1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
## This file contains the auditctl rules that are loaded
## whenever the audit daemon is started via the initscripts.
## The rules are simply the parameters that would be passed
## to auditctl.
##
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to panic
-f 2
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
## NOTE:
## 1) if this is being used on a 32 bit machine, comment out the b64 lines
## 2) These rules assume that login under the root account is not allowed.
## 3) It is also assumed that 500 represents the first usable user account. To
## be sure, look at UID_MIN in /etc/login.defs.
## 4) If these rules generate too much spurious data for your tastes, limit the
## the syscall file rules with a directory, like -F dir=/etc
## 5) You can search for the results on the key fields in the rules
##
##
## (GEN002880: CAT II) The IAO will ensure the auditing software can
## record the following for each audit event:
##- Date and time of the event
##- Userid that initiated the event
##- Type of event
##- Success or failure of the event
##- For I&A events, the origin of the request (e.g., terminal ID)
##- For events that introduce an object into a user’s address space, and
## for object deletion events, the name of the object, and in MLS
## systems, the object’s security level.
##
## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-w /etc/localtime -p wa -k time-change
## Things that affect identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Things that could affect system locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
## Things that could affect MAC policy
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
## (GEN002900: CAT III) The IAO will ensure audit files are retained at
## least one year; systems containing SAMI will be retained for five years.
##
## Site action - no action in config files
## (GEN002920: CAT III) The IAO will ensure audit files are backed up
## no less than weekly onto a different system than the system being
## audited or backup media.
##
## Can be done with cron script
## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
## files have permissions of 640, or more restrictive.
##
## Done automatically by auditd
## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
## configure the auditing system to audit the following events for all
## users and root:
##
## - Logon (unsuccessful and successful) and logout (successful)
##
## Handled by pam, sshd, login, and gdm
## Might also want to watch these files if needing extra information
#-w /var/log/tallylog -p wa -k logins
#-w /var/run/faillock/ -p wa -k logins
#-w /var/log/lastlog -p wa -k logins
##- Process and session initiation (unsuccessful and successful)
##
## The session initiation is audited by pam without any rules needed.
## Might also want to watch this file if needing extra information
#-w /var/run/utmp -p wa -k session
#-w /var/log/btmp -p wa -k session
#-w /var/log/wtmp -p wa -k session
##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
##- Use of privileged commands (unsuccessful and successful)
## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
##- Use of print command (unsuccessful and successful)
##- Export to media (successful)
## You have to mount media before using it. You must disable all automounting
## so that its done manually in order to get the correct user requesting the
## export
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
##- System startup and shutdown (unsuccessful and successful)
##- Files and programs deleted by the user (successful and unsuccessful)
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
##- All system administration actions
##- All security personnel actions
##
## Look for pam_tty_audit and add it to your login entry point's pam configs.
## If that is not found, use sudo which should be patched to record its
## commands to the audit system. Do not allow unrestricted root shells or
## sudo cannot record the action.
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
##ensure old audit logs are closed and new audit logs are started daily.
##
## Site action. Can be assisted by a cron job
## Not specifically required by the STIG; but common sense items
## Optional - could indicate someone trying to do something bad or
## just debugging
#-a always,exit -F arch=b32 -S ptrace -F key=tracing
#-a always,exit -F arch=b64 -S ptrace -F key=tracing
#-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
#-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
#-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
#-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
#-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
#-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
## Optional - might want to watch module insertion
#-w /sbin/insmod -p x -k modules
#-w /sbin/rmmod -p x -k modules
#-w /sbin/modprobe -p x -k modules
#-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
#-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
#-a always,exit -F arch=b32 -S delete_module -F key=module-unload
#-a always,exit -F arch=b64 -S delete_module -F key=module-unload
## Optional - admin may be abusing power by looking in user's home dir
#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
## Optional - log container creation
#-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
#-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create
## Optional - watch for containers that may change their configuration
#-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
#-a always,exit -F arch=b64 -S unshare,setns -F key=container-config
## Put your own watches after this point
# -w /your-file -p rwxa -k mykey
## Make the configuration immutable - reboot is required to change audit rules
-e 2
|
