## ## This file contains a sample audit configuration. Combined with the ## system events that are audited by default, this set of rules causes ## audit to generate records for the auditable events specified by the ## Labeled Security Protection Profile (LSPP). ## ## It should be noted that this set of rules identifies directories by ## leaving a / at the end of the path. ## ## For audit 2.0.6 and higher ## ## Remove any existing rules -D ## Increase buffer size to handle the increased number of messages. ## Feel free to increase this if the machine panic's -b 8192 ## Set failure mode to panic -f 2 ## ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 ## successful and unsuccessful attempts to read information from the ## audit records; all modifications to the audit trail ## -w /var/log/audit/ -k LOG_audit ## ## FAU_SEL.1, FMT_MTD.1 ## modifications to audit configuration that occur while the audit ## collection functions are operating; all modications to the set of ## audited events ## -w /etc/audit/ -p wa -k CFG_audit -w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf -w /etc/audisp/ -p wa -k CFG_audisp ## ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2 ## all requests to perform an operation on an object covered by the ## SFP; all modifications of the values of security attributes; ## modifications to TSF data; attempts to revoke security attributes; ## all attempts to export information; all attempts to import user ## data, including any security attributes ## Objects covered by the Security Functional Policy (SFP) are: ## -File system objects (files, directories, special files, extended attributes) ## -IPC objects (SYSV shared memory, message queues, and semaphores) ## Operations on file system objects - by default, only monitor ## files and directories covered by filesystem watches. ## Changes in ownership and permissions #-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat #-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat #-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown #-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown ## Enable *32 rules if you are running on i386 or s390 ## Do not use for x86_64, ia64, ppc, ppc64, or s390x #-a always,exit -F arch=b32 -S fchown32,chown32,lchown32 ## File content modification. Permissions are checked at open time, ## monitoring individual read/write calls is not useful. #-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate #-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate ## Enable *64 rules if you are running on i386, ppc, ppc64, s390 ## Do not use for x86_64, ia64, or s390x #-a always,exit -F arch=b32 -S truncate64,ftruncate64 ## directory operations #-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir #-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir ## moving, removing, and linking #-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat #-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat #-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat #-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat ## Extended attribute operations ## Enable if you are interested in these events -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr ## special files -a always,exit -F arch=b32 -S mknod,mknodat -a always,exit -F arch=b64 -S mknod,mknodat ## Other file system operations ## Enable if i386 -a always,exit -F arch=b32 -S mount,umount,umount2 ## Enable if ppc, s390, or s390x #-a always,exit -F arch=b32 -S mount,umount,umount2 #-a always,exit -F arch=b64 -S mount,umount,umount2 ## Enable if ia64 #-a always,exit -F arch=b64 -S mount,umount ## Enable if x86_64 #-a always,exit -F arch=b64 -S mount,umount2 #-a always,exit -F arch=b32 -S mount,umount,umount2 ## IPC SYSV message queues ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) ## msgctl #-a always,exit -S ipc -F a0=14 ## msgget #-a always,exit -S ipc -F a0=13 ## Enable if you are interested in these events (x86_64,ia64) #-a always,exit -S msgctl #-a always,exit -S msgget ## IPC SYSV semaphores ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) ## semctl #-a always,exit -S ipc -F a0=0x3 ## semget #-a always,exit -S ipc -F a0=0x2 ## semop #-a always,exit -S ipc -F a0=0x1 ## semtimedop #-a always,exit -S ipc -F a0=0x4 ## Enable if you are interested in these events (x86_64, ia64) #-a always,exit -S semctl #-a always,exit -S semget #-a always,exit -S semop #-a always,exit -S semtimedop ## IPC SYSV shared memory ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) ## shmctl #-a always,exit -S ipc -F a0=24 ## shmget #-a always,exit -S ipc -F a0=23 ## Enable if you are interested in these events (x86_64, ia64) #-a always,exit -S shmctl #-a always,exit -S shmget ## ## FIA_USB.1 ## success and failure of binding user security attributes to a subject ## ## Enable if you are interested in these events ## #-a always,exit -F arch=b32 -S clone #-a always,exit -F arch=b64 -S clone #-a always,exit -F arch=b32 -S fork,vfork #-a always,exit -F arch=b64 -S fork,vfork ## For ia64 architecture, disable fork and vfork rules above, and ## enable the following: #-a always,exit -S clone2 ## ## FDP_ETC.2 ## Export of Labeled User Data ## ## Printing -w /etc/cups/ -p wa -k CFG_cups -w /etc/init.d/cups -p wa -k CFG_initd_cups ## ## FDP_ETC.2, FDP_ITC.2 ## Export/Import of Labeled User Data ## ## Networking -w /etc/netlabel.rules -p wa -k CFG_netlabel.rules -w /etc/ipsec.conf -p wa -k CFG_ipsec.conf -w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf -w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets ## ## FDP_IFC.1 ## Mandatory Access Control Policy ## -w /etc/selinux/config -p wa -k CFG_selinux_config -w /etc/selinux/mls/ -p wa -k CFG_MAC_policy -w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy -w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy ## ## FMT_MSA.3 ## modifications of the default setting of permissive or restrictive ## rules, all modifications of the initial value of security attributes ## ## Enable if you are interested in these events ## #-a always,exit -F arch=b32 -S umask #-a always,exit -F arch=b64 -S umask ## ## FPT_STM.1 ## changes to the time ## -a always,exit -F arch=b32 -S stime,adjtimex,settimeofday -a always,exit -F arch=b64 -S adjtimex,settimeofday -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change ## ## FTP_ITC.1 ## set-up of trusted channel ## -w /usr/sbin/stunnel -p x ## ## FPT_TST.1 Self Test ## aide is used to verify integrity of data and executables ## -w /etc/aide.conf -p wa -k CFG_aide.conf -w /var/lib/aide/aide.db.gz -k CFG_aide.db -w /var/lib/aide/aide.db.new.gz -k CFG_aide.db -w /var/log/aide/ -p wa -k CFG_aide.log ## ## Security Databases ## ## cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k CFG_cron.allow -w /etc/cron.deny -p wa -k CFG_cron.deny -w /etc/cron.d/ -p wa -k CFG_cron.d -w /etc/cron.daily/ -p wa -k CFG_cron.daily -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly -w /etc/crontab -p wa -k CFG_crontab -w /var/spool/cron/root -k CFG_crontab_root ## user, group, password databases -w /etc/group -p wa -k CFG_group -w /etc/passwd -p wa -k CFG_passwd -w /etc/gshadow -k CFG_gshadow -w /etc/shadow -k CFG_shadow -w /etc/security/opasswd -k CFG_opasswd ## login configuration and information -w /etc/login.defs -p wa -k CFG_login.defs -w /etc/securetty -p wa -k CFG_securetty -w /var/run/faillock/ -p wa -k LOG_faillock -w /var/log/lastlog -p wa -k LOG_lastlog -w /var/log/tallylog -p wa -k LOG_tallylog ## network configuration -w /etc/hosts -p wa -k CFG_hosts -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network ## system startup scripts -w /etc/sysconfig/init -p wa -k CFG_init -w /etc/init/ -p wa -k CFG_init -w /etc/inittab -p wa -k CFG_inittab -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts ## library search paths -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf ## local time zone -w /etc/localtime -p wa -k CFG_localtime ## kernel parameters -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf ## modprobe configuration -w /etc/modprobe.d/ -p wa -k CFG_modprobe ## pam configuration -w /etc/pam.d/ -p wa -k CFG_pam -w /etc/security/access.conf -p wa -k CFG_pam -w /etc/security/limits.conf -p wa -k CFG_pam -w /etc/security/pam_env.conf -p wa -k CFG_pam -w /etc/security/namespace.conf -p wa -k CFG_pam -w /etc/security/namespace.d/ -p wa -k CFG_pam -w /etc/security/namespace.init -p wa -k CFG_pam -w /etc/security/sepermit.conf -p wa -k CFG_pam -w /etc/security/time.conf -p wa -k CFG_pam ## postfix configuration -w /etc/aliases -p wa -k CFG_aliases -w /etc/postfix/ -p wa -k CFG_postfix ## screen configuration -w /etc/screenrc -p wa -k CFG_screen ## ssh configuration -w /etc/ssh/sshd_config -k CFG_sshd_config ## stunnel configuration -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem ## sudo configuration -w /etc/sudoers -k CFG_sudoers -w /etc/sudoers.d/ -k CFG_sudoers ## xinetd configuration -w /etc/xinetd.d/ -k CFG_xinetd.d -w /etc/xinetd.conf -k CFG_xinetd.conf ## Not specifically required by LSPP; but common sense items -a always,exit -F arch=b32 -S sethostname,setdomainname -a always,exit -F arch=b64 -S sethostname,setdomainname -w /etc/issue -p wa -k CFG_issue -w /etc/issue.net -p wa -k CFG_issue.net ## Optional - could indicate someone trying to do something bad or ## just debugging #-a always,exit -F arch=b32 -S ptrace -F key=tracing #-a always,exit -F arch=b64 -S ptrace -F key=tracing #-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection #-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection #-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection #-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection #-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection #-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection ## Optional - might want to watch module insertion #-w /sbin/insmod -p x -k modules #-w /sbin/rmmod -p x -k modules #-w /sbin/modprobe -p x -k modules #-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load #-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load #-a always,exit -F arch=b32 -S delete_module -F key=module-unload #-a always,exit -F arch=b64 -S delete_module -F key=module-unload ## Optional - admin may be abusing power by looking in user's home dir #-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse ## Optional - log container creation #-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create #-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create ## Optional - watch for containers that may change their configuration #-a always,exit -F arch=b32 -S unshare,setns -F key=container-config #-a always,exit -F arch=b64 -S unshare,setns -F key=container-config ## Put your own watches after this point # -w /your-file -p rwxa -k mykey ## Make the configuration immutable #-e 2