Navigation

← Previous Changeset
Next Changeset →

Changeset 185

Timestamp:

04/24/08 09:25:28 (7 months ago)

Author:

slawrence

Message:

Fix audit rules to be more efficient and to not watch the audit log dir. Sync RHEL5 ks with RHEL5.1

Files:

trunk/RHEL4/kickstart/clip.ks (modified) (7 diffs)
trunk/RHEL5.1/kickstart/clip.ks (modified) (8 diffs)
trunk/RHEL5/kickstart/clip.ks (modified) (18 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL4/kickstart/clip.ks

r179	r185
116	116	logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=1024 --grow
117	117	logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=256 --grow
118		logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024 ~~--grow~~
	118	logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024
119	119
120	120
…	…
657	657	## successful use of chown/chmod)
658	658	cat <<-EOF >> /etc/audit.rules
659		-a exit,always -S chmod
660		-a exit,always -S chown
661		-a exit,always -S chown32
662		-a exit,always -S fchmod
663		-a exit,always -S fchown
664		-a exit,always -S fchown32
665		-a exit,always -S lchown
666		-a exit,always -S lchown32
	659	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
667	660	EOF
668	661
…	…
670	663	## unauthorized access attempts to files (unsuccessful)
671	664	cat <<-EOF >> /etc/audit.rules
672		-a exit,always -S open -F success=0
673		-a exit,always -S mknod -F success=0
674		-a exit,always -S pipe -F success=0
675		-a exit,always -S mkdir -F success=0
676		-a exit,always -S creat -F success=0
677		-a exit,always -S truncate -F success=0
678		-a exit,always -S truncate64 -F success=0
679		-a exit,always -S ftruncate -F success=0
680		-a exit,always -S ftruncate64 -F success=0
	665	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
681	666	EOF
682	667
…	…
684	669	## use of privileged commands (unsuccessful and successful)
685	670	cat <<-EOF >> /etc/audit.rules
686		-a exit,always -S chroot
687		-a exit,always -S mount
688		-a exit,always -S umount
689		-a exit,always -S umount2
690		-a exit,always -S adjtimex
691		-a exit,always -S kill
	671	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
692	672	-w /usr/sbin/pwck
693	673	-w /bin/chgrp
…	…
707	687	## files and programs deleted by the user (successful and unsuccessful)
708	688	cat <<-EOF >> /etc/audit.rules
709		-a exit,always -S unlink
710		-a exit,always -S rmdir
	689	-a exit,always -S unlink -S rmdir
711	690	EOF
712	691
…	…
714	693	## all system administration actions
715	694	cat <<-EOF >> /etc/audit.rules
716		-w /var/log/audit/
	695	-w /var/log/audit/ -F success=0
717	696	-w /etc/auditd.conf
718	697	-w /etc/audit.rules
719		-a exit,always -S acct
720		-a exit,always -S reboot
721		-a exit,always -S sched_setparam
722		-a exit,always -S sched_setscheduler
723		-a exit,always -S setdomainname
724		-a exit,always -S setrlimit
725		-a exit,always -S settimeofday
726		-a exit,always -S stime
727		-a exit,always -S swapon
	698	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
728	699	EOF
729	700
…	…
731	702	## all security personnel actions
732	703	cat <<-EOF >> /etc/audit.rules
733		-a exit,always -S init_module
734		-a exit,always -S delete_module
	704	-a exit,always -S init_module -S delete_module
735	705	-w /bin/su
736	706	EOF

trunk/RHEL5.1/kickstart/clip.ks

r184	r185
12	12	# - 2008-02-13: Changed grub password to be standard. Deny
13	13	# all icmp requests.
14		~~# procedures. [Tresys]~~
15	14	#
16	15	#
…	…
661	660	## logon (unsuccessful and successful) and logout (successful)
662	661	cat <<-EOF >> /etc/audit/audit.rules
663		-~~a exit,always -~~w /bin/login -p x
664		-~~a exit,always -~~w /bin/logout -F success=0
	662	-w /bin/login -p x
	663	-w /bin/logout -F success=0
665	664	EOF
666	665
…	…
669	668	## successful use of chown/chmod)
670	669	cat <<-EOF >> /etc/audit/audit.rules
671		-a exit,always -S chmod
672		-a exit,always -S chown
673		-a exit,always -S chown32
674		-a exit,always -S fchmod
675		-a exit,always -S fchown
676		-a exit,always -S fchown32
677		-a exit,always -S lchown
678		-a exit,always -S lchown32
	670	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
679	671	EOF
680	672
…	…
682	674	## unauthorized access attempts to files (unsuccessful)
683	675	cat <<-EOF >> /etc/audit/audit.rules
684		-a exit,always -S open -F success=0
685		-a exit,always -S mknod -F success=0
686		-a exit,always -S pipe -F success=0
687		-a exit,always -S mkdir -F success=0
688		-a exit,always -S creat -F success=0
689		-a exit,always -S truncate -F success=0
690		-a exit,always -S truncate64 -F success=0
691		-a exit,always -S ftruncate -F success=0
692		-a exit,always -S ftruncate64 -F success=0
	676	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
693	677	EOF
694	678
…	…
696	680	## use of privileged commands (unsuccessful and successful)
697	681	cat <<-EOF >> /etc/audit/audit.rules
698		-a exit,always -S chroot
699		-a exit,always -S mount
700		-a exit,always -S umount
701		-a exit,always -S umount2
702		-a exit,always -S adjtimex
703		-a exit,always -S kill
704		-a exit,always -w /usr/sbin/pwck
705		-a exit,always -w /bin/chgrp
706		-a exit,always -w /usr/bin/newgrp
707		-a exit,always -w /usr/sbin/groupadd
708		-a exit,always -w /usr/sbin/groupmod
709		-a exit,always -w /usr/sbin/groupdel
710		-a exit,always -w /usr/sbin/useradd
711		-a exit,always -w /usr/sbin/userdel
712		-a exit,always -w /usr/sbin/usermod
713		-a exit,always -w /usr/bin/chage
714		-a exit,always -w /usr/bin/setfacl
715		-a exit,always -w /usr/bin/chacl
	682	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
	683	-w /usr/sbin/pwck
	684	-w /bin/chgrp
	685	-w /usr/bin/newgrp
	686	-w /usr/sbin/groupadd
	687	-w /usr/sbin/groupmod
	688	-w /usr/sbin/groupdel
	689	-w /usr/sbin/useradd
	690	-w /usr/sbin/userdel
	691	-w /usr/sbin/usermod
	692	-w /usr/bin/chage
	693	-w /usr/bin/setfacl
	694	-w /usr/bin/chacl
716	695	EOF
717	696
…	…
719	698	## files and programs deleted by the user (successful and unsuccessful)
720	699	cat <<-EOF >> /etc/audit/audit.rules
721		-a exit,always -S unlink
722		-a exit,always -S rmdir
	700	-a exit,always -S unlink -S rmdir
723	701	EOF
724	702
…	…
726	704	## all system administration actions
727	705	cat <<-EOF >> /etc/audit/audit.rules
728		-w /var/log/audit/
	706	-w /var/log/audit/ -F success=0
729	707	-w /etc/auditd.conf
730	708	-w /etc/audit
731		-a exit,always -S acct
732		-a exit,always -S reboot
733		-a exit,always -S sched_setparam
734		-a exit,always -S sched_setscheduler
735		-a exit,always -S setdomainname
736		-a exit,always -S setrlimit
737		-a exit,always -S settimeofday
738		-a exit,always -S stime
739		-a exit,always -S swapon
	709	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
740	710	EOF
741	711
…	…
743	713	## all security personnel actions
744	714	cat <<-EOF >> /etc/audit/audit.rules
745		-a exit,always -S init_module
746		-a exit,always -S delete_module
747		-a exit,always -w /bin/su
	715	-a exit,always -S init_module -S delete_module
	716	-w /bin/su
748	717	EOF
749	718

trunk/RHEL5/kickstart/clip.ks

r175	r185
113	113	logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=1024 --grow
114	114	logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=256 --grow
115		logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024 ~~--grow~~
	115	logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024
116	116
117	117
…	…
119	119	# Set a password to prevent any non-stadard boot options.
120	120	# The password should be changed after installation.
121		bootloader --location mbr --password ~~Dodiis_Redhat4321~~
	121	bootloader --location mbr --password 123)(*qweASD
122	122
123	123	# Set the root password.
…	…
158	158
159	159	#####################################
160		# Remove Packages per Red Hat's PL3 #
161		# Kickstart file #
	160	# Remove Packages for PL4 compliance#
162	161	#####################################
163	162	-xdelta
…	…
199	198	-gaim
200	199	-gnome-pilot
	200	-bluez-utils
	201	-bluez-utils-cups
	202	-bluez-hcidump
	203	-bluez-gnome
	204	-yum-updatesd
	205	-wpa_supplicant
	206	-ypbind
	207	-NetworkManager
	208	-NetworkManagerDispatcher
	209	-setools
	210	-telnet
	211	-wireless-tools
201	212	#@ office
202	213	#@ admin-tools
…	…
254	265	-rcs
255	266	-perl-XML-NamespaceSupport
256
	267	#get rid of rlogin
	268	-rsh
	269
	270	# needed to compile policy
	271	rpm-build
	272	gcc
	273	checkpolicy
257	274
258	275	%pre
…	…
331	348	## failed logon attempts for an account, the account is locked for 15 minutes or until
332	349	## the SA unlocks the account.
333		sed -i '/^auth.*pam_deny/ a\
334		auth\t required\t /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root' /etc/pam.d/system-auth
335		sed -i '/^account.*pam_unix/ a\
336		account\t required\t /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset' /etc/pam.d/system-auth
	350	cat <<-EOF > /etc/pam.d/system-auth
	351	#%PAM-1.0
	352	auth required pam_tally.so deny=3 onerr=fail unlock_time=900 quiet
	353
	354	auth required pam_env.so
	355	auth required pam_unix.so nullok try_first_pass audit
	356
	357	account required pam_unix.so
	358	account required pam_tally.so
	359	password required pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
	360	password required pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
	361
	362	session optional pam_keyinit.so revoke
	363	session required pam_limits.so
	364	session required pam_unix.so
	365	EOF
	366	chmod ugo-x /usr/sbin/authconfig
337	367
338	368	## (GEN000480: CAT II) (Previously â G015) The SA will ensure the logon delay between
…	…
368	398	## (GEN000600: CAT II) (Previously â G019) The IAO will ensure passwords include at
369	399	## least two alphabetic characters, one of which must be capitalized.
370		sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth
371		sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth
372		# Running the authconfig tool WILL clobber these changes!
373		# Taking the executable permissions off of /usr/sbin/authconfig
374		chmod ugo-x /usr/sbin/authconfig
	400	# See GEN000460
375	401
376	402	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
…	…
380	406	## (GEN000800: CAT II) (Previously â G606) The SA will ensure passwords will not be
381	407	## reused within the last ten changes.
382		sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth
	408	# See GEN000460
383	409
384	410	## (GEN000920: CAT II) (Previously â G023) The SA will ensure the root account
…	…
396	422	## user to root.
397	423	# Configure sshd and login to consult pam_access.so
398		sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
399		sed -i '/^account.*auth$/ a\account\t required\tpam_access.so' /etc/pam.d/login
400		# Configure pam_access to refuse direct logins for accounts not in users group
401		sed -i '/^# All other/d' /etc/security/access.conf
402		echo "# Restrict direct login to accounts in the users group" >> /etc/security/access.conf
	424	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
	425	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/login
403	426	echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf
404		~~# Add a User who is in the users group allowing access to the system~~
405	427	adduser -G users,wheel clipuser
406	428	echo "123)(*qweASD" \| passwd --stdin clipuser
407		~~# Cron was previously set to use /etc/security/access.conf, which did~~
408		~~# nothing by default. We don't want to block root from using cron.~~
409		~~# So, we create a blank config file and direct crond to use that instead.~~
410		~~touch /etc/security/access-cron.conf~~
411		~~chmod 644 /etc/security/access-cron.conf~~
412		~~sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond~~
413	429
414	430	## (GEN001080: CAT III) (Previously â G229) The SA will ensure the root shell
…	…
635	651	## logon (unsuccessful and successful) and logout (successful)
636	652	cat <<-EOF >> /etc/audit/audit.rules
637		-~~a exit,always -~~w /bin/login -p x
638		-~~a exit,always -~~w /bin/logout -F success=0
	653	-w /bin/login -p x
	654	-w /bin/logout -F success=0
639	655	EOF
640	656
…	…
643	659	## successful use of chown/chmod)
644	660	cat <<-EOF >> /etc/audit/audit.rules
645		-a exit,always -S chmod
646		-a exit,always -S chown
647		-a exit,always -S chown32
648		-a exit,always -S fchmod
649		-a exit,always -S fchown
650		-a exit,always -S fchown32
651		-a exit,always -S lchown
652		-a exit,always -S lchown32
	661	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
653	662	EOF
654	663
…	…
656	665	## unauthorized access attempts to files (unsuccessful)
657	666	cat <<-EOF >> /etc/audit/audit.rules
658		-a exit,always -S open -F success!=0
659		-a exit,always -S mknod -F success=0
660		-a exit,always -S pipe -F success=0
661		-a exit,always -S mkdir -F success=0
662		-a exit,always -S creat -F success=0
663		-a exit,always -S truncate -F success=0
664		-a exit,always -S truncate64 -F success=0
665		-a exit,always -S ftruncate -F success=0
666		-a exit,always -S ftruncate64 -F success=0
	667	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
667	668	EOF
668	669
…	…
670	671	## use of privileged commands (unsuccessful and successful)
671	672	cat <<-EOF >> /etc/audit/audit.rules
672		-a exit,always -S chroot
673		-a exit,always -S mount
674		-a exit,always -S umount
675		-a exit,always -S umount2
676		-a exit,always -S adjtimex
677		-a exit,always -S kill
678		-a exit,always -w /usr/sbin/pwck
679		-a exit,always -w /bin/chgrp
680		-a exit,always -w /usr/bin/newgrp
681		-a exit,always -w /usr/sbin/groupadd
682		-a exit,always -w /usr/sbin/groupmod
683		-a exit,always -w /usr/sbin/groupdel
684		-a exit,always -w /usr/sbin/useradd
685		-a exit,always -w /usr/sbin/userdel
686		-a exit,always -w /usr/sbin/usermod
687		-a exit,always -w /usr/bin/chage
688		-a exit,always -w /usr/bin/setfacl
689		-a exit,always -w /usr/bin/chacl
	673	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
	674	-w /usr/sbin/pwck
	675	-w /bin/chgrp
	676	-w /usr/bin/newgrp
	677	-w /usr/sbin/groupadd
	678	-w /usr/sbin/groupmod
	679	-w /usr/sbin/groupdel
	680	-w /usr/sbin/useradd
	681	-w /usr/sbin/userdel
	682	-w /usr/sbin/usermod
	683	-w /usr/bin/chage
	684	-w /usr/bin/setfacl
	685	-w /usr/bin/chacl
690	686	EOF
691	687
…	…
693	689	## files and programs deleted by the user (successful and unsuccessful)
694	690	cat <<-EOF >> /etc/audit/audit.rules
695		-a exit,always -S unlink
696		-a exit,always -S rmdir
	691	-a exit,always -S unlink -S rmdir
697	692	EOF
698	693
…	…
700	695	## all system administration actions
701	696	cat <<-EOF >> /etc/audit/audit.rules
702		-w /var/log/audit/
	697	-w /var/log/audit/ -F success=0
703	698	-w /etc/auditd.conf
704	699	-w /etc/audit
705		-a exit,always -S acct
706		-a exit,always -S reboot
707		-a exit,always -S sched_setparam
708		-a exit,always -S sched_setscheduler
709		-a exit,always -S setdomainname
710		-a exit,always -S setrlimit
711		-a exit,always -S settimeofday
712		-a exit,always -S stime
713		-a exit,always -S swapon
	700	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
714	701	EOF
715	702
…	…
717	704	## all security personnel actions
718	705	cat <<-EOF >> /etc/audit/audit.rules
719		-a exit,always -S init_module
720		-a exit,always -S delete_module
721		-a exit,always -w /bin/su
	706	-a exit,always -S init_module -S delete_module
	707	-w /bin/su
722	708	EOF
723	709
…	…
857	843	net.ipv4.tcp_max_syn_backlog = 1280
858	844	net.ipv4.icmp_echo_ignore_broadcasts = 1
	845	net.ipv4.icmp_echo_ignore_all = 1
859	846	EOF
860	847
…	…
875	862	/sbin/chkconfig sendmail off
876	863	/sbin/chkconfig xinetd off
	864	/sbin/chkconfig cups off
	865	/sbin/chkconfig rhnsd off
	866	/sbin/chkconfig autofs off
877	867
878	868	## (GEN003740: CAT II) (Previously â G108) The SA will ensure the inetd.conf

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.