  1. ##
  2. ## This file contains a sample audit configuration.  Combined with the
  3. ## system events that are audited by default, this set of rules causes
  4. ## audit to generate records for the auditable events specified by the
  5. ## Controlled Access Protection Profile (CAPP).
  6. ##
## Note: this rule set marks directories by leaving a trailing / on the path.
## Whether a -w watch on a directory also covers nested subdirectories depends
## on the audit/kernel version in use (older inode-based watches see only the
## directory and its direct entries; newer auditctl maps directory watches to
## recursive -F dir= trees), so verify on the target kernel with a test write.
  9. ##
  10. ## For audit 1.6.5 and higher
  11. ##
  12.  
  13. ## Remove any existing rules
  14. -D
  15.  
  16. ## Increase buffer size to handle the increased number of messages.
  17. ## Feel free to increase this if the machine panic's
  18. -b 8192
  19.  
  20. ## Set failure mode to panic
  21. -f 2
  22.  
  23. ##
  24. ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
  25. ## successful and unsuccessful attempts to read information from the
  26. ## audit records; all modifications to the audit trail
  27. ##
  28. -w /var/log/audit/ -k LOG_audit
  29.  
  30. ##
  31. ## FAU_SEL.1, FMT_MTD.1
  32. ## modifications to audit configuration that occur while the audit
  33. ## collection functions are operating; all modications to the set of
  34. ## audited events
  35. ##
  36. -w /etc/audit/ -p wa -k CFG_audit
  37. -w /etc/sysconfig/auditd  -p wa -k CFG_audit
  38. -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
  39. -w /etc/audisp/ -p wa -k CFG_audisp
  40.  
  41. ##
  42. ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
  43. ## all requests to perform an operation on an object covered by the
  44. ## SFP; all modifications of the values of security attributes;
  45. ## modifications to TSF data; attempts to revoke security attributes
  46. ##
  47.  
  48. ## Objects covered by the Security Functional Policy (SFP) are:
  49. ## -File system objects (files, directories, special files, extended attributes)
  50. ## -IPC objects (SYSV shared memory, message queues, and semaphores)
  51.  
  52. ## Operations on file system objects - by default, only monitor
  53. ## files and directories covered by filesystem watches.
  54.  
  55. ## Changes in ownership and permissions
  56. #-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat
  57. #-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat
  58. #-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown
  59. #-a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown
  60. ## Enable *32 rules if you are running on i386 or s390
  61. ## Do not use for x86_64, ia64, ppc, ppc64, or s390x
  62. #-a exit,always -F arch=b32 -S fchown32 -S chown32 -S lchown32
  63.  
  64. ## File content modification. Permissions are checked at open time,
  65. ## monitoring individual read/write calls is not useful.
  66. #-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
  67. #-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
  68. ## Enable *64 rules if you are running on i386, ppc, ppc64, s390
  69. ## Do not use for x86_64, ia64, or s390x
  70. #-a exit,always -F arch=b32 -S truncate64 -S ftruncate64
  71.  
  72. ## directory operations
  73. #-a exit,always -F arch=b32 -S mkdir -S mkdirat -S rmdir
  74. #-a exit,always -F arch=b64 -S mkdir -S mkdirat -S rmdir
  75.  
  76. ## moving, removing, and linking
  77. #-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat
  78. #-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
  79. #-a exit,always -F arch=b32 -S link -S linkat -S symlink -S symlinkat
  80. #-a exit,always -F arch=b64 -S link -S linkat -S symlink -S symlinkat
  81.  
  82. ## Extended attribute operations
  83. ## Enable if you are interested in these events
  84. #-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
  85. #-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
  86.  
  87. ## special files
  88. -a exit,always -F arch=b32 -S mknod -S mknodat
  89. -a exit,always -F arch=b64 -S mknod -S mknodat
  90.  
  91. ## Other file system operations
  92. ## Enable if i386
  93. -a exit,always -F arch=b32 -S mount -S umount -S umount2
  94. ## Enable if ppc, s390, or s390x
  95. #-a exit,always -F arch=b32 -S mount -S umount -S umount2
  96. #-a exit,always -F arch=b64 -S mount -S umount -S umount2
  97. ## Enable if ia64
  98. #-a exit,always -F arch=b64 -S mount -S umount
  99. ## Enable if x86_64
  100. #-a exit,always -F arch=b64 -S mount -S umount2
  101. #-a exit,always -F arch=b32 -S mount -S umount -S umount2
  102.  
  103. ## IPC SYSV message queues
  104. ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
  105. ## msgctl
  106. #-a exit,always -S ipc -F a0=14
  107. ## msgget
  108. #-a exit,always -S ipc -F a0=13
  109. ## Enable if you are interested in these events (x86_64,ia64)
  110. #-a exit,always -S msgctl
  111. #-a exit,always -S msgget
  112.  
  113. ## IPC SYSV semaphores
  114. ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
  115. ## semctl
  116. #-a exit,always -S ipc -F a0=3
  117. ## semget
  118. #-a exit,always -S ipc -F a0=2
  119. ## semop
  120. #-a exit,always -S ipc -F a0=1
  121. ## semtimedop
  122. #-a exit,always -S ipc -F a0=4
  123. ## Enable if you are interested in these events (x86_64, ia64)
  124. #-a exit,always -S semctl
  125. #-a exit,always -S semget
  126. #-a exit,always -S semop
  127. #-a exit,always -S semtimedop
  128.  
  129. ## IPC SYSV shared memory
  130. ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
  131. ## shmctl
  132. #-a exit,always -S ipc -F a0=24
  133. ## shmget
  134. #-a exit,always -S ipc -F a0=23
  135. ## Enable if you are interested in these events (x86_64, ia64)
  136. #-a exit,always -S shmctl
  137. #-a exit,always -S shmget
  138.  
  139. ##
  140. ## FIA_USB.1
  141. ## success and failure of binding user security attributes to a subject
  142. ##
  143. ## Enable if you are interested in these events
  144. ##
  145. #-a exit,always -F arch=b32 -S clone
  146. #-a exit,always -F arch=b64 -S clone
  147. #-a exit,always -F arch=b32 -S fork -S vfork
  148. #-a exit,always -F arch=b64 -S fork -S vfork
  149. ## For ia64 architecture, disable fork and vfork rules above, and
  150. ## enable the following:
  151. #-a exit,always -S clone2
  152.  
  153. ##
  154. ## FMT_MSA.3
  155. ## modifications of the default setting of permissive or restrictive
  156. ## rules, all modifications of the initial value of security attributes
  157. ##
  158. ## Enable if you are interested in these events
  159. ##
  160. #-a exit,always -F arch=b32 -S umask
  161. #-a exit,always -F arch=b64 -S umask
  162.  
  163. ##
  164. ## FPT_STM.1
  165. ## changes to the time
  166. ##
  167. -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime
  168. -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
  169.  
  170. ##
  171. ## FTP_ITC.1
  172. ## set-up of trusted channel
  173. ##
  174. -w /usr/sbin/stunnel -p x
  175.  
  176. ##
  177. ## Security Databases
  178. ##
  179.  
  180. ## cron configuration & scheduled jobs
  181. -w /etc/cron.allow -p wa -k CFG_cron.allow
  182. -w /etc/cron.deny -p wa -k CFG_cron.deny
  183. -w /etc/cron.d/ -p wa -k CFG_cron.d
  184. -w /etc/cron.daily/ -p wa -k CFG_cron.daily
  185. -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
  186. -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
  187. -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
  188. -w /etc/crontab -p wa -k CFG_crontab
  189. -w /var/spool/cron/root -k CFG_crontab_root
  190.  
  191. ## user, group, password databases
  192. -w /etc/group -p wa -k CFG_group
  193. -w /etc/passwd -p wa -k CFG_passwd
  194. -w /etc/gshadow -k CFG_gshadow
  195. -w /etc/shadow -k CFG_shadow
  196. -w /etc/security/opasswd -k CFG_opasswd
  197.  
  198. ## login configuration and information
  199. -w /etc/login.defs -p wa -k CFG_login.defs
  200. -w /etc/securetty -p wa -k CFG_securetty
  201. -w /var/log/faillog -p wa -k LOG_faillog
  202. -w /var/log/lastlog -p wa -k LOG_lastlog
  203. -w /var/log/tallylog -p wa -k LOG_tallylog
  204.  
  205. ## network configuration
  206. -w /etc/hosts -p wa -k CFG_hosts
  207. -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
  208.  
  209. ## system startup scripts
  210. -w /etc/inittab -p wa -k CFG_inittab
  211. -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
  212.  
  213. ## library search paths
  214. -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
  215.  
  216. ## local time zone
  217. -w /etc/localtime -p wa -k CFG_localtime
  218.  
  219. ## kernel parameters
  220. -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
  221.  
  222. ## modprobe configuration
  223. -w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
  224.  
  225. ## pam configuration
  226. -w /etc/pam.d/ -p wa -k CFG_pam
  227. -w /etc/security/limits.conf -p wa  -k CFG_pam
  228. -w /etc/security/pam_env.conf -p wa -k CFG_pam
  229. -w /etc/security/namespace.conf -p wa -k CFG_pam
  230. -w /etc/security/namespace.init -p wa -k CFG_pam
  231.  
  232. ## postfix configuration
  233. -w /etc/aliases -p wa -k CFG_aliases
  234. -w /etc/postfix/ -p wa -k CFG_postfix
  235.  
  236. ## ssh configuration
  237. -w /etc/ssh/sshd_config -k CFG_sshd_config
  238.  
  239. ## stunnel configuration
  240. -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
  241. -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
  242.  
  243. ## vsftpd configuration
  244. -w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
  245. -w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf
  246.  
  247. ## Not specifically required by CAPP; but common sense items
  248. -a exit,always -F arch=b32 -S sethostname
  249. -a exit,always -F arch=b64 -S sethostname
  250. -w /etc/issue -p wa -k CFG_issue
  251. -w /etc/issue.net -p wa -k CFG_issue.net
  252.  
  253. ## Optional - could indicate someone trying to do something bad or
  254. ## just debugging
  255. #-a exit,always -F arch=b32 -S ptrace -k paranoid
  256. #-a exit,always -F arch=b64 -S ptrace -k paranoid
  257.  
  258. ## Optional - could be an attempt to bypass audit or simply legacy program
  259. #-a exit,always -F arch=b32 -S personality -k paranoid
  260. #-a exit,always -F arch=b64 -S personality -k paranoid
  261.  
  262. ## Put your own watches after this point
  263. # -w /your-file -p rwxa -k mykey
  264.  
## Make the configuration immutable. With -e 2 no rule can be added, removed
## or changed -- not even by root, not even with auditctl -D -- until the next
## reboot; that is the point: a compromised root account cannot quietly switch
## auditing off. It must be the last line loaded, and should only be enabled
## once the rules above load without error, because fixing a typo afterwards
## costs a reboot.
  266. #-e 2