Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##
- ## This file contains a sample audit configuration. Combined with the
- ## system events that are audited by default, this set of rules causes
- ## audit to generate records for the auditable events specified by the
- ## Labeled Security Protection Profile (LSPP).
- ##
- ## It should be noted that this set of rules identifies directories by
- ## leaving a / at the end of the path.
- ##
- ## For audit 1.6.5 and higher
- ##
- ## Remove any existing rules
- -D
- ## Increase buffer size to handle the increased number of messages.
- ## Feel free to increase this if the machine panic's
- -b 8192
- ## Set failure mode to panic
- -f 2
- ##
- ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
- ## successful and unsuccessful attempts to read information from the
- ## audit records; all modifications to the audit trail
- ##
- -w /var/log/audit/ -k LOG_audit
- ##
- ## FAU_SEL.1, FMT_MTD.1
- ## modifications to audit configuration that occur while the audit
- ## collection functions are operating; all modications to the set of
- ## audited events
- ##
- -w /etc/audit/ -p wa -k CFG_audit
- -w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
- -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
- -w /etc/audisp/ -p wa -k CFG_audisp
- ##
- ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1, FDP_ETC.1, FDP_ITC.2
- ## all requests to perform an operation on an object covered by the
- ## SFP; all modifications of the values of security attributes;
- ## modifications to TSF data; attempts to revoke security attributes;
- ## all attempts to export information; all attempts to import user
- ## data, including any security attributes
- ## Objects covered by the Security Functional Policy (SFP) are:
- ## -File system objects (files, directories, special files, extended attributes)
- ## -IPC objects (SYSV shared memory, message queues, and semaphores)
- ## Operations on file system objects - by default, only monitor
- ## files and directories covered by filesystem watches.
- ## Changes in ownership and permissions
- #-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat
- #-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat
- #-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown
- #-a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown
- ## Enable *32 rules if you are running on i386 or s390
- ## Do not use for x86_64, ia64, ppc, ppc64, or s390x
- #-a exit,always -F arch=b32 -S fchown32 -S chown32 -S lchown32
- ## File content modification. Permissions are checked at open time,
- ## monitoring individual read/write calls is not useful.
- #-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
- #-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
- ## Enable *64 rules if you are running on i386, ppc, ppc64, s390
- ## Do not use for x86_64, ia64, or s390x
- #-a exit,always -F arch=b32 -S truncate64 -S ftruncate64
- ## directory operations
- #-a exit,always -F arch=b32 -S mkdir -S mkdirat -S rmdir
- #-a exit,always -F arch=b64 -S mkdir -S mkdirat -S rmdir
- ## moving, removing, and linking
- #-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat
- #-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
- #-a exit,always -F arch=b32 -S link -S linkat -S symlink -S symlinkat
- #-a exit,always -F arch=b64 -S link -S linkat -S symlink -S symlinkat
- ## Extended attribute operations
- ## Enable if you are interested in these events
- -a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
- -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
- ## special files
- -a exit,always -F arch=b32 -S mknod -S mknodat
- -a exit,always -F arch=b64 -S mknod -S mknodat
- ## Other file system operations
- ## Enable if i386
- -a exit,always -F arch=b32 -S mount -S umount -S umount2
- ## Enable if ppc, s390, or s390x
- #-a exit,always -F arch=b32 -S mount -S umount -S umount2
- #-a exit,always -F arch=b64 -S mount -S umount -S umount2
- ## Enable if ia64
- #-a exit,always -F arch=b64 -S mount -S umount
- ## Enable if x86_64
- #-a exit,always -F arch=b64 -S mount -S umount2
- #-a exit,always -F arch=b32 -S mount -S umount -S umount2
- ## IPC SYSV message queues
- ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
- ## msgctl
- #-a exit,always -S ipc -F a0=14
- ## msgget
- #-a exit,always -S ipc -F a0=13
- ## Enable if you are interested in these events (x86_64,ia64)
- #-a exit,always -S msgctl
- #-a exit,always -S msgget
- ## IPC SYSV semaphores
- ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
- ## semctl
- #-a exit,always -S ipc -F a0=3
- ## semget
- #-a exit,always -S ipc -F a0=2
- ## semop
- #-a exit,always -S ipc -F a0=1
- ## semtimedop
- #-a exit,always -S ipc -F a0=4
- ## Enable if you are interested in these events (x86_64, ia64)
- #-a exit,always -S semctl
- #-a exit,always -S semget
- #-a exit,always -S semop
- #-a exit,always -S semtimedop
- ## IPC SYSV shared memory
- ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
- ## shmctl
- #-a exit,always -S ipc -F a0=24
- ## shmget
- #-a exit,always -S ipc -F a0=23
- ## Enable if you are interested in these events (x86_64, ia64)
- #-a exit,always -S shmctl
- #-a exit,always -S shmget
- ##
- ## FIA_USB.1
- ## success and failure of binding user security attributes to a subject
- ##
- ## Enable if you are interested in these events
- ##
- #-a exit,always -F arch=b32 -S clone
- #-a exit,always -F arch=b64 -S clone
- #-a exit,always -F arch=b32 -S fork -S vfork
- #-a exit,always -F arch=b64 -S fork -S vfork
- ## For ia64 architecture, disable fork and vfork rules above, and
- ## enable the following:
- #-a exit,always -S clone2
- ##
- ## FDP_ETC.2
- ## Export of Labeled User Data
- ##
- ## Printing
- -w /etc/cups/ -p wa -k CFG_cups
- -w /etc/init.d/cups -p wa -k CFG_initd_cups
- ##
- ## FDP_ETC.2, FDP_ITC.2
- ## Export/Import of Labeled User Data
- ##
- ## Networking
- -w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
- -w /etc/racoon/racoon.conf -p wa -k CFG_racoon.conf
- -w /etc/racoon/psk.txt -p wa -k CFG_racoon_keys
- -w /etc/racoon/certs/ -p wa -k CFG_racoon_certs
- ##
- ## FDP_IFC.1
- ## Mandatory Access Control Policy
- ##
- -w /etc/selinux/config -p wa -k CFG_selinux_config
- -w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
- -w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
- -w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
- ##
- ## FMT_MSA.3
- ## modifications of the default setting of permissive or restrictive
- ## rules, all modifications of the initial value of security attributes
- ##
- ## Enable if you are interested in these events
- ##
- #-a exit,always -F arch=b32 -S umask
- #-a exit,always -F arch=b64 -S umask
- ##
- ## FPT_STM.1
- ## changes to the time
- ##
- -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime
- -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
- ##
- ## FTP_ITC.1
- ## set-up of trusted channel
- ##
- -w /usr/sbin/stunnel -p x
- ##
- ## FPT_TST.1 Self Test
- ## aide is used to verify integrity of data and executables
- ##
- -w /etc/security/rbac-self-test.conf -p wa -k CFG_RBAC_self_test
- -w /etc/aide.conf -p wa -k CFG_aide.conf
- -w /var/lib/aide/aide.db.gz -k CFG_aide.db
- -w /var/lib/aide/aide.db.new.gz -k CFG_aide.db
- -w /var/log/aide/ -p wa -k CFG_aide.log
- ##
- ## Security Databases
- ##
- ## cron configuration & scheduled jobs
- -w /etc/cron.allow -p wa -k CFG_cron.allow
- -w /etc/cron.deny -p wa -k CFG_cron.deny
- -w /etc/cron.d/ -p wa -k CFG_cron.d
- -w /etc/cron.daily/ -p wa -k CFG_cron.daily
- -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
- -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
- -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
- -w /etc/crontab -p wa -k CFG_crontab
- -w /var/spool/cron/root -k CFG_crontab_root
- ## user, group, password databases
- -w /etc/group -p wa -k CFG_group
- -w /etc/passwd -p wa -k CFG_passwd
- -w /etc/gshadow -k CFG_gshadow
- -w /etc/shadow -k CFG_shadow
- -w /etc/security/opasswd -k CFG_opasswd
- ## login configuration and information
- -w /etc/login.defs -p wa -k CFG_login.defs
- -w /etc/securetty -p wa -k CFG_securetty
- -w /var/log/faillog -p wa -k LOG_faillog
- -w /var/log/lastlog -p wa -k LOG_lastlog
- -w /var/log/tallylog -p wa -k LOG_tallylog
- ## network configuration
- -w /etc/hosts -p wa -k CFG_hosts
- -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
- ## system startup scripts
- -w /etc/inittab -p wa -k CFG_inittab
- -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
- ## library search paths
- -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
- ## local time zone
- -w /etc/localtime -p wa -k CFG_localtime
- ## kernel parameters
- -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
- ## modprobe configuration
- -w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
- ## pam configuration
- -w /etc/pam.d/ -p wa -k CFG_pam
- -w /etc/security/limits.conf -p wa -k CFG_pam
- -w /etc/security/pam_env.conf -p wa -k CFG_pam
- -w /etc/security/namespace.conf -p wa -k CFG_pam
- -w /etc/security/namespace.init -p wa -k CFG_pam
- ## postfix configuration
- -w /etc/aliases -p wa -k CFG_aliases
- -w /etc/postfix/ -p wa -k CFG_postfix
- ## ssh configuration
- -w /etc/ssh/sshd_config -k CFG_sshd_config
- ## stunnel configuration
- -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
- -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
- ## vsftpd configuration
- -w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
- -w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf
- ## Not specifically required by LSPP; but common sense items
- -a exit,always -F arch=b32 -S sethostname
- -a exit,always -F arch=b64 -S sethostname
- -w /etc/issue -p wa -k CFG_issue
- -w /etc/issue.net -p wa -k CFG_issue.net
- ## Optional - could indicate someone trying to do something bad or
- ## just debugging
- #-a exit,always -F arch=b32 -S ptrace -k paranoid
- #-a exit,always -F arch=b64 -S ptrace -k paranoid
- ## Optional - could be an attempt to bypass audit or simply legacy program
- #-a exit,always -F arch=b32 -S personality -k paranoid
- #-a exit,always -F arch=b64 -S personality -k paranoid
- ## Put your own watches after this point
- # -w /your-file -p rwxa -k mykey
- ## Make the configuration immutable
- #-e 2
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement