From df5afa4fcd9725380f94ca6476248d4cc24f889a Mon Sep 17 00:00:00 2001 From: Ashlee Young Date: Sun, 29 Nov 2015 08:22:13 -0800 Subject: v2.4.4 audit sources Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young --- framework/src/audit/contrib/nispom.rules | 148 +++++++++++++++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 framework/src/audit/contrib/nispom.rules (limited to 'framework/src/audit/contrib/nispom.rules') diff --git a/framework/src/audit/contrib/nispom.rules b/framework/src/audit/contrib/nispom.rules new file mode 100644 index 00000000..6bcca086 --- /dev/null +++ b/framework/src/audit/contrib/nispom.rules @@ -0,0 +1,148 @@ +## +## This file contains the a sample audit configuration intended to +## meet the NISPOM Chapter 8 rules. +## +## This file should be saved as /etc/audit/audit.rules. +## +## For audit 1.6.5 and higher +## + +## Remove any existing rules +-D + +## Increase buffer size to handle the increased number of messages. +## Feel free to increase this if the machine panic's +-b 8192 + +## Set failure mode to panic +-f 2 + +## Make the loginuid immutable. This prevents tampering with the auid. +--loginuid-immutable + +## Audit 1, 1(a) Enough information to determine the date and time of +## action (e.g., common network time), the system locale of the action, +## the system entity that initiated or completed the action, the resources +## involved, and the action involved. + +## Things that could affect time +-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +# Introduced in 2.6.39, commented out because it can make false positives +#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change +#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change +-w /etc/localtime -p wa -k time-change + +## Things that could affect system locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/sysconfig/network -p wa -k system-locale +-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale + +## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. +## This is covered by patches to login, gdm, and openssh +## Might also want to watch these files if needing extra information +#-w /var/log/tallylog -p wa -k logins +#-w /var/run/faillock/ -p wa -k logins +#-w /var/log/lastlog -p wa -k logins +#-w /var/log/btmp -p wa -k logins +#-w /var/run/utmp -p wa -k logins + +## Audit 1, 1(c) Successful and unsuccessful accesses to +## security-relevant objects and directories, including +## creation, open, close, modification, and deletion. + +## unsuccessful creation +-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation +-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation +-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation +-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation + +## unsuccessful open +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open +-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open + +## unsuccessful close +-a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close +-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close + +## unsuccessful modifications +-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods +-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods +-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods +-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods + +## unsuccessful deletion +-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete +-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete +-a always,exit -F arch=b32 -S unlink,rmdirunlinkat -F exit=-EPERM -F key=delete +-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete + +## Audit 1, 1(d) Changes in user authenticators. +## Covered by patches to libpam, passwd, and shadow-utils +## Might also want to watch these files for changes +-w /etc/group -p wa -k auth +-w /etc/passwd -p wa -k auth +-w /etc/gshadow -p wa -k auth +-w /etc/shadow -p wa -k auth +-w /etc/security/opasswd -p wa -k auth + +## Audit 1, 1(e) The blocking or blacklisting of a user ID, +## terminal, or access port and the reason for the action. +## Covered by patches to pam_tally2 or pam_faillock and pam_limits + +## Audit 1, 1(f) Denial of access resulting from an excessive +## number of unsuccessful logon attempts. +## Covered by patches to pam_tally2 or pam_faillock + +## Audit 1, 2 Audit Trail Protection. The contents of audit trails +## shall be protected against unauthorized access, modification, +## or deletion. +## This should be covered by file permissions, but we can watch it +## to see any activity +-w /var/log/audit/ -k audit-logs + +## Not specifically required by NISPOM; but common sense items +## Optional - could indicate someone trying to do something bad or +## just debugging +#-a always,exit -F arch=b32 -S ptrace -F key=tracing +#-a always,exit -F arch=b64 -S ptrace -F key=tracing +#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection +#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection +#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection + +## Optional - might want to watch module insertion +#-w /sbin/insmod -p x -k modules +#-w /sbin/rmmod -p x -k modules +#-w /sbin/modprobe -p x -k modules +#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +#-a always,exit -F arch=b32 -S delete_module -F key=module-unload +#-a always,exit -F arch=b64 -S delete_module -F key=module-unload + +## Optional - admin may be abusing power by looking in user's home dir +#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + +## Optional - log container creation +#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create +#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create + +## Optional - watch for containers that may change their configuration +#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config +#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config + +## Put your own watches after this point +# -w /your-file -p rwxa -k mykey + +## Make the configuration immutable +#-e 2 -- cgit 1.2.3-korg