path: root/framework/src/audit/contrib/lspp.rules

##
## This file contains a sample audit configuration.  Combined with the
## system events that are audited by default, this set of rules causes
## audit to generate records for the auditable events specified by the
## Labeled Security Protection Profile (LSPP).
## 
## It should be noted that this set of rules identifies directories by
## leaving a / at the end of the path.
##
## For audit 2.0.6 and higher
##

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192

## Set failure mode to panic
-f 2

##
## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
##
-w /var/log/audit/ -k LOG_audit

## 
## FAU_SEL.1, FMT_MTD.1
## modifications to audit configuration that occur while the audit
## collection functions are operating; all modications to the set of
## audited events
##
-w /etc/audit/ -p wa -k CFG_audit
-w /etc/sysconfig/auditd  -p wa -k CFG_auditd.conf
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
-w /etc/audisp/ -p wa -k CFG_audisp

##
## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
## all requests to perform an operation on an object covered by the
## SFP; all modifications of the values of security attributes;
## modifications to TSF data; attempts to revoke security attributes;
## all attempts to export information; all attempts to import user
## data, including any security attributes

## Objects covered by the Security Functional Policy (SFP) are:
## -File system objects (files, directories, special files, extended attributes)
## -IPC objects (SYSV shared memory, message queues, and semaphores)

## Operations on file system objects - by default, only monitor
## files and directories covered by filesystem watches.

## Changes in ownership and permissions
#-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat 
#-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat 
#-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown
#-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown
## Enable *32 rules if you are running on i386 or s390
## Do not use for x86_64, ia64, ppc, ppc64, or s390x
#-a always,exit -F arch=b32 -S fchown32,chown32,lchown32

## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
#-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
#-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate
## Enable *64 rules if you are running on i386, ppc, ppc64, s390
## Do not use for x86_64, ia64, or s390x
#-a always,exit -F arch=b32 -S truncate64,ftruncate64

## directory operations
#-a always,exit -F arch=b32 -S mkdir,mkdirat,rmdir
#-a always,exit -F arch=b64 -S mkdir,mkdirat,rmdir

## moving, removing, and linking
#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat
#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat
#-a always,exit -F arch=b32 -S link,linkat,symlink,symlinkat
#-a always,exit -F arch=b64 -S link,linkat,symlink,symlinkat

## Extended attribute operations
## Enable if you are interested in these events
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr

## special files
-a always,exit -F arch=b32 -S mknod,mknodat
-a always,exit -F arch=b64 -S mknod,mknodat

## Other file system operations
## Enable if i386
-a always,exit -F arch=b32 -S mount,umount,umount2
## Enable if ppc, s390, or s390x
#-a always,exit -F arch=b32 -S mount,umount,umount2
#-a always,exit -F arch=b64 -S mount,umount,umount2
## Enable if ia64
#-a always,exit -F arch=b64 -S mount,umount
## Enable if x86_64
#-a always,exit -F arch=b64 -S mount,umount2
#-a always,exit -F arch=b32 -S mount,umount,umount2

## IPC SYSV message queues
## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
## msgctl
#-a always,exit -S ipc -F a0=14
## msgget
#-a always,exit -S ipc -F a0=13
## Enable if you are interested in these events (x86_64,ia64)
#-a always,exit -S msgctl
#-a always,exit -S msgget

## IPC SYSV semaphores
## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
## semctl
#-a always,exit -S ipc -F a0=0x3
## semget
#-a always,exit -S ipc -F a0=0x2
## semop
#-a always,exit -S ipc -F a0=0x1
## semtimedop
#-a always,exit -S ipc -F a0=0x4
## Enable if you are interested in these events (x86_64, ia64)
#-a always,exit -S semctl
#-a always,exit -S semget
#-a always,exit -S semop
#-a always,exit -S semtimedop

## IPC SYSV shared memory
## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
## shmctl
#-a always,exit -S ipc -F a0=24
## shmget
#-a always,exit -S ipc -F a0=23
## Enable if you are interested in these events (x86_64, ia64)
#-a always,exit -S shmctl
#-a always,exit -S shmget

##
## FIA_USB.1
## success and failure of binding user security attributes to a subject
##
## Enable if you are interested in these events
##
#-a always,exit -F arch=b32 -S clone
#-a always,exit -F arch=b64 -S clone
#-a always,exit -F arch=b32 -S fork,vfork
#-a always,exit -F arch=b64 -S fork,vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a always,exit -S clone2

##
## FDP_ETC.2 
## Export of Labeled User Data
##
## Printing
-w /etc/cups/ -p wa -k CFG_cups
-w /etc/init.d/cups -p wa -k CFG_initd_cups

##
## FDP_ETC.2, FDP_ITC.2
## Export/Import of Labeled User Data
##
## Networking
-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
-w /etc/ipsec.conf -p wa -k CFG_ipsec.conf
-w /etc/ipsec.d/ -p wa -k CFG_ipsec.conf
-w /etc/ipsec.secrets -p wa -k CFG_ipsec.secrets

##
## FDP_IFC.1
## Mandatory Access Control Policy
##
-w /etc/selinux/config -p wa -k CFG_selinux_config
-w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
-w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy

##
## FMT_MSA.3
## modifications of the default setting of permissive or restrictive
## rules, all modifications of the initial value of security attributes
##
## Enable if you are interested in these events
##
#-a always,exit -F arch=b32 -S umask
#-a always,exit -F arch=b64 -S umask

##
## FPT_STM.1
## changes to the time
##
-a always,exit -F arch=b32 -S stime,adjtimex,settimeofday
-a always,exit -F arch=b64 -S adjtimex,settimeofday
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change

##
## FTP_ITC.1
## set-up of trusted channel
##
-w /usr/sbin/stunnel -p x

##
## FPT_TST.1 Self Test
## aide is used to verify integrity of data and executables
##
-w /etc/aide.conf -p wa -k CFG_aide.conf
-w /var/lib/aide/aide.db.gz -k CFG_aide.db
-w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
-w /var/log/aide/ -p wa -k CFG_aide.log

##
## Security Databases
##

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly 
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root

## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -p wa -k CFG_securetty
-w /var/run/faillock/ -p wa -k LOG_faillock
-w /var/log/lastlog -p wa -k LOG_lastlog
-w /var/log/tallylog -p wa -k LOG_tallylog

## network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network

## system startup scripts
-w /etc/sysconfig/init -p wa -k CFG_init
-w /etc/init/ -p wa -k CFG_init
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts

## library search paths
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf

## local time zone
-w /etc/localtime -p wa -k CFG_localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf

## modprobe configuration
-w /etc/modprobe.d/ -p wa -k CFG_modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/access.conf -p wa  -k CFG_pam
-w /etc/security/limits.conf -p wa  -k CFG_pam
-w /etc/security/pam_env.conf -p wa -k CFG_pam
-w /etc/security/namespace.conf -p wa -k CFG_pam
-w /etc/security/namespace.d/ -p wa -k CFG_pam
-w /etc/security/namespace.init -p wa -k CFG_pam
-w /etc/security/sepermit.conf -p wa -k CFG_pam
-w /etc/security/time.conf -p wa -k CFG_pam

## postfix configuration
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix

## screen configuration
-w /etc/screenrc -p wa -k CFG_screen

## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config

## stunnel configuration
-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem

## sudo configuration
-w /etc/sudoers -k CFG_sudoers
-w /etc/sudoers.d/ -k CFG_sudoers

## xinetd configuration
-w /etc/xinetd.d/ -k CFG_xinetd.d
-w /etc/xinetd.conf -k CFG_xinetd.conf

## Not specifically required by LSPP; but common sense items
-a always,exit -F arch=b32 -S sethostname,setdomainname
-a always,exit -F arch=b64 -S sethostname,setdomainname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net

## Optional - could indicate someone trying to do something bad or
## just debugging
#-a always,exit -F arch=b32 -S ptrace -F key=tracing
#-a always,exit -F arch=b64 -S ptrace -F key=tracing
#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection

## Optional - might want to watch module insertion
#-w /sbin/insmod -p x -k modules
#-w /sbin/rmmod -p x -k modules
#-w /sbin/modprobe -p x -k modules
#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
#-a always,exit -F arch=b64 -S delete_module -F key=module-unload

## Optional - admin may be abusing power by looking in user's home dir
#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse

## Optional - log container creation
#-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
#-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create

## Optional - watch for containers that may change their configuration
#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config

## Put your own watches after this point
# -w /your-file -p rwxa -k mykey

## Make the configuration immutable
#-e 2