## audited events
+##
+-w /etc/audit/ -p wa -k CFG_audit
+-w /etc/sysconfig/auditd  -p wa -k CFG_auditd.conf
+-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
+-w /etc/audisp/ -p wa -k CFG_audisp
+
+##
+## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
+## all requests to perform an operation on an object covered by the
+## SFP; all modifications of the values of security attributes;
+## modifications to TSF data; attempts to revoke security attributes;
+## all attempts to export information; all attempts to import user
+## data, including any security attributes
+
+## Objects covered by the Security Functional Policy (SFP) are:
+## -File system objects (files, directories, special files, extended attributes)
+## -IPC objects (SYSV shared memory, message queues, and semaphores)
+
+## Operations on file system objects - by default, only monitor
+## files and directories covered by filesystem watches.
+
+## Changes in ownership and permissions
+#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat 
+#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat 
+#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
+#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
+## Enable *32 rules if you are running on i386 or s390
+## Do not use for x86_64, ia64, ppc, ppc64, or s390x
+#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32
+
+## File content modification. Permissions are checked at open time,
+## monitoring individual read/write calls is not useful.
+#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
+## Enable *64 rules if you are running on i386, ppc, ppc64, s390
+## Do not use for x86_64, ia64, or s390x
+#-a always,exit -F arch=b32 -S truncate64,ftruncate64
+
+## directory operations
+#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
+#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir
+
+## moving, removing, and linking
+#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
+#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
+#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat
+
+## Extended attribute operations
+## Enable if you are interested in these events
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
+
+## special files
+-a always,exit -F arch=b32 -S mknod,mknodat
+-a always,exit -F arch=b64 -S mknod,mknodat
+
+## Other file system operations
+## Enable if i386
+-a always,exit -F arch=b32 -S mount,umount,umount2
+## Enable if ppc, s390, or s390x
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+#-a always,exit -F arch=b64 -S mount,umount,umount2
+## Enable if ia64
+#-a always,exit -F arch=b64 -S mount,umount
+## Enable if x86_64
+#-a always,exit -F arch=b64 -S mount,umount2
+#-a always,exit -F arch=b32 -S mount,umount,umount2
+
+## IPC SYSV message queues
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## msgctl
+#-a always,exit -S ipc -F a0=14
+## msgget
+#-a always,exit -S ipc -F a0=13
+## Enable if you are interested in these events (x86_64,ia64)
+#-a always,exit -S msgctl
+#-a always,exit -S msgget
+
+## IPC SYSV semaphores
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## semctl
+#-a always,exit -S ipc -F a0=0x3
+## semget
+#-a always,exit -S ipc -F a0=0x2
+## semop
+#-a always,exit -S ipc -F a0=0x1
+## semtimedop
+#-a always,exit -S ipc -F a0=0x4
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S semctl
+#-a always,exit -S semget
+#-a always,exit -S semop
+#-a always,exit -S semtimedop
+
+## IPC SYSV shared memory
+## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
+## shmctl
+#-a always,exit -S ipc -F a0=24
+## shmget
+#-a always,exit -S ipc -F a0=23
+## Enable if you are interested in these events (x86_64, ia64)
+#-a always,exit -S shmctl
+#-a always,exit -S shmget
+
+##
+## FIA_USB.1
+## success and failure of binding user security attributes to a subject
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S clone
+#-a always,exit -F arch=b64 -S clone
+#-a always,exit -F arch=b32 -S fork,vfork
+#-a always,exit -F arch=b64 -S fork,vfork
+## For ia64 architecture, disable fork and vfork rules above, and
+## enable the following:
+#-a always,exit -S clone2
+
+##
+## FDP_ETC.2 
+## Export of Labeled User Data
+##
+## Printing
+-w /etc/cups/ -p wa -k CFG_cups
+-w /etc/init.d/cups -p wa -k CFG_initd_cups
+
+##
+## FDP_ETC.2, FDP_ITC.2
+## Export/Import of Labeled User Data
+##
+## Networking
+-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
+-w /etc/ipsec.conf -p wa -k CFG_ipsec.conf
+-w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf
+-w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets
+
+##
+## FDP_IFC.1
+## Mandatory Access Control Policy
+##
+-w /etc/selinux/config -p wa -k CFG_selinux_config
+-w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
+-w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
+-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
+
+##
+## FMT_MSA.3
+## modifications of the default setting of permissive or restrictive
+## rules, all modifications of the initial value of security attributes
+##
+## Enable if you are interested in these events
+##
+#-a always,exit -F arch=b32 -S umask
+#-a always,exit -F arch=b64 -S umask
+
+##
+## FPT_STM.1
+## changes to the time
+##
+-a always,exit -F arch=b32 -S stime,adjtimex,settimeofday
+-a always,exit -F arch=b64 -S adjtimex,settimeofday
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0
+# Introduced in 2.6.39, commented out because it can make false positives
+#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
+#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
+
+##
+## FTP_ITC.1
+## set-up of trusted channel
+##
+-w /usr/sbin/stunnel -p x
+
+##
+## FPT_TST.1 Self Test
+## aide is used to verify integrity of data and executables
+##
+-w /etc/aide.conf -p wa -k CFG_aide.conf
+-w /var/lib/aide/aide.db.gz -k CFG_aide.db
+-w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
+-w /var/log/aide/ -p wa -k CFG_aide.log
+
+##
+## Security Databases
+##
+
+## cron configuration & scheduled jobs
+-w /etc/cron.allow -p wa -k CFG_cron.allow
+-w /etc/cron.deny -p wa -k CFG_cron.deny
+-w /etc/cron.d/ -p wa -k CFG_cron.d
+-w /etc/cron.daily/ -p wa -k CFG_cron.daily
+-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
+-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
+-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly 
+-w /etc/crontab -p wa -k CFG_crontab
+-w /var/spool/cron/root -k CFG_crontab_root
+
+## user, group, password databases
+-w /etc/group -p wa -k CFG_group
+-w /etc/passwd -p wa -k CFG_passwd
+-w /etc/gshadow -k CFG_gshadow
+-w /etc/shadow -k CFG_shadow
+-w /etc/security/opasswd -k CFG_opasswd
+
+## login configuration and information
+-w /etc/login.defs -p wa -k CFG_login.defs
+-w /etc/securetty -p wa -k CFG_securetty
+-w /var/run/faillock/ -p wa -k LOG_faillock
+-w /var/log/lastlog -p wa -k LOG_lastlog
+-w /var/log/tallylog -p wa -k LOG_tallylog
+
+## network configuration
+-w /etc/hosts -p wa -k CFG_hosts
+-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
+
+## system startup scripts
+-w /etc/sysconfig/init -p wa -k CFG_init
+-w /etc/init/ -p wa -k CFG_init
+-w /etc/inittab -p wa -k CFG_inittab
+-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
+
+## library search paths
+-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
+
+## local time zone
+-w /etc/localtime -p wa -k CFG_localtime
+
+## kernel parameters
+-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
+
+## modprobe configuration
+-w /etc/modprobe.d/ -p wa -k CFG_modprobe
+
+## pam configuration
+-w /etc/pam.d/ -p wa -k CFG_pam
+-w /etc/security/access.conf -p wa  -k CFG_pam
+-w /etc/security/limits.conf -p wa  -k CFG_pam
+-w /etc/security/pam_env.conf -p wa -k CFG_pam
+-w /etc/security/namespace.conf -p wa -k CFG_pam
+-w /etc/security/namespace.d/ -p wa -k CFG_pam
+-w /etc/security/namespace.init -p wa -k CFG_pam
+-w /etc/security/sepermit.conf -p wa -k CFG_pam
+-w /etc/security/time.conf -p wa -k CFG_pam
+
+## postfix configuration
+-w /etc/aliases -p wa -k CFG_aliases
+-w /etc/postfix/ -p wa -k CFG_postfix
+
+## screen configuration
+-w /etc/screenrc -p wa -k CFG_screen
+
+## ssh configuration
+-w /etc/ssh/sshd_config -k CFG_sshd_config
+
+## stunnel configuration
+-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
+-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
+
+## sudo configuration
+-w /etc/sudoers -k CFG_sudoers
+-w /etc/sudoers.d/ -k CFG_sudoers
+
+## xinetd configuration
+-w /etc/xinetd.d/ -k CFG_xinetd.d
+-w /etc/xinetd.conf -k CFG_xinetd.conf
+
+## Not specifically required by LSPP; but common sense items
+-a always,exit -F arch=b32 -S sethostname,setdomainname
+-a always,exit -F arch=b64 -S sethostname,setdomainname
+-w /etc/issue -p wa -k CFG_issue
+-w /etc/issue.net -p wa -k CFG_issue.net
+
+## Optional - could indicate someone trying to do something bad or
+## just debugging
+#-a always,exit -F arch=b32 -S ptrace -F key=tracing
+#-a always,exit -F arch=b64 -S ptrace -F key=tracing
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
+#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
+#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
+
+## Optional - might want to watch module insertion
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+## Optional - admin may be abusing power by looking in user's home dir
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
+#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
+#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
+## Make the configuration immutable
+#-e 2
-- 
cgit 1.2.3-korg