Red Hat Bugzilla – Attachment 153459 Details for
Bug 234923
LSPP: update lspp.rules file for evaluation
Description: patch updating audit rules
Filename: audit-1.3.1-rules-update.patch
MIME Type: text/plain
Creator: Steve Grubb
Created: 2007-04-25 21:21:22 UTC
Size: 13.44 KB
Flags: patch, obsolete
>diff -urp audit-1.3.1.orig/contrib/capp.rules audit-1.3.1/contrib/capp.rules >--- audit-1.3.1.orig/contrib/capp.rules 2007-04-25 11:09:49.000000000 -0400 >+++ audit-1.3.1/contrib/capp.rules 2007-04-25 16:41:29.000000000 -0400 >@@ -29,11 +29,11 @@ > ## audit records; all modifications to the audit trail > ## > -w /var/log/audit/ -k LOG_audit >--w /var/log/audit/audit_log -k LOG_audit_log >-#-w /var/log/audit/audit_log.1 -k LOG_audit_log >-#-w /var/log/audit/audit_log.2 -k LOG_audit_log >-#-w /var/log/audit/audit_log.3 -k LOG_audit_log >-#-w /var/log/audit/audit_log.4 -k LOG_audit_log >+-w /var/log/audit/audit.log -k LOG_audit.log >+#-w /var/log/audit/audit.log.1 -k LOG_audit.log >+#-w /var/log/audit/audit.log.2 -k LOG_audit.log >+#-w /var/log/audit/audit.log.3 -k LOG_audit.log >+#-w /var/log/audit/audit.log.4 -k LOG_audit.log > > ## > ## FAU_SEL.1, FMT_MTD.1 >@@ -42,6 +42,7 @@ > ## audited events > ## > -w /etc/audit/auditd.conf -p wa -k CFG_auditd.conf >+-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf > -w /etc/audit/audit.rules -p wa -k CFG_audit.rules > -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf 
> >@@ -53,43 +54,49 @@ > ## > > ## Objects covered by the Security Functional Policy (SFP) are: >-## - File system objects (files, directories, special files, extended attributes) >-## - IPC objects (SYSV shared memory, message queues, and semaphores) >+## -File system objects (files, directories, special files, extended attributes) >+## -IPC objects (SYSV shared memory, message queues, and semaphores) > > ## Operations on file system objects - by default, only monitor > ## files and directories covered by filesystem watches. > > ## Changes in ownership and permissions >-#-a entry,always -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32 >-## For x86_64,ia64 architectures, disable any *32 rules above >+#-a entry,always -S chmod -S fchmod -S fchmodat >+#-a entry,always -S chown -S fchown -S fchownat -S lchown >+## Enable *32 rules if you are running on i386 or s390 >+## Do not use for x86_64, ia64, ppc, ppc64, or s390x >+#-a entry,always -S fchown32 > > ## File content modification. Permissions are checked at open time, > ## monitoring individual read/write calls is not useful. 
>-#-a entry,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64 >-## For x86_64,ia64 architectures, disable any *64 rules above >+#-a entry,always -S creat -S open -S openat -S truncate -S ftruncate >+## Enable *64 rules if you are running on i386, ppc, ppc64, s390 >+## Do not use for x86_64, ia64, or s390x >+#-a entry,always -S truncate64 >+#-a entry,always -S ftruncate64 > > ## directory operations >-#-a entry,always -S mkdir -S rmdir >+#-a entry,always -S mkdir -S mkdirat -S rmdir > > ## moving, removing, and linking >-#-a entry,always -S unlink -S rename -S link -S symlink >+#-a entry,always -S unlink -S unlinkat -S rename -S renameat >+#-a entry,always -S link -S linkat -S symlink -S symlinkat > > ## Extended attribute operations > ## Enable if you are interested in these events - combine where possible >-#-a entry,always -S setxattr >-#-a entry,always -S lsetxattr >-#-a entry,always -S fsetxattr >-#-a entry,always -S removexattr >-#-a entry,always -S lremovexattr >-#-a entry,always -S fremovexattr >+#-a entry,always -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr > > ## special files >--a entry,always -S mknod >+-a entry,always -S mknod -S mknodat > > ## Other file system operations > -a entry,always -S mount -S umount -S umount2 >-## For x86_64 architecture, disable umount rule >-## For ia64 architecture, disable umount2 rule >+## Enable umount rule if you are running on i386,ppc,ppc64,s390,s390x,ia64 >+## Do not use for x86_64 >+#-a entry,always -S umount >+## Enable umount rule if you are running on i386,ppc,ppc64,s390,s390x,ia64 >+## Do not use for ia64 >+#-a entry,always -S umount2 > > ## IPC SYSV message queues > ## Enable if you are interested in these events (x86) 
>@@ -165,11 +172,6 @@ > ## Security Databases > ## > >-## at configuration & scheduled jobs >--w /var/spool/at -k LOG_at >--w /etc/at.allow -k CFG_at.allow >--w /etc/at.deny -k CFG_at.deny >- > ## cron configuration & scheduled jobs > -w /etc/cron.allow -p wa -k CFG_cron.allow > -w /etc/cron.deny -p wa -k CFG_cron.deny >@@ -190,9 +192,10 @@ > > ## login configuration and information > -w /etc/login.defs -p wa -k CFG_login.defs >--w /etc/securetty -k CFG_securetty >--w /var/log/faillog -k LOG_faillog >--w /var/log/lastlog -k LOG_lastlog >+-w /etc/securetty -p wa -k CFG_securetty >+-w /var/log/faillog -p wa -k LOG_faillog >+-w /var/log/lastlog -p wa -k LOG_lastlog >+-w /var/log/tallylog -p wa -k LOG_tallylog > > ## network configuration > -w /etc/hosts -p wa -k CFG_hosts >@@ -217,6 +220,10 @@ > > ## pam configuration > -w /etc/pam.d/ >+-w /etc/security/limits.conf -p wa -k CFG_pam >+-w /etc/security/pam_env.conf -p wa -k CFG_pam >+-w /etc/security/namespace.conf -p wa -k CFG_pam >+-w /etc/security/namespace.init -p wa -k CFG_pam > > ## postfix configuration > -w /etc/aliases -p wa -k CFG_aliases >@@ -238,5 +245,12 @@ > -w /etc/issue -p wa -k CFG_issue > -w /etc/issue.net -p wa -k CFG_issue.net > >+## Optional - could indicate someone trying to do something bad or >+## just debugging >+#-a entry,always -S ptrace >+ >+## Optional - could be an attempt to bypass audit or simply legacy program >+#-a exit,always -S personality >+ > ## Put your own watches after this point > # -w /your-file -p rwxa -k mykey >diff -urp audit-1.3.1.orig/contrib/lspp.rules audit-1.3.1/contrib/lspp.rules >--- audit-1.3.1.orig/contrib/lspp.rules 2007-04-25 11:09:49.000000000 -0400 >+++ audit-1.3.1/contrib/lspp.rules 2007-04-25 17:02:15.000000000 -0400 
>@@ -21,11 +21,11 @@ > ## audit records; all modifications to the audit trail > ## > -w /var/log/audit/ -k LOG_audit >--w /var/log/audit/audit_log -k LOG_audit_log >-#-w /var/log/audit/audit_log.1 -k LOG_audit_log >-#-w /var/log/audit/audit_log.2 -k LOG_audit_log >-#-w /var/log/audit/audit_log.3 -k LOG_audit_log >-#-w /var/log/audit/audit_log.4 -k LOG_audit_log >+-w /var/log/audit/audit.log -k LOG_audit.log >+#-w /var/log/audit/audit.log.1 -k LOG_audit.log >+#-w /var/log/audit/audit.log.2 -k LOG_audit.log >+#-w /var/log/audit/audit.log.3 -k LOG_audit.log >+#-w /var/log/audit/audit.log.4 -k LOG_audit.log > > ## > ## FAU_SEL.1, FMT_MTD.1 >@@ -33,8 +33,9 @@ > ## collection functions are operating; all modications to the set of > ## audited events > ## >--w /etc/audit/auditd.conf -k CFG_auditd.conf >--w /etc/audit/audit.rules -k CFG_audit.rules >+-w /etc/audit/auditd.conf -p wa -k CFG_auditd.conf >+-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf >+-w /etc/audit/audit.rules -p wa -k CFG_audit.rules > -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf > > ## 
>@@ -46,14 +47,15 @@ > ## data, including any security attributes > > ## Objects covered by the Security Functional Policy (SFP) are: >-## - File system objects (files, directories, special files, extended attributes) >-## - IPC objects (SYSV shared memory, message queues, and semaphores) >+## -File system objects (files, directories, special files, extended attributes) >+## -IPC objects (SYSV shared memory, message queues, and semaphores) > > ## Operations on file system objects - by default, only monitor > ## files and directories covered by filesystem watches. > > ## Changes in ownership and permissions >-#-a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown >+#-a entry,always -S chmod -S fchmod -S fchmodat >+#-a entry,always -S chown -S fchown -S fchownat -S lchown > ## Enable *32 rules if you are running on i386 or s390 > ## Do not use for x86_64, ia64, ppc, ppc64, or s390x > #-a entry,always -S fchown32 
>@@ -62,24 +64,25 @@ > > ## File content modification. Permissions are checked at open time, > ## monitoring individual read/write calls is not useful. >-#-a entry,always -S creat -S open -S truncate -S ftruncate >+#-a entry,always -S creat -S open -S openat -S truncate -S ftruncate > ## Enable *64 rules if you are running on i386, ppc, ppc64, s390 > ## Do not use for x86_64, ia64, or s390x > #-a entry,always -S truncate64 > #-a entry,always -S ftruncate64 > > ## directory operations >-#-a entry,always -S mkdir -S rmdir >+#-a entry,always -S mkdir -S mkdirat -S rmdir > > ## moving, removing, and linking >-#-a entry,always -S unlink -S rename -S link -S symlink >+#-a entry,always -S unlink -S unlinkat -S rename -S renameat >+#-a entry,always -S link -S linkat -S symlink -S symlinkat > > ## Extended attribute operations > ## Enable if you are interested in these events > -a entry,always -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr > > ## special files >--a entry,always -S mknod >+-a entry,always -S mknod -S mknodat > > ## Other file system operations > -a entry,always -S mount 
>@@ -140,6 +143,62 @@ > #-a entry,always -S clone2 > > ## >+## FDP_ETC.2 >+## Export of Labeled User Data >+## >+## Printing >+-w /etc/cups/ -p wa -k CFG_cups >+#-w /etc/cups/cupsd.conf -p wa -k CFG_cupsd.conf >+#-w /etc/cups/client.conf -p wa -k CFG_client.conf >+-w /etc/init.d/cups -p wa -k CFG_initd_cups >+ >+## >+## FDP_ETC.2, FDP_ITC.2 >+## Export/Import of Labeled User Data >+## >+## Networking >+-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules >+-w /etc/racoon/racoon.conf -p wa -k CFG_racoon.conf >+-w /etc/racoon/psk.txt -p wa -k CFG_racoon_keys >+-w /etc/racoon/certs/ -p wa -k CFG_racoon_certs >+##-w /etc/racoon/certs/your-cert-name -p wa -k CFG_racoon_certs >+ >+## >+## FDP_IFC.1 >+## Mandatory Access Control Policy >+## >+-w /etc/selinux/config -p wa -k CFG_selinux_config >+-w /etc/selinux/mls -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/customizable_types -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/dbus_contexts -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/default_contexts -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/default_type -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/failsafe_context -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/files -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/files/media -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/initrc_context -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/removable_context -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/securetty_types -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/userhelper_context -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/users -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/contexts/users/root -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/modules -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/modules/active -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/modules/semanage.read.LOCK -p wa -k CFG_MAC_policy >+-w 
/etc/selinux/mls/modules/semanage.trans.LOCK -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/policy -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/setrans.conf -p wa -k CFG_MAC_policy >+-w /usr/share/selinux/mls -p wa -k CFG_MAC_policy >+-w /usr/share/selinux/mls/amtu.pp -p wa -k CFG_MAC_policy >+-w /usr/share/selinux/mls/base.pp -p wa -k CFG_MAC_policy >+-w /usr/share/selinux/mls/enableaudit.pp -p wa -k CFG_MAC_policy >+-w /usr/share/selinux/mls/java.pp -p wa -k CFG_MAC_policy >+-w /usr/share/selinux/mls/pcscd.pp -p wa -k CFG_MAC_policy >+-w /etc/selinux/mls/seusers -p wa -k CFG_MAC_policy >+-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy >+ >+## > ## FMT_MSA.3 > ## modifications of the default setting of permissive or restrictive > ## rules, all modifications of the initial value of security attributes >@@ -161,13 +220,20 @@ > -w /usr/sbin/stunnel -p x > > ## >-## Security Databases >+## FPT_TST.1 Self Test >+## aide is used to verify integrity of data and executables > ## >+-w /etc/aide.conf -p wa -k CFG_aide.conf >+-w /var/log/aide -p wa -k CFG_aide.log >+#-w /var/log/aide/aide.log -p wa -k CFG_aide.log >+#-w /var/log/aide/aide.log.1 -p wa -k CFG_aide.log >+## Next line needs to be updated with your path for the database >+#-w /var/lib/aide/aide.db.gz -k CFG_aide.db >+-w /etc/security/rbac-self-test.conf -p wa -k CFG_RBAC_self_test > >-## at configuration & scheduled jobs >--w /var/spool/at -k LOG_at >--w /etc/at.allow -k CFG_at.allow >--w /etc/at.deny -k CFG_at.deny >+## >+## Security Databases >+## > > ## cron configuration & scheduled jobs > -w /etc/cron.allow -p wa -k CFG_cron.allow 
>@@ -189,9 +255,10 @@ > > ## login configuration and information > -w /etc/login.defs -p wa -k CFG_login.defs >--w /etc/securetty -k CFG_securetty >--w /var/log/faillog -k LOG_faillog >--w /var/log/lastlog -k LOG_lastlog >+-w /etc/securetty -p wa -k CFG_securetty >+-w /var/log/faillog -p wa -k LOG_faillog >+-w /var/log/lastlog -p wa -k LOG_lastlog >+-w /var/log/tallylog -p wa -k LOG_tallylog > > ## network configuration > -w /etc/hosts -p wa -k CFG_hosts >@@ -216,9 +283,10 @@ > > ## pam configuration > -w /etc/pam.d/ >--w /etc/security/limits.conf >--w /etc/security/pam_env.conf >--w /etc/security/namespace.conf >+-w /etc/security/limits.conf -p wa -k CFG_pam >+-w /etc/security/pam_env.conf -p wa -k CFG_pam >+-w /etc/security/namespace.conf -p wa -k CFG_pam >+-w /etc/security/namespace.init -p wa -k CFG_pam > > ## postfix configuration > -w /etc/aliases -p wa -k CFG_aliases >@@ -240,12 +308,12 @@ > -w /etc/issue -p wa -k CFG_issue > -w /etc/issue.net -p wa -k CFG_issue.net > >-## >-## FDP_ETC.2 >-## Overriding of human-readable output marketing. >-## >--w /etc/cups/ -p wa -k CFG_cups >-#-w /etc/cups/cupsd.conf -p wa -k CFG_cupsd.conf >-#-w /etc/cups/client.conf -p wa -k CFG_client.conf >--w /etc/init.d/cups -p wa -k CFG_initd_cups >+## Optional - could indicate someone trying to do something bad or >+## just debugging >+#-a entry,always -S ptrace >+ >+## Optional - could be an attempt to bypass audit or simply legacy program >+#-a exit,always -S personality > >+## Put your own watches after this point >+# -w /your-file -p rwxa -k mykey
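Review bot: in the capp.rules hunk at @@ -42,6 +42,7 @@ (and again in the lspp.rules hunk at @@ -33,8 +33,9 @@) the new watch `-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf` reuses the key of the `/etc/audit/auditd.conf` watch, so `ausearch -k CFG_auditd.conf` cannot tell the two files apart without reading the path field of each record. Suggest a distinct key such as `CFG_sysconfig_auditd` (name is a suggestion), which keeps the one-key-per-file pattern the rest of the file follows. While touching the lspp.rules hunk, the context line `## collection functions are operating; all modications to the set of` has a typo (modifications).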
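Review bot: in the capp.rules hunk at @@ -53,43 +54,49 @@ the unchanged line `-a entry,always -S mount -S umount -S umount2` still lists both umount variants as an active rule, so the new commented-out `#-a entry,always -S umount` and `#-a entry,always -S umount2` lines with their per-architecture comments cannot take effect, and the load failure the removed comments warned about for x86_64 and ia64 is still there. Suggest reducing the active line to `-S mount`, as the lspp.rules side of this patch already has, and letting the commented rules carry the architecture-specific choice. Three smaller points in the same hunk: the comment above `umount2` reads `Enable umount rule if you are running on i386,ppc,ppc64,s390,s390x,ia64` and then `Do not use for ia64`, which contradicts itself and still says umount rather than umount2; the replaced ownership rule dropped `chown32` and `lchown32` while the new `*32` section keeps only `fchown32`, so i386 coverage of those two calls is lost unless that is intended; and the change from `## - File system objects` to `## -File system objects` (same in the lspp.rules hunk at @@ -46,14 +47,15 @@) only removes a space and makes the list harder to read, so keeping the original spacing is preferable.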
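Review bot: the capp.rules hunk at @@ -165,11 +172,6 @@ drops the three `at` watches `-w /var/spool/at -k LOG_at`, `-w /etc/at.allow -k CFG_at.allow` and `-w /etc/at.deny -k CFG_at.deny` with no replacement, while the cron watches directly below are kept. If at(1) is outside the evaluated configuration, a one-line comment saying so would stop the next reader from re-adding them; otherwise they should stay, since at jobs are the same class of scheduled-execution event that the cron watches cover.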
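Review bot: in the capp.rules hunk at @@ -217,6 +220,10 @@ the four new `/etc/security/*` watches carry `-p wa -k CFG_pam`, but the unchanged line above them, `-w /etc/pam.d/`, still has neither a permission filter nor a key, so the directory that actually holds the PAM stack configuration lands in the log with no key to search on. Suggest `-w /etc/pam.d/ -p wa -k CFG_pam` so the whole group is retrievable with one key; the same line is left unchanged in the lspp.rules hunk at @@ -216,9 +283,10 @@.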
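Review bot: in the capp.rules hunk at @@ -238,5 +245,12 @@ (duplicated in the lspp.rules hunk at @@ -240,12 +308,12 @@) the two optional rules are inconsistent with each other and with the rest of the file: `#-a entry,always -S ptrace` is on the entry list while `#-a exit,always -S personality` is on the exit list, and neither has a `-k` key although every other searchable rule in these files has one. Suggest putting both on the exit list, so the record carries the syscall's return value, and giving them keys such as `-k ptrace` and `-k personality` (names are suggestions). In the lspp.rules hunk the removed heading `## Overriding of human-readable output marketing.` was evidently meant to read `marking`; the section is relocated earlier in the patch under `## Printing`, which is fine, but the commit message should say it moved rather than leave a reader to conclude it was dropped.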
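Review bot: in the lspp.rules hunk at @@ -140,6 +143,62 @@ the watch `-w /etc/racoon/psk.txt -p wa -k CFG_racoon_keys` records only writes and attribute changes to the IPsec pre-shared key file; for key material a read by anything other than the daemon itself is at least as relevant, so consider `-p rwa` here (the `/etc/racoon/certs/` watch below it is the same case). Two further points: `semanage.read.LOCK` and `semanage.trans.LOCK` are lock files that libsemanage opens on every semanage invocation, so those watches are likely to fire on routine administration rather than on policy changes, and the comment should say so or the lines should go; and the five explicit `/usr/share/selinux/mls/*.pp` watches (`amtu`, `base`, `enableaudit`, `java`, `pcscd`) sit under a directory that already has `-w /usr/share/selinux/mls -p wa -k CFG_MAC_policy`, so a note on why those five are singled out would help the next maintainer.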
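Review bot: in the lspp.rules hunk at @@ -161,13 +220,20 @@ the new watch `-w /var/log/aide -p wa -k CFG_aide.log` (and the two commented `aide.log` lines under it) gives a log directory a `CFG_` key, whereas every other log watch in these files uses `LOG_` (`LOG_faillog`, `LOG_lastlog`, `LOG_tallylog`); suggest `LOG_aide` so key-based searches keep the config/log split. The commented `#-w /var/lib/aide/aide.db.gz -k CFG_aide.db` also lacks the `-p wa` its neighbours have, and the same hunk drops the three `at` watches (`/var/spool/at`, `/etc/at.allow`, `/etc/at.deny`) with no replacement; if that is intentional, a comment saying so would help.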