Navigation

← Previous Change
Next Change →

conf

Timestamp:

04/29/08 10:35:18 (2 years ago)

Author:

slawrence

Message:

- Combined audit.conf and kickstart audit.rules
- Prevented RHEL4 from running stigs after rpm installation
- Fixed installation scripts to include cat4 stigs

Files:

trunk/RHEL5/conf/audit/audit.rules (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5/conf/audit/audit.rules

r1	r192
1		# This is a sample rule set. The rules are executed from top
2		# to bottom. A '#' denotes comments. The rules are basically
3		# the auditctl commandline parameters.
4
5		# Remove existing rules
	1	# Remove any existing rules
6	2	-D
7	3
…	…
9	5	-e 1
10	6
11		# Increase ~~kernel buffer size~~
	7	# Increase buffer size to handle the increased number of messages.
12	8	-b 8192
13	9
…	…
15	11	-f 2
16	12
17		#
18		# Audit1: audit accesses to security relevant files
19		#
	13	-w /bin/login -p x
	14	-w /bin/logout -p x
20	15
21		# watch passwd databases
	16	# DAC permission changes
	17	-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
	18
	19	# unauthorized file access attempts
	20	-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
	21
	22	# privileged commands
	23	-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
	24	-w /usr/sbin/pwck
	25	-w /bin/chgrp
	26	-w /usr/bin/newgrp
	27	-w /usr/sbin/groupadd
	28	-w /usr/sbin/groupmod
	29	-w /usr/sbin/groupdel
	30	-w /usr/sbin/useradd
	31	-w /usr/sbin/userdel
	32	-w /usr/sbin/usermod
	33	-w /usr/bin/chage
	34	-w /usr/bin/setfacl
	35	-w /usr/bin/chacl
	36
	37	# deleting files
	38	-a exit,always -S unlink -S rmdir
	39
	40	# system administration actions
	41	# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
	42	-w /var/log/audit/audit.log
	43	-w /var/log/audit/audit[1-4].log
	44	-w /var/log/messages
	45	-w /var/log/lastlog
	46	-w /var/log/faillog
	47	-w /etc/audit/auditd.conf -p wa
	48	-w /etc/audit/audit.rules -p wa
	49	-w /etc/selinux/config -p wa
22	50	-w /etc/passwd -p wa
23	51	-w /etc/shadow -p wa
24	52	-w /etc/group -p wa
25
26		# pam configuration
	53	-w /etc/ssh/sshd_config
27	54	-w /etc/pam.d
28
29		# auditd configuration
30		#-w /etc/auditd.conf
31		#-w /etc/audit.rules
32
33		# watch utmp,wtmp
	55	-w /etc/login.defs
	56	-w /etc/rc.d/init.d
	57	-w /etc/inittab -p wa
34	58	-w /var/run/utmp
35	59	-w /var/run/wtmp
	60	-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
36	61
37		# watch system log files
38		-w /var/log/messages
39		-w /var/log/audit/audit.log
40		-w /var/log/audit/audit[1-4].log
	62	# security personnel actions
	63	-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
	64	-w /bin/su
41	65
42		~~# watch audit subsystem's configuration files~~
43		~~-w /etc/auditd.conf -p wa~~
44		~~-w /etc/audit.rules -p wa~~
45
46		~~# SELinux configuration~~
47		~~-w /etc/selinux/config -p wa~~
48
49		~~# login records~~
50		~~-w /var/log/lastlog~~
51		~~-w /var/log/faillog~~
52
53		~~# login configuration~~
54		~~-w /etc/login.defs~~
55
56		~~# init configuration~~
57		~~-w /etc/rc.d/init.d~~
58		~~-w /etc/inittab -p wa~~
59
60		~~# sshd configuration~~
61		~~-w /etc/ssh/sshd_config~~
62
63		~~# audit creating new directories~~
64		~~-a exit,always -S mkdir -F auid!=0~~
65
66		~~# audit chmod,chown for non-root users~~
67		~~-a exit,always -S chmod -S fchmod -F auid!=0~~
68		~~-a exit,always -S chown -S fchown -S lchown -F auid!=0~~
69
70		~~# changes to security labels~~
71		~~-a exit,always -S setxattr -S lsetxattr -S fsetxattr~~
72		~~-a exit,always -S removexattr -S lremovexattr -S fremovexattr~~

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.