|
|
859841 |
diff -ur audit-2.4.orig/contrib/stig.rules audit-2.4/contrib/stig.rules
|
|
|
859841 |
--- audit-2.4.orig/contrib/stig.rules 2014-08-24 12:39:26.000000000 -0400
|
|
|
859841 |
+++ audit-2.4/contrib/stig.rules 2014-09-18 08:36:39.301843819 -0400
|
|
|
859841 |
@@ -16,7 +16,7 @@
|
|
|
859841 |
## NOTE:
|
|
|
859841 |
## 1) if this is being used on a 32 bit machine, comment out the b64 lines
|
|
|
859841 |
## 2) These rules assume that login under the root account is not allowed.
|
|
|
859841 |
-## 3) It is also assumed that 500 represents the first usable user account. To
|
|
|
859841 |
+## 3) It is also assumed that 1000 represents the first usable user account. To
|
|
|
859841 |
## be sure, look at UID_MIN in /etc/login.defs.
|
|
|
859841 |
## 4) If these rules generate too much spurious data for your tastes, limit the
|
|
|
859841 |
## the syscall file rules with a directory, like -F dir=/etc
|
|
|
859841 |
@@ -102,22 +102,22 @@
|
|
|
859841 |
|
|
|
859841 |
##- Discretionary access control permission modification (unsuccessful
|
|
|
859841 |
## and successful use of chown/chmod)
|
|
|
859841 |
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
|
|
859841 |
|
|
|
859841 |
##- Unauthorized access attempts to files (unsuccessful)
|
|
|
859841 |
--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
|
|
|
859841 |
--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
|
|
|
859841 |
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
|
|
|
859841 |
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
|
|
|
859841 |
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
|
|
859841 |
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
|
|
859841 |
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
|
|
859841 |
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
|
|
859841 |
|
|
|
859841 |
##- Use of privileged commands (unsuccessful and successful)
|
|
|
859841 |
## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
|
|
|
859841 |
--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
|
|
|
859841 |
+-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
|
|
|
859841 |
|
|
|
859841 |
##- Use of print command (unsuccessful and successful)
|
|
|
859841 |
|
|
|
859841 |
@@ -125,14 +125,14 @@
|
|
|
859841 |
## You have to mount media before using it. You must disable all automounting
|
|
|
859841 |
## so that its done manually in order to get the correct user requesting the
|
|
|
859841 |
## export
|
|
|
859841 |
--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
|
|
|
859841 |
--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
|
|
|
859841 |
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export
|
|
|
859841 |
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export
|
|
|
859841 |
|
|
|
859841 |
##- System startup and shutdown (unsuccessful and successful)
|
|
|
859841 |
|
|
|
859841 |
##- Files and programs deleted by the user (successful and unsuccessful)
|
|
|
859841 |
--a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
|
|
|
859841 |
--a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
|
|
|
859841 |
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
|
|
|
859841 |
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
|
|
|
859841 |
|
|
|
859841 |
##- All system administration actions
|
|
|
859841 |
##- All security personnel actions
|
|
|
859841 |
@@ -170,7 +170,7 @@
|
|
|
859841 |
#-a always,exit -F arch=b64 -S delete_module -k module-unload
|
|
|
859841 |
|
|
|
859841 |
## Optional - admin may be abusing power by looking in user's home dir
|
|
|
859841 |
-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
|
|
|
859841 |
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
|
|
|
859841 |
|
|
|
859841 |
## Optional - log container creation
|
|
|
859841 |
#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create
|
|
|
859841 |
diff -ur audit-2.4.orig/docs/audit.rules.7 audit-2.4/docs/audit.rules.7
|
|
|
859841 |
--- audit-2.4.orig/docs/audit.rules.7 2014-08-24 12:39:22.000000000 -0400
|
|
|
859841 |
+++ audit-2.4/docs/audit.rules.7 2014-09-18 08:36:39.301843819 -0400
|
|
|
859841 |
@@ -76,10 +76,10 @@
|
|
|
859841 |
.B \-F
|
|
|
859841 |
options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.
|
|
|
859841 |
|
|
|
859841 |
-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:
|
|
|
859841 |
+The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule:
|
|
|
859841 |
|
|
|
859841 |
.nf
|
|
|
859841 |
-\-F auid>=500 \-F auid!=4294967295
|
|
|
859841 |
+\-F auid>=1000 \-F auid!=4294967295
|
|
|
859841 |
.fi
|
|
|
859841 |
|
|
|
859841 |
These individual checks are "anded" and both have to be true.
|