lspp.rules

a guest
Sep 14th, 2011
116
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 9.97 KB | None | 0 0
  1. ##
  2. ## This file contains a sample audit configuration.  Combined with the
  3. ## system events that are audited by default, this set of rules causes
  4. ## audit to generate records for the auditable events specified by the
  5. ## Labeled Security Protection Profile (LSPP).
  6. ##
  7. ## It should be noted that this set of rules identifies directories by
  8. ## leaving a / at the end of the path.
  9. ##
  10. ## For audit 1.6.5 and higher
  11. ##
  12.  
  13. ## Remove any existing rules
  14. -D
  15.  
  16. ## Increase buffer size to handle the increased number of messages.
  17. ## Feel free to increase this if the machine panic's
  18. -b 8192
  19.  
  20. ## Set failure mode to panic
  21. -f 2
  22.  
  23. ##
  24. ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
  25. ## successful and unsuccessful attempts to read information from the
  26. ## audit records; all modifications to the audit trail
  27. ##
  28. -w /var/log/audit/ -k LOG_audit
  29.  
  30. ##
  31. ## FAU_SEL.1, FMT_MTD.1
  32. ## modifications to audit configuration that occur while the audit
  33. ## collection functions are operating; all modications to the set of
  34. ## audited events
  35. ##
  36. -w /etc/audit/ -p wa -k CFG_audit
  37. -w /etc/sysconfig/auditd  -p wa -k CFG_auditd.conf
  38. -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
  39. -w /etc/audisp/ -p wa -k CFG_audisp
  40.  
  41. ##
  42. ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
  43. ## all requests to perform an operation on an object covered by the
  44. ## SFP; all modifications of the values of security attributes;
  45. ## modifications to TSF data; attempts to revoke security attributes;
  46. ## all attempts to export information; all attempts to import user
  47. ## data, including any security attributes
  48.  
  49. ## Objects covered by the Security Functional Policy (SFP) are:
  50. ## -File system objects (files, directories, special files, extended attributes)
  51. ## -IPC objects (SYSV shared memory, message queues, and semaphores)
  52.  
  53. ## Operations on file system objects - by default, only monitor
  54. ## files and directories covered by filesystem watches.
  55.  
  56. ## Changes in ownership and permissions
  57. #-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat
  58. #-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat
  59. #-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown
  60. #-a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown
  61. ## Enable *32 rules if you are running on i386 or s390
  62. ## Do not use for x86_64, ia64, ppc, ppc64, or s390x
  63. #-a exit,always -F arch=b32 -S fchown32 -S chown32 -S lchown32
  64.  
  65. ## File content modification. Permissions are checked at open time,
  66. ## monitoring individual read/write calls is not useful.
  67. #-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
  68. #-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
  69. ## Enable *64 rules if you are running on i386, ppc, ppc64, s390
  70. ## Do not use for x86_64, ia64, or s390x
  71. #-a exit,always -F arch=b32 -S truncate64 -S ftruncate64
  72.  
  73. ## directory operations
  74. #-a exit,always -F arch=b32 -S mkdir -S mkdirat -S rmdir
  75. #-a exit,always -F arch=b64 -S mkdir -S mkdirat -S rmdir
  76.  
  77. ## moving, removing, and linking
  78. #-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat
  79. #-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
  80. #-a exit,always -F arch=b32 -S link -S linkat -S symlink -S symlinkat
  81. #-a exit,always -F arch=b64 -S link -S linkat -S symlink -S symlinkat
  82.  
  83. ## Extended attribute operations
  84. ## Enable if you are interested in these events
  85. -a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
  86. -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
  87.  
  88. ## special files
  89. -a exit,always -F arch=b32 -S mknod -S mknodat
  90. -a exit,always -F arch=b64 -S mknod -S mknodat
  91.  
  92. ## Other file system operations
  93. ## Enable if i386
  94. -a exit,always -F arch=b32 -S mount -S umount -S umount2
  95. ## Enable if ppc, s390, or s390x
  96. #-a exit,always -F arch=b32 -S mount -S umount -S umount2
  97. #-a exit,always -F arch=b64 -S mount -S umount -S umount2
  98. ## Enable if ia64
  99. #-a exit,always -F arch=b64 -S mount -S umount
  100. ## Enable if x86_64
  101. #-a exit,always -F arch=b64 -S mount -S umount2
  102. #-a exit,always -F arch=b32 -S mount -S umount -S umount2
  103.  
  104. ## IPC SYSV message queues
  105. ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
  106. ## msgctl
  107. #-a exit,always -S ipc -F a0=14
  108. ## msgget
  109. #-a exit,always -S ipc -F a0=13
  110. ## Enable if you are interested in these events (x86_64,ia64)
  111. #-a exit,always -S msgctl
  112. #-a exit,always -S msgget
  113.  
  114. ## IPC SYSV semaphores
  115. ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
  116. ## semctl
  117. #-a exit,always -S ipc -F a0=3
  118. ## semget
  119. #-a exit,always -S ipc -F a0=2
  120. ## semop
  121. #-a exit,always -S ipc -F a0=1
  122. ## semtimedop
  123. #-a exit,always -S ipc -F a0=4
  124. ## Enable if you are interested in these events (x86_64, ia64)
  125. #-a exit,always -S semctl
  126. #-a exit,always -S semget
  127. #-a exit,always -S semop
  128. #-a exit,always -S semtimedop
  129.  
  130. ## IPC SYSV shared memory
  131. ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
  132. ## shmctl
  133. #-a exit,always -S ipc -F a0=24
  134. ## shmget
  135. #-a exit,always -S ipc -F a0=23
  136. ## Enable if you are interested in these events (x86_64, ia64)
  137. #-a exit,always -S shmctl
  138. #-a exit,always -S shmget
  139.  
  140. ##
  141. ## FIA_USB.1
  142. ## success and failure of binding user security attributes to a subject
  143. ##
  144. ## Enable if you are interested in these events
  145. ##
  146. #-a exit,always -F arch=b32 -S clone
  147. #-a exit,always -F arch=b64 -S clone
  148. #-a exit,always -F arch=b32 -S fork -S vfork
  149. #-a exit,always -F arch=b64 -S fork -S vfork
  150. ## For ia64 architecture, disable fork and vfork rules above, and
  151. ## enable the following:
  152. #-a exit,always -S clone2
  153.  
  154. ##
  155. ## FDP_ETC.2
  156. ## Export of Labeled User Data
  157. ##
  158. ## Printing
  159. -w /etc/cups/ -p wa -k CFG_cups
  160. -w /etc/init.d/cups -p wa -k CFG_initd_cups
  161.  
  162. ##
  163. ## FDP_ETC.2, FDP_ITC.2
  164. ## Export/Import of Labeled User Data
  165. ##
  166. ## Networking
  167. -w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
  168. -w /etc/racoon/racoon.conf -p wa -k CFG_racoon.conf
  169. -w /etc/racoon/psk.txt -p wa -k CFG_racoon_keys
  170. -w /etc/racoon/certs/ -p wa -k CFG_racoon_certs
  171.  
  172. ##
  173. ## FDP_IFC.1
  174. ## Mandatory Access Control Policy
  175. ##
  176. -w /etc/selinux/config -p wa -k CFG_selinux_config
  177. -w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
  178. -w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
  179. -w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
  180.  
  181. ##
  182. ## FMT_MSA.3
  183. ## modifications of the default setting of permissive or restrictive
  184. ## rules, all modifications of the initial value of security attributes
  185. ##
  186. ## Enable if you are interested in these events
  187. ##
  188. #-a exit,always -F arch=b32 -S umask
  189. #-a exit,always -F arch=b64 -S umask
  190.  
  191. ##
  192. ## FPT_STM.1
  193. ## changes to the time
  194. ##
  195. -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime
  196. -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
  197.  
  198. ##
  199. ## FTP_ITC.1
  200. ## set-up of trusted channel
  201. ##
  202. -w /usr/sbin/stunnel -p x
  203.  
  204. ##
  205. ## FPT_TST.1 Self Test
  206. ## aide is used to verify integrity of data and executables
  207. ##
  208. -w /etc/security/rbac-self-test.conf -p wa -k CFG_RBAC_self_test
  209. -w /etc/aide.conf -p wa -k CFG_aide.conf
  210. -w /var/lib/aide/aide.db.gz -k CFG_aide.db
  211. -w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
  212. -w /var/log/aide/ -p wa -k CFG_aide.log
  213.  
  214. ##
  215. ## Security Databases
  216. ##
  217.  
  218. ## cron configuration & scheduled jobs
  219. -w /etc/cron.allow -p wa -k CFG_cron.allow
  220. -w /etc/cron.deny -p wa -k CFG_cron.deny
  221. -w /etc/cron.d/ -p wa -k CFG_cron.d
  222. -w /etc/cron.daily/ -p wa -k CFG_cron.daily
  223. -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
  224. -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
  225. -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
  226. -w /etc/crontab -p wa -k CFG_crontab
  227. -w /var/spool/cron/root -k CFG_crontab_root
  228.  
  229. ## user, group, password databases
  230. -w /etc/group -p wa -k CFG_group
  231. -w /etc/passwd -p wa -k CFG_passwd
  232. -w /etc/gshadow -k CFG_gshadow
  233. -w /etc/shadow -k CFG_shadow
  234. -w /etc/security/opasswd -k CFG_opasswd
  235.  
  236. ## login configuration and information
  237. -w /etc/login.defs -p wa -k CFG_login.defs
  238. -w /etc/securetty -p wa -k CFG_securetty
  239. -w /var/log/faillog -p wa -k LOG_faillog
  240. -w /var/log/lastlog -p wa -k LOG_lastlog
  241. -w /var/log/tallylog -p wa -k LOG_tallylog
  242.  
  243. ## network configuration
  244. -w /etc/hosts -p wa -k CFG_hosts
  245. -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
  246.  
  247. ## system startup scripts
  248. -w /etc/inittab -p wa -k CFG_inittab
  249. -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
  250.  
  251. ## library search paths
  252. -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
  253.  
  254. ## local time zone
  255. -w /etc/localtime -p wa -k CFG_localtime
  256.  
  257. ## kernel parameters
  258. -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
  259.  
  260. ## modprobe configuration
  261. -w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
  262.  
  263. ## pam configuration
  264. -w /etc/pam.d/ -p wa -k CFG_pam
  265. -w /etc/security/limits.conf -p wa  -k CFG_pam
  266. -w /etc/security/pam_env.conf -p wa -k CFG_pam
  267. -w /etc/security/namespace.conf -p wa -k CFG_pam
  268. -w /etc/security/namespace.init -p wa -k CFG_pam
  269.  
  270. ## postfix configuration
  271. -w /etc/aliases -p wa -k CFG_aliases
  272. -w /etc/postfix/ -p wa -k CFG_postfix
  273.  
  274. ## ssh configuration
  275. -w /etc/ssh/sshd_config -k CFG_sshd_config
  276.  
  277. ## stunnel configuration
  278. -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
  279. -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
  280.  
  281. ## vsftpd configuration
  282. -w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
  283. -w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf
  284.  
  285. ## Not specifically required by LSPP; but common sense items
  286. -a exit,always -F arch=b32 -S sethostname
  287. -a exit,always -F arch=b64 -S sethostname
  288. -w /etc/issue -p wa -k CFG_issue
  289. -w /etc/issue.net -p wa -k CFG_issue.net
  290.  
  291. ## Optional - could indicate someone trying to do something bad or
  292. ## just debugging
  293. #-a exit,always -F arch=b32 -S ptrace -k paranoid
  294. #-a exit,always -F arch=b64 -S ptrace -k paranoid
  295.  
  296. ## Optional - could be an attempt to bypass audit or simply legacy program
  297. #-a exit,always -F arch=b32 -S personality -k paranoid
  298. #-a exit,always -F arch=b64 -S personality -k paranoid
  299.  
  300. ## Put your own watches after this point
  301. # -w /your-file -p rwxa -k mykey
  302.  
  303. ## Make the configuration immutable
  304. #-e 2