Navigation

← Previous Changeset
Next Changeset →

Changeset 233

Timestamp:

08/05/08 09:48:35 (4 months ago)

Author:

slawrence

Message:

Increase audit buffer size and max log size before rotating.
Watch ld.so.conf and more system calls
Change some spaces to tabs that should be stripped in heredoc in stigs
Update readme

Files:

trunk/RHEL5.2/README (modified) (1 diff)
trunk/RHEL5.2/conf/audit/audit-i386.rules (modified) (4 diffs)
trunk/RHEL5.2/conf/audit/audit-x86_64.rules (modified) (4 diffs)
trunk/RHEL5.2/conf/audit/auditd.conf (modified) (1 diff)
trunk/RHEL5.2/kickstart/clip.ks (modified) (5 diffs)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002660.sh (modified) (3 diffs)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002760.sh (modified) (2 diffs)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002780.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5.2/README

r177	r233
1		To build RHEL 5.1 CLIP instance use the following steps:
	1	To build RHEL 5.2 CLIP instance use the following steps:
2	2
3		1. Run ~~make~~
	3	1. Run rpmify
4	4
5		2. R~~un rpmif~~y
	5	2. RPMs are copied to the RPM directory
6	6
7		~~3. Copy the RPM files to the OSS.Tresys.com website~~
8
9		~~4. Update the Download Page's SHA values from the SHA1_<$ARCH>.txt file.~~
10
11

trunk/RHEL5.2/conf/audit/audit-i386.rules

r217	r233
	1	## Add keys to the audit rules below using the -k option to allow for more
	2	## organized and quicker searches with the ausearch tool. See auditctl(8)
	3	## and ausearch(8) for more information.
	4
1	5	# Remove any existing rules
2	6	-D
…	…
6	10
7	11	# Increase buffer size to handle the increased number of messages.
8		-b ~~8192~~
	12	-b 16384
9	13
10	14	# Failure of auditd causes a kernel panic
…	…
37	41
38	42	# deleting files
39		-a exit,always -S unlink -S rmdir
	43	-a exit,always -S unlink -S rmdir -S rename -S link -S symlink
40	44
41	45	# system administration actions
…	…
51	55	-w /etc/shadow -p wa
52	56	-w /etc/group -p wa
	57	-w /etc/ld.so.conf -p wa
	58	-w /etc/ld.so.conf.d -p wa
53	59	-w /etc/ssh/sshd_config
54	60	-w /etc/pam.d

trunk/RHEL5.2/conf/audit/audit-x86_64.rules

r217	r233
	1	## Add keys to the audit rules below using the -k option to allow for more
	2	## organized and quicker searches with the ausearch tool. See auditctl(8)
	3	## and ausearch(8) for more information.
	4
1	5	# Remove any existing rules
2	6	-D
…	…
6	10
7	11	# Increase buffer size to handle the increased number of messages.
8		-b ~~8192~~
	12	-b 16384
9	13
10	14	# Failure of auditd causes a kernel panic
…	…
37	41
38	42	# deleting files
39		-a exit,always -S unlink -S rmdir
	43	-a exit,always -S unlink -S rmdir -S rename -S link -S symlink
40	44
41	45	# system administration actions
…	…
51	55	-w /etc/shadow -p wa
52	56	-w /etc/group -p wa
	57	-w /etc/ld.so.conf -p wa
	58	-w /etc/ld.so.conf.d -p wa
53	59	-w /etc/ssh/sshd_config
54	60	-w /etc/pam.d

trunk/RHEL5.2/conf/audit/auditd.conf

r232	r233
10	10	num_logs = 4
11	11	#dispatcher = /sbin/audispd
12		max_log_file = 5
	12	max_log_file = 256
13	13	max_log_file_action = ROTATE
14	14	space_left = 75

trunk/RHEL5.2/kickstart/clip.ks

r232	r233
661	661	chkconfig auditd on
662	662	cat <<-EOF > /etc/audit/audit.rules
	663	## Add keys to the audit rules below using the -k option to allow for more
	664	## organized and quicker searches with the ausearch tool. See auditctl(8)
	665	## and ausearch(8) for more information.
	666
663	667	# Remove any existing rules
664	668	-D
…	…
668	672
669	673	# Increase buffer size to handle the increased number of messages.
670		-b ~~8192~~
	674	-b 16384
671	675
672	676	# Failure of auditd causes a kernel panic
…	…
683	687	num_logs = 4
684	688	#dispatcher = /sbin/audispd
685		max_log_file = 5
	689	max_log_file = 256
686	690	max_log_file_action = ROTATE
687	691	space_left = 75
…	…
766	770	cat <<-EOF >> /etc/audit/audit.rules
767	771	# deleting files
768		-a exit,always -S unlink -S rmdir
	772	-a exit,always -S unlink -S rmdir -S rename -S link -S symlink
769	773
770	774	EOF
…	…
785	789	-w /etc/shadow -p wa
786	790	-w /etc/group -p wa
	791	-w /etc/ld.so.conf -p wa
	792	-w /etc/ld.so.conf.d -p wa
787	793	-w /etc/ssh/sshd_config
788	794	-w /etc/pam.d

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002660.sh

r232	r233
8	8	/sbin/chkconfig auditd on
9	9	cat <<-EOF > /etc/audit/audit.rules
	10	## Add keys to the audit rules below using the -k option to allow for more
	11	## organized and quicker searches with the ausearch tool. See auditctl(8)
	12	## and ausearch(8) for more information.
	13
10	14	# Remove any existing rules
11	15	-D
…	…
15	19
16	20	# Increase buffer size to handle the increased number of messages.
17		-b ~~8192~~
	21	-b 16384
18	22
19	23	# Failure of auditd causes a kernel panic
…	…
30	34	num_logs = 4
31	35	#dispatcher = /sbin/audispd
32		max_log_file = 5
	36	max_log_file = 256
33	37	max_log_file_action = ROTATE
34	38	space_left = 75

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002740.sh

r197	r233
8	8	echo '==================================================='
9	9	cat <<-EOF >> /etc/audit/audit.rules
10		# DAC permission changes
	10	# DAC permission changes
11	11	EOF
12	12	echo -n "-a exit,always -S chmod -S chown -S fchmod -S fchown -S lchown" >> /etc/audit/audit.rules
13	13	if [ "$(uname -i)" != "x86_64" ]
14	14	then
15		echo -n " -S chown32 -S fchown32 -S lchown32" >> /etc/audit/audit.rules
	15	echo -n " -S chown32 -S fchown32 -S lchown32" >> /etc/audit/audit.rules
16	16	fi
17	17	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002760.sh

r200	r233
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit/audit.rules
9		# unauthorized file access attempts
	9	# unauthorized file access attempts
10	10	EOF
11	11	echo "-a exit,always -S open -F success=0" >> /etc/audit/audit.rules
…	…
13	13	if [ "$(uname -i)" != "x86_64" ]
14	14	then
15		echo -n " -S truncate64 -S ftruncate64" >> /etc/audit/audit.rules
	15	echo -n " -S truncate64 -S ftruncate64" >> /etc/audit/audit.rules
16	16	fi
17	17	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002780.sh

r197	r233
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit/audit.rules
9		# privileged commands
10		-w /usr/sbin/pwck
11		-w /bin/chgrp
12		-w /usr/bin/newgrp
13		-w /usr/sbin/groupadd
14		-w /usr/sbin/groupmod
15		-w /usr/sbin/groupdel
16		-w /usr/sbin/useradd
17		-w /usr/sbin/userdel
18		-w /usr/sbin/usermod
19		-w /usr/bin/chage
20		-w /usr/bin/setfacl
21		-w /usr/bin/chacl
	9	# privileged commands
	10	-w /usr/sbin/pwck
	11	-w /bin/chgrp
	12	-w /usr/bin/newgrp
	13	-w /usr/sbin/groupadd
	14	-w /usr/sbin/groupmod
	15	-w /usr/sbin/groupdel
	16	-w /usr/sbin/useradd
	17	-w /usr/sbin/userdel
	18	-w /usr/sbin/usermod
	19	-w /usr/bin/chage
	20	-w /usr/bin/setfacl
	21	-w /usr/bin/chacl
22	22	EOF
23	23	echo -n "-a exit,always -S chroot -S mount -S umount2 -S adjtimex -S kill" >> /etc/audit/audit.rules
24	24	if [ "$(uname -i)" != "x86_64" ]
25	25	then
26		echo -n " -S umount" >> /etc/audit/audit.rules
	26	echo -n " -S umount" >> /etc/audit/audit.rules
27	27	fi
28	28	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002800.sh

r192	r233
8	8	cat <<-EOF >> /etc/audit/audit.rules
9	9	# deleting files
10		-a exit,always -S unlink -S rmdir
	10	-a exit,always -S unlink -S rmdir -S rename -S link -S symlink
11	11
12	12	EOF

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002820.sh

r217	r233
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit/audit.rules
9		# system administration actions
10		-w /var/log/audit/audit.log
11		-w /var/log/audit/audit[1-4].log
12		-w /var/log/messages
13		-w /var/log/lastlog
14		-w /var/log/faillog
15		-w /etc/audit/auditd.conf -p wa
16		-w /etc/audit/audit.rules -p wa
17		-w /etc/selinux/config -p wa
18		-w /etc/passwd -p wa
19		-w /etc/shadow -p wa
20		-w /etc/group -p wa
21		-w /etc/ssh/sshd_config
22		-w /etc/pam.d
23		-w /etc/login.defs
24		-w /etc/rc.d/init.d
25		-w /etc/inittab -p wa
26		-w /var/run/utmp
27		-w /var/run/wtmp
	9	# system administration actions
	10	-w /var/log/audit/audit.log
	11	-w /var/log/audit/audit[1-4].log
	12	-w /var/log/messages
	13	-w /var/log/lastlog
	14	-w /var/log/faillog
	15	-w /etc/audit/auditd.conf -p wa
	16	-w /etc/audit/audit.rules -p wa
	17	-w /etc/selinux/config -p wa
	18	-w /etc/passwd -p wa
	19	-w /etc/shadow -p wa
	20	-w /etc/group -p wa
	21	-w /etc/ld.so.conf -p wa
	22	-w /etc/ld.so.conf.d -p wa
	23	-w /etc/ssh/sshd_config
	24	-w /etc/pam.d
	25	-w /etc/login.defs
	26	-w /etc/rc.d/init.d
	27	-w /etc/inittab -p wa
	28	-w /var/run/utmp
	29	-w /var/run/wtmp
28	30	EOF
29	31	echo -n "-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S swapon" >> /etc/audit/ audit.rules
30	32	if [ "$(uname -i)" != "x86_64" ]
31	33	then
32		echo -n " -S stime" >> /etc/audit/audit.rules
	34	echo -n " -S stime" >> /etc/audit/audit.rules
33	35	fi
34	36	echo -e "\n" >> /etc/audit/audit.rules

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.