Navigation

← Previous Change
Next Change →

Changeset 192 for trunk/RHEL4

Timestamp:

04/29/08 10:35:18 (9 months ago)

Author:

slawrence

Message:

- Combined audit.conf and kickstart audit.rules
- Prevented RHEL4 from running stigs after rpm installation
- Fixed installation scripts to include cat4 stigs

Files:

trunk/RHEL4/conf/audit/audit.rules (modified) (3 diffs)
trunk/RHEL4/kickstart/clip.ks (modified) (9 diffs)
trunk/RHEL4/scripts/Makefile (modified) (2 diffs)
trunk/RHEL4/scripts/installer.in (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002720.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh (modified) (2 diffs)
trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL4/conf/audit/audit.rules

r1	r192
1		~~# This is a sample rule set. The rules are executed from top~~
2		~~# to bottom. A '#' denotes comments. The rules are basically~~
3		~~# the auditctl commandline parameters.~~
4
5	1	# Remove existing rules
6	2	-D
…	…
9	5	-e 1
10	6
11		# Increase ~~kernel buffer size~~
	7	# Increase buffer size to handle the increased number of messages.
12	8	-b 8192
13	9
…	…
15	11	-f 2
16	12
17		#
18		# Audit1: audit accesses to security relevant files
19		#
	13	-w /bin/login -p x
	14	-w /bin/logout -p x
20	15
21		# watch passwd databases
	16	# DAC permission changes
	17	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
	18
	19	# unauthorized file access attempts
	20	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
	21
	22	# privileged commands
	23	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
	24	-w /usr/sbin/pwck
	25	-w /bin/chgrp
	26	-w /usr/bin/newgrp
	27	-w /usr/sbin/groupadd
	28	-w /usr/sbin/groupmod
	29	-w /usr/sbin/groupdel
	30	-w /usr/sbin/useradd
	31	-w /usr/sbin/userdel
	32	-w /usr/sbin/usermod
	33	-w /usr/bin/chage
	34	-w /usr/bin/setfacl
	35	-w /usr/bin/chacl
	36
	37	# deleting files
	38	-a exit,always -S unlink -S rmdir
	39
	40	# system administration actions
	41	# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
	42	-w /var/log/audit/audit.log
	43	-w /var/log/audit/audit[1-4].log
	44	-w /var/log/messages
	45	-w /var/log/lastlog
	46	-w /var/log/faillog
	47	-w /etc/auditd.conf -p wa
	48	-w /etc/audit.rules -p wa
	49	-w /etc/selinux/config -p wa
22	50	-w /etc/passwd -p wa
23	51	-w /etc/shadow -p wa
24	52	-w /etc/group -p wa
25
26		# pam configuration
	53	-w /etc/ssh/sshd_config
27	54	-w /etc/pam.d
28
29		# auditd configuration
30		#-w /etc/auditd.conf
31		#-w /etc/audit.rules
32
33		# watch utmp,wtmp
	55	-w /etc/login.defs
	56	-w /etc/rc.d/init.d
	57	-w /etc/inittab -p wa
34	58	-w /var/run/utmp
35	59	-w /var/run/wtmp
	60	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
36	61
37		# watch system log files
38		-w /var/log/messages
39		-w /var/log/audit/audit.log
40		-w /var/log/audit/audit[1-4].log
41
42		# watch audit subsystem's configuration files
43		-w /etc/auditd.conf -p wa
44		-w /etc/audit.rules -p wa
45
46		# SELinux configuration
47		-w /etc/selinux/config -p wa
48
49		# login records
50		-w /var/log/lastlog
51		-w /var/log/faillog
52
53		# login configuration
54		-w /etc/login.defs
55
56		# init configuration
57		-w /etc/rc.d/init.d
58		-w /etc/inittab -p wa
59
60		# sshd configuration
61		-w /etc/ssh/sshd_config
62
63		# audit creating new directories
64		-a exit,always -S mkdir -F auid!=0
65
66		# audit chmod,chown for non-root users
67		-a exit,always -S chmod -S fchmod -F auid!=0
68		-a exit,always -S chown -S fchown -S lchown -F auid!=0
69
70		# changes to security labels
71		-a exit,always -S setxattr -S lsetxattr -S fsetxattr
72		-a exit,always -S removexattr -S lremovexattr -S fremovexattr
	62	# security personnel actions
	63	-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
	64	-w /bin/su

trunk/RHEL4/kickstart/clip.ks

r186	r192
632	632	# Remove any existing rules
633	633	-D
	634
	635	# Enable auditing
	636	-e 1
	637
634	638	# Increase buffer size to handle the increased number of messages.
635	639	-b 8192
	640
	641	# Failure of auditd causes a kernel panic
	642	-f 2
	643
636	644	EOF
637	645
…	…
651	659	-w /bin/login -p x
652	660	-w /bin/logout -p x
	661
653	662	EOF
654	663
…	…
657	666	## successful use of chown/chmod)
658	667	cat <<-EOF >> /etc/audit.rules
	668	# DAC permission changes
659	669	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
	670
660	671	EOF
661	672
…	…
663	674	## unauthorized access attempts to files (unsuccessful)
664	675	cat <<-EOF >> /etc/audit.rules
	676	# unauthorized file access attempts
665	677	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
	678
666	679	EOF
667	680
…	…
669	682	## use of privileged commands (unsuccessful and successful)
670	683	cat <<-EOF >> /etc/audit.rules
	684	# privileged commands
671	685	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
672	686	-w /usr/sbin/pwck
…	…
682	696	-w /usr/bin/setfacl
683	697	-w /usr/bin/chacl
	698
684	699	EOF
685	700
…	…
687	702	## files and programs deleted by the user (successful and unsuccessful)
688	703	cat <<-EOF >> /etc/audit.rules
	704	# deleting files
689	705	-a exit,always -S unlink -S rmdir
	706
690	707	EOF
691	708
…	…
693	710	## all system administration actions
694	711	cat <<-EOF >> /etc/audit.rules
695		# This line could be the cause of problems with filling audit logs and preventing system usage after installation
696		-w /var/log/audit/
697		-w /etc/auditd.conf
698		-w /etc/audit.rules
	712	# system administration actions
	713	# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
	714	-w /var/log/audit/audit.log
	715	-w /var/log/audit/audit[1-4].log
	716	-w /var/log/messages
	717	-w /var/log/lastlog
	718	-w /var/log/faillog
	719	-w /etc/auditd.conf -p wa
	720	-w /etc/audit.rules -p wa
	721	-w /etc/selinux/config -p wa
	722	-w /etc/passwd -p wa
	723	-w /etc/shadow -p wa
	724	-w /etc/group -p wa
	725	-w /etc/ssh/sshd_config
	726	-w /etc/pam.d
	727	-w /etc/login.defs
	728	-w /etc/rc.d/init.d
	729	-w /etc/inittab -p wa
	730	-w /var/run/utmp
	731	-w /var/run/wtmp
699	732	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
	733
700	734	EOF
701	735
…	…
703	737	## all security personnel actions
704	738	cat <<-EOF >> /etc/audit.rules
705		-a exit,always -S init_module -S delete_module
	739	# security personnel actions
	740	-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
706	741	-w /bin/su
	742
707	743	EOF
708	744

trunk/RHEL4/scripts/Makefile

r100	r192
22	22	test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3 \|\| install -m 755 -d \
23	23	$(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3
	24	test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4 \|\| install -m 755 -d \
	25	$(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4
24	26
25	27
…	…
41	43	install -m 700 stig-fix/cat2/*.sh $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat2
42	44	install -m 700 stig-fix/cat3/*.sh $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3
	45	install -m 700 stig-fix/cat4/*.sh $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat4
43	46
44	47	# Patch installer

trunk/RHEL4/scripts/installer.in

r100 r192

93 93 InstallMan
94 94 InstallStig
95 RunStigFixes
95 #RunStigFixes

trunk/RHEL4/scripts/stig-fix/cat2/gen002660.sh

r179	r192
10	10	# Remove any existing rules
11	11	-D
	12
	13	# Enable auditing
	14	-e 1
	15
12	16	# Increase buffer size to handle the increased number of messages.
13	17	-b 8192
	18
	19	# Failure of auditd causes a kernel panic
	20	-f 2
	21
14	22	EOF
15	23

trunk/RHEL4/scripts/stig-fix/cat2/gen002720.sh

r179 r192

9 9 -w /bin/login -p x
10 10 -w /bin/logout -p x
11
11 12 EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh

r187	r192
8	8	echo '==================================================='
9	9	cat <<-EOF >> /etc/audit.rules
	10	# DAC permission changes
10	11	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
	12
11	13	EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh

r187	r192
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit.rules
	9	# unauthorized file access attempts
9	10	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
	11
10	12	EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh

r187	r192
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit.rules
	9	# privileged commands
9	10	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
10	11	-w /usr/sbin/pwck
…	…
20	21	-w /usr/bin/setfacl
21	22	-w /usr/bin/chacl
	23
22	24	EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh

r187	r192
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit.rules
	9	# deleting files
9	10	-a exit,always -S unlink -S rmdir
	11
10	12	EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh

r187	r192
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit.rules
9		-w /var/log/audit/
10		-w /etc/auditd.conf
11		-w /etc/audit.rules
	9	# system administration actions
	10	# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
	11	-w /var/log/audit/audit.log
	12	-w /var/log/audit/audit[1-4].log
	13	-w /var/log/messages
	14	-w /var/log/lastlog
	15	-w /var/log/faillog
	16	-w /etc/auditd.conf -p wa
	17	-w /etc/audit.rules -p wa
	18	-w /etc/selinux/config -p wa
	19	-w /etc/passwd -p wa
	20	-w /etc/shadow -p wa
	21	-w /etc/group -p wa
	22	-w /etc/ssh/sshd_config
	23	-w /etc/pam.d
	24	-w /etc/login.defs
	25	-w /etc/rc.d/init.d
	26	-w /etc/inittab -p wa
	27	-w /var/run/utmp
	28	-w /var/run/wtmp
12	29	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
	30
13	31	EOF

trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh

r187	r192
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit.rules
9		-a exit,always -S init_module -S delete_module
	9	# security personnel actions
	10	-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
10	11	-w /bin/su
	12
11	13	EOF

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r100	r192
93	93	InstallMan
94	94	InstallStig
95		RunStigFixes
	95	#RunStigFixes