Changeset 192

Timestamp:

04/29/08 10:35:18 (7 months ago)

Author:

slawrence

Message:

- Combined audit.conf and kickstart audit.rules
- Prevented RHEL4 from running stigs after rpm installation
- Fixed installation scripts to include cat4 stigs

Files:

• trunk/RHEL4/conf/audit/audit.rules (modified) (3 diffs)
• trunk/RHEL4/kickstart/clip.ks (modified) (9 diffs)
• trunk/RHEL4/scripts/Makefile (modified) (2 diffs)
• trunk/RHEL4/scripts/installer.in (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002720.sh (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh (modified) (2 diffs)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
• trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh (modified) (1 diff)
• trunk/RHEL5.1/conf/audit/audit.rules (modified) (3 diffs)
• trunk/RHEL5.1/kickstart/clip.ks (modified) (9 diffs)
• trunk/RHEL5.1/scripts/Makefile (modified) (1 diff)
• trunk/RHEL5.1/scripts/installer.in (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002720.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh (modified) (2 diffs)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002840.sh (modified) (1 diff)
• trunk/RHEL5/conf/audit/audit.rules (modified) (3 diffs)
• trunk/RHEL5/kickstart/clip.ks (modified) (9 diffs)
• trunk/RHEL5/scripts/Makefile (modified) (1 diff)
• trunk/RHEL5/scripts/installer.in (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002720.sh (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002780.sh (modified) (2 diffs)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
• trunk/RHEL5/scripts/stig-fix/cat2/gen002840.sh (modified) (1 diff)

trunk/RHEL4/conf/audit/audit.rules

@@ -1 @@
-# This is a sample rule set. The rules are executed from top
-# to bottom. A '#' denotes comments. The rules are basically
-# the auditctl commandline parameters.
-
-# Remove existing rules
--D
@@ -9 +5 @@
--e 1
-
-kernel buffer size
+buffer size to handle the increased number of messages.
--b 8192
-
@@ -15 +11 @@
--f 2
-
-
-
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
--w /etc/passwd -p wa
--w /etc/shadow -p wa
--w /etc/group  -p wa
-
-
+
--w /etc/pam.d
-
-
-
-
-
-
+
+
+
--w /var/run/utmp
--w /var/run/wtmp
+-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+

trunk/RHEL4/kickstart/clip.ks

@@ -632 +632 @@
-        # Remove any existing rules
-        -D
+
+        # Enable auditing
+        -e 1
+
-        # Increase buffer size to handle the increased number of messages.
-        -b 8192
+
+        # Failure of auditd causes a kernel panic
+        -f 2
+
-EOF
-
@@ -651 +659 @@
-        -w /bin/login -p x
-        -w /bin/logout -p x 
+
-EOF
-
@@ -657 +666 @@
-## successful use of chown/chmod)
-cat <<-EOF >> /etc/audit.rules
+        # DAC permission changes
-        -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
+
-EOF
-
@@ -663 +674 @@
-## unauthorized access attempts to files (unsuccessful)
-cat <<-EOF >> /etc/audit.rules
+        # unauthorized file access attempts
-        -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
+
-EOF
-
@@ -669 +682 @@
-## use of privileged commands (unsuccessful and successful)
-cat <<-EOF >> /etc/audit.rules
+        # privileged commands
-        -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-        -w /usr/sbin/pwck
@@ -682 +696 @@
-        -w /usr/bin/setfacl
-        -w /usr/bin/chacl
+
-EOF
-
@@ -687 +702 @@
-## files and programs deleted by the user (successful and unsuccessful)
-cat <<-EOF >> /etc/audit.rules
+        # deleting files
-        -a exit,always -S unlink -S rmdir
+
-EOF
-
@@ -693 +710 @@
-## all system administration actions
-cat <<-EOF >> /etc/audit.rules
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
+
-EOF
-
@@ -703 +737 @@
-## all security personnel actions
-cat <<-EOF >> /etc/audit.rules
-
+
+
-        -w /bin/su
+
-EOF
-

trunk/RHEL4/scripts/Makefile

@@ -22 +22 @@
-        test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3 || install -m 755 -d \
-                $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3
+        test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4 || install -m 755 -d \
+                $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4
-
-
@@ -41 +43 @@
-        install -m 700 stig-fix/cat2/*.sh $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat2 
-        install -m 700 stig-fix/cat3/*.sh $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3 
+        install -m 700 stig-fix/cat4/*.sh $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4 
-
-        # Patch installer 

trunk/RHEL4/scripts/installer.in

@@ -93 +93 @@
-InstallMan
-InstallStig
-
+#

trunk/RHEL4/scripts/stig-fix/cat2/gen002660.sh

@@ -10 +10 @@
-        # Remove any existing rules
-        -D
+
+        # Enable auditing
+        -e 1
+
-        # Increase buffer size to handle the increased number of messages.
-        -b 8192
+
+        # Failure of auditd causes a kernel panic
+        -f 2
+
-EOF
-

trunk/RHEL4/scripts/stig-fix/cat2/gen002720.sh

@@ -9 +9 @@
-        -w /bin/login -p x
-        -w /bin/logout -p x
+
-EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh

@@ -8 +8 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit.rules
+        # DAC permission changes
-        -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
+
-EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit.rules
+        # unauthorized file access attempts
-        -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
+
-EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit.rules
+        # privileged commands
-        -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-        -w /usr/sbin/pwck
@@ -20 +21 @@
-        -w /usr/bin/setfacl
-        -w /usr/bin/chacl
+
-EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit.rules
+        # deleting files
-        -a exit,always -S unlink -S rmdir
+
-EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit.rules
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
+
-EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit.rules
-
+
+
-        -w /bin/su
+
-EOF

trunk/RHEL5.1/conf/audit/audit.rules

@@ -1 @@
-
-
-
-
-
+
--D
-
@@ -9 +5 @@
--e 1
-
-kernel buffer size
+buffer size to handle the increased number of messages.
--b 8192
-
@@ -15 +11 @@
--f 2
-
-
-
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
--w /etc/passwd -p wa
--w /etc/shadow -p wa
--w /etc/group  -p wa
-
-
+
--w /etc/pam.d
-
-
-
-
-
-
+
+
+
--w /var/run/utmp
--w /var/run/wtmp
+-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
-
-
-
-
-
+
+
+
-
-# watch audit subsystem's configuration files
--w /etc/auditd.conf -p wa
--w /etc/audit.rules -p wa
-
-# SELinux configuration
--w /etc/selinux/config -p wa
-
-# login records
--w /var/log/lastlog
--w /var/log/faillog
-
-# login configuration
--w /etc/login.defs
-
-# init configuration
--w /etc/rc.d/init.d
--w /etc/inittab -p wa
-
-# sshd configuration
--w /etc/ssh/sshd_config
-
-# audit creating new directories
--a exit,always -S mkdir -F auid!=0
-
-# audit chmod,chown for non-root users
--a exit,always -S chmod -S fchmod -F auid!=0
--a exit,always -S chown -S fchown -S lchown -F auid!=0
-
-# changes to security labels
--a exit,always -S setxattr -S lsetxattr -S fsetxattr
--a exit,always -S removexattr -S lremovexattr -S fremovexattr

trunk/RHEL5.1/kickstart/clip.ks

@@ -643 +643 @@
-        # Remove any existing rules
-        -D
+
+        # Enable auditing
+        -e 1
+
-        # Increase buffer size to handle the increased number of messages.
-        -b 8192
+
+        # Failure of auditd causes a kernel panic
+        -f 2
+
-EOF
-
@@ -662 +670 @@
-        -w /bin/login -p x
-        -w /bin/logout -p x
+
-EOF
-
@@ -668 +677 @@
-## successful use of chown/chmod)
-cat <<-EOF >> /etc/audit/audit.rules
+        # DAC permission changes
-        -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
+
-EOF
-
@@ -674 +685 @@
-## unauthorized access attempts to files (unsuccessful)
-cat <<-EOF >> /etc/audit/audit.rules
+        # unauthorized file access attempts
-        -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
+
-EOF
-
@@ -680 +693 @@
-## use of privileged commands (unsuccessful and successful)
-cat <<-EOF >> /etc/audit/audit.rules
+        # privileged commands
-        -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-        -w /usr/sbin/pwck
@@ -693 +707 @@
-        -w /usr/bin/setfacl
-        -w /usr/bin/chacl
+
-EOF
-
@@ -698 +713 @@
-## files and programs deleted by the user (successful and unsuccessful)
-cat <<-EOF >> /etc/audit/audit.rules
+        # deleting files
-        -a exit,always -S unlink -S rmdir
+
-EOF
-
@@ -704 +721 @@
-## all system administration actions
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
+
-EOF
-
@@ -714 +748 @@
-## all security personnel actions
-cat <<-EOF >> /etc/audit/audit.rules
-
+
+
-        -w /bin/su
+
-EOF
-

trunk/RHEL5.1/scripts/Makefile

@@ -22 +22 @@
-        test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3 || install -m 755 -d \
-                $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3
+        test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4 || install -m 755 -d \
+                $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4
-#               test -d *.conf || install -m 644 *.conf \ 
-#$(DESTDIR)$(SYSCONFDIR)

trunk/RHEL5.1/scripts/installer.in

@@ -38 +38 @@
-
-InstallAudit() {
-
-
+/audit
+/audit
-    auditctl -R /etc/audit.rules
-}

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002660.sh

@@ -10 +10 @@
-        # Remove any existing rules
-        -D
+
+        # Enable auditing
+        -e 1
+
-        # Increase buffer size to handle the increased number of messages.
-        -b 8192
+
+        # Failure of auditd causes a kernel panic
+        -f 2
+
-EOF
-

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002720.sh

@@ -9 +9 @@
-        -w /bin/login -p x
-        -w /bin/logout -p x 
+
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh

@@ -8 +8 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
+        # DAC permission changes
-        -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
+
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
+        # unauthorized file access attempts
-        -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
+
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
+        # privileged commands
-        -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-        -w /usr/sbin/pwck
@@ -20 +21 @@
-        -w /usr/bin/setfacl
-        -w /usr/bin/chacl
+
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002800.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
+        # deleting files
-        -a exit,always -S unlink -S rmdir
+
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
+
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002840.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
-
+
+
-        -w /bin/su
+
-EOF

trunk/RHEL5/conf/audit/audit.rules

@@ -1 @@
-
-
-
-
-
+
--D
-
@@ -9 +5 @@
--e 1
-
-kernel buffer size
+buffer size to handle the increased number of messages.
--b 8192
-
@@ -15 +11 @@
--f 2
-
-
-
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
--w /etc/passwd -p wa
--w /etc/shadow -p wa
--w /etc/group  -p wa
-
-
+
--w /etc/pam.d
-
-
-
-
-
-
+
+
+
--w /var/run/utmp
--w /var/run/wtmp
+-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
-
-
-
-
-
+
+
+
-
-# watch audit subsystem's configuration files
--w /etc/auditd.conf -p wa
--w /etc/audit.rules -p wa
-
-# SELinux configuration
--w /etc/selinux/config -p wa
-
-# login records
--w /var/log/lastlog
--w /var/log/faillog
-
-# login configuration
--w /etc/login.defs
-
-# init configuration
--w /etc/rc.d/init.d
--w /etc/inittab -p wa
-
-# sshd configuration
--w /etc/ssh/sshd_config
-
-# audit creating new directories
--a exit,always -S mkdir -F auid!=0
-
-# audit chmod,chown for non-root users
--a exit,always -S chmod -S fchmod -F auid!=0
--a exit,always -S chown -S fchown -S lchown -F auid!=0
-
-# changes to security labels
--a exit,always -S setxattr -S lsetxattr -S fsetxattr
--a exit,always -S removexattr -S lremovexattr -S fremovexattr

trunk/RHEL5/kickstart/clip.ks

@@ -634 +634 @@
-        # Remove any existing rules
-        -D
+
+        # Enable auditing
+        -e 1
+
-        # Increase buffer size to handle the increased number of messages.
-        -b 8192
+
+        # Failure of auditd causes a kernel panic
+        -f 2
+
-EOF
-
@@ -653 +661 @@
-        -w /bin/login -p x
-        -w /bin/logout -p x 
+
-EOF
-
@@ -659 +668 @@
-## successful use of chown/chmod)
-cat <<-EOF >> /etc/audit/audit.rules
+        # DAC permission changes
-        -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
+
-EOF
-
@@ -665 +676 @@
-## unauthorized access attempts to files (unsuccessful)
-cat <<-EOF >> /etc/audit/audit.rules
+        # unauthorized file access attempts
-        -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
+
-EOF
-
@@ -671 +684 @@
-## use of privileged commands (unsuccessful and successful)
-cat <<-EOF >> /etc/audit/audit.rules
+        # privileged commands
-        -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-        -w /usr/sbin/pwck
@@ -684 +698 @@
-        -w /usr/bin/setfacl
-        -w /usr/bin/chacl
+
-EOF
-
@@ -689 +704 @@
-## files and programs deleted by the user (successful and unsuccessful)
-cat <<-EOF >> /etc/audit/audit.rules
+        # deleting files
-        -a exit,always -S unlink -S rmdir
+
-EOF
-
@@ -695 +712 @@
-## all system administration actions
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
+
-EOF
-
@@ -705 +739 @@
-## all security personnel actions
-cat <<-EOF >> /etc/audit/audit.rules
-