## ## This file contains a sample audit configuration. Combined with the ## system events that are audited by default, this set of rules causes ## audit to generate records for the auditable events specified by the ## Controlled Access Protection Profile (CAPP). ## ## It should be noted that this set of rules identifies directories by ## leaving a / at the end of the path. ## ## For audit 1.6.5 and higher ## ## Remove any existing rules -D ## Increase buffer size to handle the increased number of messages. ## Feel free to increase this if the machine panic's -b 8192 ## Set failure mode to panic -f 2 ## ## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 ## successful and unsuccessful attempts to read information from the ## audit records; all modifications to the audit trail ## -w /var/log/audit/ -k LOG_audit ## ## FAU_SEL.1, FMT_MTD.1 ## modifications to audit configuration that occur while the audit ## collection functions are operating; all modications to the set of ## audited events ## -w /etc/audit/ -p wa -k CFG_audit -w /etc/sysconfig/auditd -p wa -k CFG_audit -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf -w /etc/audisp/ -p wa -k CFG_audisp ## ## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 ## all requests to perform an operation on an object covered by the ## SFP; all modifications of the values of security attributes; ## modifications to TSF data; attempts to revoke security attributes ## ## Objects covered by the Security Functional Policy (SFP) are: ## -File system objects (files, directories, special files, extended attributes) ## -IPC objects (SYSV shared memory, message queues, and semaphores) ## Operations on file system objects - by default, only monitor ## files and directories covered by filesystem watches. ## Changes in ownership and permissions #-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat #-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat #-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown #-a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown ## Enable *32 rules if you are running on i386 or s390 ## Do not use for x86_64, ia64, ppc, ppc64, or s390x #-a exit,always -F arch=b32 -S fchown32 -S chown32 -S lchown32 ## File content modification. Permissions are checked at open time, ## monitoring individual read/write calls is not useful. #-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate #-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate ## Enable *64 rules if you are running on i386, ppc, ppc64, s390 ## Do not use for x86_64, ia64, or s390x #-a exit,always -F arch=b32 -S truncate64 -S ftruncate64 ## directory operations #-a exit,always -F arch=b32 -S mkdir -S mkdirat -S rmdir #-a exit,always -F arch=b64 -S mkdir -S mkdirat -S rmdir ## moving, removing, and linking #-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat #-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat #-a exit,always -F arch=b32 -S link -S linkat -S symlink -S symlinkat #-a exit,always -F arch=b64 -S link -S linkat -S symlink -S symlinkat ## Extended attribute operations ## Enable if you are interested in these events #-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr #-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr ## special files -a exit,always -F arch=b32 -S mknod -S mknodat -a exit,always -F arch=b64 -S mknod -S mknodat ## Other file system operations ## Enable if i386 -a exit,always -F arch=b32 -S mount -S umount -S umount2 ## Enable if ppc, s390, or s390x #-a exit,always -F arch=b32 -S mount -S umount -S umount2 #-a exit,always -F arch=b64 -S mount -S umount -S umount2 ## Enable if ia64 #-a exit,always -F arch=b64 -S mount -S umount ## Enable if x86_64 #-a exit,always -F arch=b64 -S mount -S umount2 #-a exit,always -F arch=b32 -S mount -S umount -S umount2 ## IPC SYSV message queues ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) ## msgctl #-a exit,always -S ipc -F a0=14 ## msgget #-a exit,always -S ipc -F a0=13 ## Enable if you are interested in these events (x86_64,ia64) #-a exit,always -S msgctl #-a exit,always -S msgget ## IPC SYSV semaphores ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) ## semctl #-a exit,always -S ipc -F a0=3 ## semget #-a exit,always -S ipc -F a0=2 ## semop #-a exit,always -S ipc -F a0=1 ## semtimedop #-a exit,always -S ipc -F a0=4 ## Enable if you are interested in these events (x86_64, ia64) #-a exit,always -S semctl #-a exit,always -S semget #-a exit,always -S semop #-a exit,always -S semtimedop ## IPC SYSV shared memory ## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x) ## shmctl #-a exit,always -S ipc -F a0=24 ## shmget #-a exit,always -S ipc -F a0=23 ## Enable if you are interested in these events (x86_64, ia64) #-a exit,always -S shmctl #-a exit,always -S shmget ## ## FIA_USB.1 ## success and failure of binding user security attributes to a subject ## ## Enable if you are interested in these events ## #-a exit,always -F arch=b32 -S clone #-a exit,always -F arch=b64 -S clone #-a exit,always -F arch=b32 -S fork -S vfork #-a exit,always -F arch=b64 -S fork -S vfork ## For ia64 architecture, disable fork and vfork rules above, and ## enable the following: #-a exit,always -S clone2 ## ## FMT_MSA.3 ## modifications of the default setting of permissive or restrictive ## rules, all modifications of the initial value of security attributes ## ## Enable if you are interested in these events ## #-a exit,always -F arch=b32 -S umask #-a exit,always -F arch=b64 -S umask ## ## FPT_STM.1 ## changes to the time ## -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime ## ## FTP_ITC.1 ## set-up of trusted channel ## -w /usr/sbin/stunnel -p x ## ## Security Databases ## ## cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k CFG_cron.allow -w /etc/cron.deny -p wa -k CFG_cron.deny -w /etc/cron.d/ -p wa -k CFG_cron.d -w /etc/cron.daily/ -p wa -k CFG_cron.daily -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly -w /etc/crontab -p wa -k CFG_crontab -w /var/spool/cron/root -k CFG_crontab_root ## user, group, password databases -w /etc/group -p wa -k CFG_group -w /etc/passwd -p wa -k CFG_passwd -w /etc/gshadow -k CFG_gshadow -w /etc/shadow -k CFG_shadow -w /etc/security/opasswd -k CFG_opasswd ## login configuration and information -w /etc/login.defs -p wa -k CFG_login.defs -w /etc/securetty -p wa -k CFG_securetty -w /var/log/faillog -p wa -k LOG_faillog -w /var/log/lastlog -p wa -k LOG_lastlog -w /var/log/tallylog -p wa -k LOG_tallylog ## network configuration -w /etc/hosts -p wa -k CFG_hosts -w /etc/sysconfig/network-scripts/ -p wa -k CFG_network ## system startup scripts -w /etc/inittab -p wa -k CFG_inittab -w /etc/rc.d/init.d/ -p wa -k CFG_initscripts ## library search paths -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf ## local time zone -w /etc/localtime -p wa -k CFG_localtime ## kernel parameters -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf ## modprobe configuration -w /etc/modprobe.conf -p wa -k CFG_modprobe.conf ## pam configuration -w /etc/pam.d/ -p wa -k CFG_pam -w /etc/security/limits.conf -p wa -k CFG_pam -w /etc/security/pam_env.conf -p wa -k CFG_pam -w /etc/security/namespace.conf -p wa -k CFG_pam -w /etc/security/namespace.init -p wa -k CFG_pam ## postfix configuration -w /etc/aliases -p wa -k CFG_aliases -w /etc/postfix/ -p wa -k CFG_postfix ## ssh configuration -w /etc/ssh/sshd_config -k CFG_sshd_config ## stunnel configuration -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem ## vsftpd configuration -w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers -w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf ## Not specifically required by CAPP; but common sense items -a exit,always -F arch=b32 -S sethostname -a exit,always -F arch=b64 -S sethostname -w /etc/issue -p wa -k CFG_issue -w /etc/issue.net -p wa -k CFG_issue.net ## Optional - could indicate someone trying to do something bad or ## just debugging #-a exit,always -F arch=b32 -S ptrace -k paranoid #-a exit,always -F arch=b64 -S ptrace -k paranoid ## Optional - could be an attempt to bypass audit or simply legacy program #-a exit,always -F arch=b32 -S personality -k paranoid #-a exit,always -F arch=b64 -S personality -k paranoid ## Put your own watches after this point # -w /your-file -p rwxa -k mykey ## Make the configuration immutable #-e 2