Red Hat Bugzilla – Attachment 299935 Details for Bug 440075: auditd memory leak (11GB in 5 minutes)
Description: /etc/audit/audit.rules
Filename: audit.rules
MIME Type: text/plain
Creator: Joe Nall
Created: 2008-04-01 18:03:52 UTC
Size: 8.82 KB
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# Feel free to add below this line. See auditctl man page

# JCDX Audit Rules Start
# JCDX Audit Rules Version:0.14

# These rules take a lot from the capp.rules from audit-1.0.14. This file
# isn't going to be used directly as there are some marks to customize it on
# architecture.
# ##x86_64## -- remove for 64 bit x86 machines
# ##x86## -- remove for 32 bit x86 machines
# ##JCDX_File_Watch_Adds##:/var/log/audit/:LOG_audit -- signify files that need to be added, in
# some cases files may be created after install. Eventually we may need to
# automatically add files to watches.

# logins are already logged by default as well as some logouts
# need to find exactly how to configure it and what logouts are audited

## Set failure mode to panic
-f 2

##
## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
##
-w /var/log/audit/ -k LOG_audit
##JCDX_File_Watch_Adds##:/var/log/audit/:LOG_audit_log
-w /var/log/audit/audit.log -k LOG_audit_log
#-w /var/log/audit/audit_log -k LOG_audit_log
#-w /var/log/audit/audit_log.1 -k LOG_audit_log
#-w /var/log/audit/audit_log.2 -k LOG_audit_log
#-w /var/log/audit/audit_log.3 -k LOG_audit_log
#-w /var/log/audit/audit_log.4 -k LOG_audit_log

##
## FAU_SEL.1, FMT_MTD.1
## modifications to audit configuration that occur while the audit
## collection functions are operating; all modifications to the set of
## audited events
##
-w /etc/auditd.conf -k CFG_auditd.conf
-w /etc/audit.rules -k CFG_audit.rules

## Changes in ownership and permissions
##DEPRECATED?##
##x86##-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32
## For x86_64,ia64 architectures, disable any *32 rules above
-a entry,possible -S chmod -S fchmod -S chown -S fchown -S lchown

## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
##DEPRECATED?##
##x86##-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
## For x86_64,ia64 architectures, disable any *64 rules above
-a entry,possible -S creat -S open -S truncate -S ftruncate

## directory operations
##DEPRECATED?##
-a entry,possible -S mkdir -S rmdir

## moving, removing, and linking
##DEPRECATED?##
-a entry,possible -S unlink -S rename -S link -S symlink

## Security context changes
## this should catch any context changes
-a entry,always -S setxattr
-a entry,always -S lsetxattr
-a entry,always -S fsetxattr
-a entry,always -S removexattr
-a entry,always -S lremovexattr
-a entry,always -S fremovexattr

## special files
-a entry,always -S mknod

## Other file system operations
##x86##-a entry,always -S mount -S umount -S umount2
## For x86_64 architecture, disable umount rule
## For ia64 architecture, disable umount rule
## ia64 support would require a new tag and corresponding changes
## to update_audit.rules.sh
-a entry,always -S mount -S umount2

## SYSV message queues
## Enable if you are interested in these events (x86)
## msgctl
#-a entry,always -S ipc -F a0=14
## msgget
#-a entry,always -S ipc -F a0=13
## Enable if you are interested in these events (x86_64,ia64)
#-a entry,always -S msgctl
#-a entry,always -S msgget

## SYSV semaphores
## Enable if you are interested in these events (x86)
## semctl
#-a entry,always -S ipc -F a0=3
## semget
#-a entry,always -S ipc -F a0=2
## semop
#-a entry,always -S ipc -F a0=1
## semtimedop
#-a entry,always -S ipc -F a0=4
## Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S semctl
#-a entry,always -S semget
#-a entry,always -S semop
#-a entry,always -S semtimedop

## SYSV shared memory
## Enable if you are interested in these events (x86)
## shmctl
#-a entry,always -S ipc -F a0=24
## shmget
#-a entry,always -S ipc -F a0=23
## Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S shmctl
#-a entry,always -S shmget

##
## FIA_USB.1
## success and failure of binding user security attributes to a subject
##
## Enable if you are interested in these events
##
#-a entry,always -S clone
#-a entry,always -S fork
#-a entry,always -S vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a entry,always -S clone2

##
## FMT_MSA.3
## modifications of the default setting of permissive or restrictive
## rules, all modifications of the initial value of security attributes
##
## Enable if you are interested in these events
##
#-a entry,always -S umask

##
## FPT_STM.1
## changes to the time
##
-a entry,always -S adjtimex -S settimeofday

##JCDX## Don't have stunnel
##
## FTP_ITC.1
## set-up of trusted channel
##
#-w /usr/sbin/stunnel -p x
#-a entry,possible -S execve

##
## Security Databases
##

## at configuration & scheduled jobs
-w /var/spool/at -k LOG_at
-w /etc/at.allow -k CFG_at.allow
-w /etc/at.deny -k CFG_at.deny

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
##JCDX_File_Watch_Adds##:/etc/cron.d/:CFG_cron.d:wa
-w /etc/cron.d/smolt -p wa -k CFG_cron.d
-w /etc/cron.d/sysstat -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
##JCDX_File_Watch_Adds##:/etc/cron.daily/:CFG_cron.daily:wa
-w /etc/cron.daily/000-delay.cron -p wa -k CFG_cron.daily
-w /etc/cron.daily/0anacron -p wa -k CFG_cron.daily
-w /etc/cron.daily/0logwatch -p wa -k CFG_cron.daily
-w /etc/cron.daily/cups -p wa -k CFG_cron.daily
-w /etc/cron.daily/logrotate -p wa -k CFG_cron.daily
-w /etc/cron.daily/makewhatis.cron -p wa -k CFG_cron.daily
-w /etc/cron.daily/mlocate.cron -p wa -k CFG_cron.daily
-w /etc/cron.daily/prelink -p wa -k CFG_cron.daily
-w /etc/cron.daily/rpm -p wa -k CFG_cron.daily
-w /etc/cron.daily/texlive.cron -p wa -k CFG_cron.daily
-w /etc/cron.daily/tmpwatch -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
##JCDX_File_Watch_Adds##:/etc/cron.hourly/:CFG_cron.hourly:wa
-w /etc/cron.hourly/mcelog.cron -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
##JCDX_File_Watch_Adds##:/etc/cron.monthly/:CFG_cron.monthly:wa
-w /etc/cron.monthly/000-delay.cron -p wa -k CFG_cron.monthly
-w /etc/cron.monthly/0anacron -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
##JCDX_File_Watch_Adds##:/etc/cron.weekly/:CFG_cron.weekly:wa
-w /etc/cron.weekly/000-delay.cron -p wa -k CFG_cron.weekly
-w /etc/cron.weekly/0anacron -p wa -k CFG_cron.weekly
-w /etc/cron.weekly/makewhatis.cron -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root

##JCDX## Audit access to files: /etc/passwd /etc/shadow, what other files?
##JCDX## Additional option is to use something like aide, or fcheck (or tripwire) as well as watches
##JCDX## watches require the right version of audit, audit-lib, and probably the kernel as well
##JCDX##
## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -k CFG_securetty
-w /var/log/faillog -k LOG_faillog
-w /var/log/lastlog -k LOG_lastlog

## network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/

## system startup scripts
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/
-w /etc/rc.d/init.d/auditd -p wa -k CFG_initd_auditd

## library search paths
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf

## local time zone
-w /etc/localtime -p wa -k CFG_localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf

## modprobe configuration
-w /etc/modprobe.conf -p wa -k CFG_modprobe.conf

## pam configuration
-w /etc/pam.d/

## postfix configuration
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix
##JCDX_File_Watch_Adds##:/etc/postfix/:CFG_postfix:wa
##JCDX## Do we even have postfix installed?

## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config

## stunnel configuration
-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem

## vsftpd configuration
-w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
## We do not install this, and if a file watch is in a directory that
## does not exist auditctl gives an error and stops loading the rules
#-w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf

## Not specifically required by CAPP; but common sense items
-a exit,always -S sethostname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net
# JCDX Audit Rules End
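The attached file is a template rather than a finished rule set: its header says the `##x86##` and `##x86_64##` markers are stripped per architecture, the `##JCDX_File_Watch_Adds##:<dir>:<key>[:<perms>]` markers stand for per-file watches that should be generated automatically, and the vsftpd comment notes that a watch under a directory that does not exist makes auditctl abort loading the whole file. The following is an added example (not part of the bug report, and not the JCDX `update_audit.rules.sh` the comments mention, which is not on this page) that renders such a template into a loadable audit.rules. The filesystem is passed in as two callables so the example runs offline against a constructed tree; `SAMPLE_TEMPLATE`, `FAKE_FS`, `fake_exists` and `fake_listdir` are constructed for the example, and on a real host you would pass `os.listdir` and `os.path.exists` instead.

```python
"""Render a JCDX-style audit.rules template into a loadable rule set.

Added example for this attachment; not the bug report's own tooling.
Conventions implemented, taken from the template's own comments:
  * ##x86## / ##x86_64##: marker removed for the target arch, other
    arches' lines are left as they are (still comments)
  * ##JCDX_File_Watch_Adds##:<dir>:<key>[:<perms>]: one -w rule per entry
  * a -w watch whose parent directory is missing is commented out, since
    auditctl would otherwise stop loading the rules at that line
"""
import os
import re
from typing import Callable, Iterable, List

ARCH_MARKERS = {"x86": "##x86##", "x86_64": "##x86_64##"}
WATCH_ADDS = "##JCDX_File_Watch_Adds##"
WATCH_RULE = re.compile(r"^-w\s+(\S+)")


def render_rules(template: Iterable[str], arch: str,
                 listdir: Callable[[str], List[str]],
                 exists: Callable[[str], bool]) -> List[str]:
    out: List[str] = []
    for raw in template:
        line = raw.rstrip("\n")

        # Architecture markers: only the target arch's marker is removed,
        # which turns that comment into an active rule.
        marker = ARCH_MARKERS.get(arch)
        if marker and line.startswith(marker):
            line = line[len(marker):]

        # Watch-adds markers expand into a -w rule for every directory entry.
        if line.startswith(WATCH_ADDS + ":"):
            fields = line[len(WATCH_ADDS) + 1:].split(":")
            directory, key = fields[0], fields[1]
            perms = fields[2] if len(fields) > 2 and fields[2] else None
            if not exists(directory):
                out.append(f"## skipped: {directory} does not exist")
                continue
            for name in sorted(listdir(directory)):
                rule = f"-w {os.path.join(directory, name)}"
                if perms:
                    rule += f" -p {perms}"
                out.append(f"{rule} -k {key}")
            continue

        # Plain watches: disable any whose parent directory is absent so the
        # remaining rules still load.
        m = WATCH_RULE.match(line)
        if m:
            parent = os.path.dirname(m.group(1).rstrip("/"))
            if not exists(parent):
                out.append(f"#{line}  ## disabled: {parent} does not exist")
                continue

        out.append(line)
    return out


# Constructed template excerpt in the attachment's own conventions.
SAMPLE_TEMPLATE = """\
-D
-b 8192
##x86##-a entry,possible -S chmod -S fchmod -S chown -S chown32
-a entry,possible -S chmod -S fchmod -S chown
-w /etc/cron.d/ -p wa -k CFG_cron.d
##JCDX_File_Watch_Adds##:/etc/cron.d/:CFG_cron.d:wa
-w /var/log/audit/ -k LOG_audit
##JCDX_File_Watch_Adds##:/var/log/audit/:LOG_audit_log
-w /etc/shadow -k CFG_shadow
-w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf
##JCDX_File_Watch_Adds##:/etc/postfix/:CFG_postfix:wa
""".splitlines()

# Constructed stand-in for the target host's filesystem (directory -> entries).
FAKE_FS = {
    "/": ["etc", "var"],
    "/etc": ["cron.d", "shadow"],
    "/etc/cron.d": ["sysstat", "smolt"],
    "/var": ["log"],
    "/var/log": ["audit"],
    "/var/log/audit": ["audit.log"],
}


def fake_exists(path: str) -> bool:
    p = path.rstrip("/") or "/"
    if p in FAKE_FS:
        return True
    parent, name = os.path.split(p)
    return name in FAKE_FS.get(parent, [])


def fake_listdir(path: str) -> List[str]:
    return list(FAKE_FS.get(path.rstrip("/") or "/", []))


if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_TEMPLATE, "x86_64",
                                 fake_listdir, fake_exists)))
```

Rendering the sample for x86_64 leaves the `##x86##` chown32 line as a comment, expands `/etc/cron.d/` into the same `-w /etc/cron.d/smolt -p wa -k CFG_cron.d` and `-w /etc/cron.d/sysstat ...` lines the attachment carries by hand, comments out the vsftpd watch because `/etc/vsftpd` is absent, and records that the postfix marker was skipped; rendering for x86 activates the chown32 line instead. Keeping the skipped items as comments in the output means a missing package shows up as a visible gap in coverage rather than as a silently shorter rule set.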
Attachments on bug 440075: 299935 | 299936