Sophie

Sophie

distrib > Mageia > 3 > x86_64 > by-pkgid > 664ade76ebbff7b98d2a3f1f1441a6d7 > files > 27

audit-2.2.3-1.mga3.x86_64.rpm

##
## This file contains the a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##
## For audit 1.6.5 and higher
##

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192

## Set failure mode to panic
-f 2

## Audit 1, 1(a) Enough information to determine the date and time of
## action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.

## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0 -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -k time-change
#-a always,exit -F arch=b64 -S clock_adjtime -k time-change
-w /etc/localtime -p wa -k time-change

## Things that could affect system locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Might also want to watch these files if needing extra information
#-w /var/log/tallylog -p wa -k logins
#-w /var/run/faillock/ -p wa -k logins
#-w /var/log/lastlog -p wa -k logins
#-w /var/log/btmp -p wa -k logins
#-w /var/run/utmp -p wa -k logins

## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.

## unsuccessful creation
-a always,exit -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a always,exit -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a always,exit -F arch=b32 -S mkdir -S mkdirat -S link -S symlink -F exit=-EPERM -k creation
-a always,exit -F arch=b64 -S mkdir -S mkdirat -S link -S symlink -F exit=-EPERM -k creation

## unsuccessful open
-a always,exit -F arch=b32 -S open -S openat -S open_by_handle_at -F exit=-EACCES -k open
-a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -F exit=-EACCES -k open
-a always,exit -F arch=b32 -S open -S openat -S open_by_handle_at -F exit=-EPERM -k open
-a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -F exit=-EPERM -k open

## unsuccessful close
-a always,exit -F arch=b32 -S close -F exit=-EIO -k close
-a always,exit -F arch=b64 -S close -F exit=-EIO -k close

## unsuccessful modifications
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k mods
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k mods
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k mods
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k mods

## unsuccessful deletion
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -F exit=-EACCES -k delete 
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F exit=-EACCES -k delete 
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -F exit=-EPERM -k delete 
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F exit=-EPERM -k delete 

## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam, passwd, and shadow-utils
## Might also want to watch these files for changes
-w /etc/group -p wa -k auth
-w /etc/passwd -p wa -k auth
-w /etc/gshadow -p wa -k auth
-w /etc/shadow -p wa -k auth
-w /etc/security/opasswd -p wa -k auth

## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally2 or pam_faillock and pam_limits

## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally2 or pam_faillock

## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs

## Not specifically required by NISPOM; but common sense items
## Optional - could indicate someone trying to do something bad or
## just debugging
#-a always,exit -F arch=b32 -S ptrace -k paranoid
#-a always,exit -F arch=b64 -S ptrace -k paranoid

## Optional - could be an attempt to bypass audit or simply legacy program
#-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k paranoid
#-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k paranoid

## Optional - might want to watch module insertion
#-w /sbin/insmod -p x -k modules
#-w /sbin/rmmod -p x -k modules
#-w /sbin/modprobe -p x -k modules
#-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
#-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

## Put your own watches after this point
# -w /your-file -p rwxa -k mykey

## Make the configuration immutable
#-e 2

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional