source: trunk/contrib/capp.rules @ 947

Revision 584, 9.5 KB checked in by sgrubb, 2 years ago (diff)

Improved sample rules for recent syscall

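##
## This file contains a sample audit configuration.  Combined with the
## system events that are audited by default, this set of rules causes
## audit to generate records for the auditable events specified by the
## Controlled Access Protection Profile (CAPP).
##
## It should be noted that this set of rules identifies directories by
## leaving a / at the end of the path.
##
## Rules are loaded in file order: "-D" must stay first and "-e 2" (if
## enabled) must stay last.  Lines beginning with "#-" are disabled sample
## rules to be enabled per platform; see the per-architecture notes below.
## Syscall rules are given once per ABI (-F arch=b32 / -F arch=b64); on a
## 64-bit kernel both are needed, because 32-bit binaries enter the kernel
## through the compat ABI that the b64 rule does not match.
## Most rules carry a -k key so their records can be found with
## "ausearch -k <key>"; the mknod, mount, sethostname and stunnel rules
## below do not and must be searched by syscall or path.
##
## For audit 2.0.6 and higher
##

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
## (with "-f 2" below a full backlog is a panic condition, so size this
## for the peak event rate, not the average)
-b 8192

## Set failure mode to panic
## 0=silent, 1=printk, 2=panic.  Panic guarantees no auditable event is
## lost at the cost of availability; use 1 where that trade is unacceptable.
-f 2

##
## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
##
## No -p is given, so reads as well as writes/attribute changes are
## recorded (omitting -p selects all access types).
-w /var/log/audit/ -k LOG_audit

##
## FAU_SEL.1, FMT_MTD.1
## modifications to audit configuration that occur while the audit
## collection functions are operating; all modifications to the set of
## audited events
##
-w /etc/audit/ -p wa -k CFG_audit
-w /etc/sysconfig/auditd  -p wa -k CFG_auditd.conf
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
-w /etc/audisp/ -p wa -k CFG_audisp

##
## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
## all requests to perform an operation on an object covered by the
## SFP; all modifications of the values of security attributes;
## modifications to TSF data; attempts to revoke security attributes
##

## Objects covered by the Security Functional Policy (SFP) are:
## -File system objects (files, directories, special files, extended attributes)
## -IPC objects (SYSV shared memory, message queues, and semaphores)

## Operations on file system objects - by default, only monitor
## files and directories covered by filesystem watches.
## The syscall rules in this section are disabled because unfiltered
## they fire for every process on the system; enable them only with a
## clear idea of the resulting event volume (see -b and -f above).

## Changes in ownership and permissions
#-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat
#-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat
#-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown
#-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown
## Enable *32 rules if you are running on i386 or s390
## Do not use for x86_64, ia64, ppc, ppc64, or s390x
#-a always,exit -F arch=b32 -S fchown32 -S chown32 -S lchown32

## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
#-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S fallocate
#-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S fallocate
## Enable *64 rules if you are running on i386, ppc, ppc64, s390
## Do not use for x86_64, ia64, or s390x
#-a always,exit -F arch=b32 -S truncate64 -S ftruncate64

## directory operations
#-a always,exit -F arch=b32 -S mkdir -S mkdirat -S rmdir
#-a always,exit -F arch=b64 -S mkdir -S mkdirat -S rmdir

## moving, removing, and linking
#-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat
#-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
#-a always,exit -F arch=b32 -S link -S linkat -S symlink -S symlinkat
#-a always,exit -F arch=b64 -S link -S linkat -S symlink -S symlinkat

## Extended attribute operations
## Enable if you are interested in these events
#-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
#-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr

## special files
-a always,exit -F arch=b32 -S mknod -S mknodat
-a always,exit -F arch=b64 -S mknod -S mknodat

## Other file system operations
## Only the i386 rule is active as shipped.  On an x86_64 kernel that rule
## matches 32-bit compat calls only, so native mounts go unaudited until
## the x86_64 pair below is enabled (and the i386 line commented out).
## Enable if i386
-a always,exit -F arch=b32 -S mount -S umount -S umount2
## Enable if ppc, s390, or s390x
#-a always,exit -F arch=b32 -S mount -S umount -S umount2
#-a always,exit -F arch=b64 -S mount -S umount -S umount2
## Enable if ia64
#-a always,exit -F arch=b64 -S mount -S umount
## Enable if x86_64
#-a always,exit -F arch=b64 -S mount -S umount2
#-a always,exit -F arch=b32 -S mount -S umount -S umount2

## IPC SYSV message queues
## On the architectures listed first, the SysV IPC calls share the single
## "ipc" syscall and are told apart by its first argument (a0); the other
## architectures have one syscall per operation.
## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
## msgctl
#-a always,exit -S ipc -F a0=14
## msgget
#-a always,exit -S ipc -F a0=13
## Enable if you are interested in these events (x86_64,ia64)
#-a always,exit -S msgctl
#-a always,exit -S msgget

## IPC SYSV semaphores
## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
## semctl
#-a always,exit -S ipc -F a0=3
## semget
#-a always,exit -S ipc -F a0=2
## semop
#-a always,exit -S ipc -F a0=1
## semtimedop
#-a always,exit -S ipc -F a0=4
## Enable if you are interested in these events (x86_64, ia64)
#-a always,exit -S semctl
#-a always,exit -S semget
#-a always,exit -S semop
#-a always,exit -S semtimedop

## IPC SYSV shared memory
## Enable if you are interested in these events (x86,ppc,ppc64,s390,s390x)
## shmctl
#-a always,exit -S ipc -F a0=24
## shmget
#-a always,exit -S ipc -F a0=23
## Enable if you are interested in these events (x86_64, ia64)
#-a always,exit -S shmctl
#-a always,exit -S shmget

##
## FIA_USB.1
## success and failure of binding user security attributes to a subject
##
## Enable if you are interested in these events
## (every process creation is recorded; expect high volume)
##
#-a always,exit -F arch=b32 -S clone
#-a always,exit -F arch=b64 -S clone
#-a always,exit -F arch=b32 -S fork -S vfork
#-a always,exit -F arch=b64 -S fork -S vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a always,exit -S clone2

##
## FMT_MSA.3
## modifications of the default setting of permissive or restrictive
## rules, all modifications of the initial value of security attributes
##
## Enable if you are interested in these events
##
#-a always,exit -F arch=b32 -S umask
#-a always,exit -F arch=b64 -S umask

##
## FPT_STM.1
## changes to the time
##
## All four active rules share the time-change key already used by the
## clock_adjtime samples below, so one "ausearch -k time-change" covers
## every way the clock can be set.
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
## a0=0 is CLOCK_REALTIME (the wall clock); setting any other clock id
## is not a system time change and is left unaudited.
-a always,exit -F arch=b32 -S clock_settime -F a0=0 -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -k time-change
#-a always,exit -F arch=b64 -S clock_adjtime -k time-change

##
## FTP_ITC.1
## set-up of trusted channel
##
## Execute watch: a record is produced each time the binary is run.
-w /usr/sbin/stunnel -p x

##
## Security Databases
##

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root

## user, group, password databases
## shadow, gshadow and opasswd omit -p so that reads of the password
## hashes are recorded as well; the world-readable passwd and group
## files only need write/attribute tracking.
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -p wa -k CFG_securetty
-w /var/run/faillock/ -p wa -k LOG_faillock
-w /var/log/lastlog -p wa -k LOG_lastlog
-w /var/log/tallylog -p wa -k LOG_tallylog

## network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network

## system startup scripts
-w /etc/sysconfig/init -p wa -k CFG_init
-w /etc/init/ -p wa -k CFG_init
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts

## library search paths
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf

## local time zone
-w /etc/localtime -p wa -k CFG_localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf

## modprobe configuration
-w /etc/modprobe.d/ -p wa -k CFG_modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/access.conf -p wa  -k CFG_pam
-w /etc/security/limits.conf -p wa  -k CFG_pam
-w /etc/security/pam_env.conf -p wa -k CFG_pam
-w /etc/security/namespace.conf -p wa -k CFG_pam
-w /etc/security/namespace.d/ -p wa -k CFG_pam
-w /etc/security/namespace.init -p wa -k CFG_pam
-w /etc/security/sepermit.conf -p wa -k CFG_pam
-w /etc/security/time.conf -p wa -k CFG_pam

## postfix configuration
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix

## screen configuration
-w /etc/screenrc -p wa -k CFG_screen

## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config

## stunnel configuration
-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem

## sudo configuration
-w /etc/sudoers -k CFG_sudoers
-w /etc/sudoers.d/ -k CFG_sudoers

## Not specifically required by CAPP; but common sense items
-a always,exit -F arch=b32 -S sethostname -S setdomainname
-a always,exit -F arch=b64 -S sethostname -S setdomainname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net

## Optional - could indicate someone trying to do something bad or
## just debugging
#-a always,exit -F arch=b32 -S ptrace -k paranoid
#-a always,exit -F arch=b64 -S ptrace -k paranoid

## Optional - could be an attempt to bypass audit or simply legacy program
## 4294967295 is 0xffffffff, the argument that merely queries the current
## personality; excluding it leaves only real changes in the log.
#-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k paranoid
#-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k paranoid

## Optional - might want to watch module insertion
#-w /sbin/insmod -p x -k modules
#-w /sbin/rmmod -p x -k modules
#-w /sbin/modprobe -p x -k modules
#-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
#-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

## Put your own watches after this point
# -w /your-file -p rwxa -k mykey

## Make the configuration immutable
## Once set, the rule set cannot be changed again until reboot; enable
## only after the rules above are final.
#-e 2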