[RFC] NISPOM audit rules - first draft
Timothy R. Chavez
tim.chavez at linux.vnet.ibm.com
Fri Apr 13 18:24:14 UTC 2007
On Thu, 1 Mar 2007 13:33:10 -0500
Steve Grubb <sgrubb at redhat.com> wrote:
> Hi,
>
> Posting this in case anyone has comments good or bad. This is aimed at current
> upstream kernels as of 2.6.19 or later.
>
> -Steve
>
Steve,
Wow... finally just getting to these. Just a couple quick comments below.
-tim
>
> ##
> ## This file contains the a sample audit configuration intended to
> ## meet the NISPOM Chapter 8 rules.
> ##
> ## This file should be saved as /etc/audit/audit.rules.
> ##
>
> ## Remove any existing rules
> -D
>
> ## Increase buffer size to handle the increased number of messages.
> ## Feel free to increase this if the machine panic's
> -b 8192
>
> ## Audit 1, 1(a) (a) Enough information to determine the date and time
> ## of action (e.g., common network time), the system locale of the action,
> ## the system entity that initiated or completed the action, the resources
> ## involved, and the action involved.
>
> ## changes to the time
> -a entry,always -S adjtimex -S settimeofday -k time-change
> -w /etc/localtime -p wa -k time-change
>
> ## system locale
> -a exit,always -S sethostname -k system-locale
> -w /etc/issue -p wa -k CFG_issue -k system-locale
> -w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
>
These are invalid rules due to the fact you specify -k twice, right? That
should probably be fixed since we're able to do things like '-S open -S close'
and '-F exit=-13 -F perm=a'
[..]
> ## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
> ## This is covered by patches to login, gdm, and openssh
>
> ## Audit 1, 1(c) Successful and unsuccessful accesses to
> ## security-relevant objects and directories, including
> ## creation, open, close, modification, and deletion.
>
> ## unsuccessful creation
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
>
> ## unsuccessful open
> -a exit,always -S open -F exit=-13 -k open
>
> ## unsuccessful close
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> -a exit,always -S renameat -F exit=-13 -k mods
> -a exit,always -F perm=a -F exit=-13 -k mods
No system call specified...
>
> ## unsuccessful deletion
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## Audit 1, 1(d) Changes in user authenticators.
> ## Covered by patches to libpam
>
> ## Audit 1, 1(e) The blocking or blacklisting of a user ID,
> ## terminal, or access port and the reason for the action.
> ## Covered by patches to pam_tally
>
> ## Audit 1, 1(f) Denial of access resulting from an excessive
> ## number of unsuccessful logon attempts.
> ## Covered by patches to pam_tally
>
> ## Audit 1, 2 Audit Trail Protection. The contents of audit trails
> ## shall be protected against unauthorized access, modification,
> ## or deletion.
> ## This should be covered by file permissions, but we can watch it
> ## to see any activity
> -w /var/log/audit/ -k audit-logs
> -w /var/log/audit/audit.log -k audit-logs
> #-w /var/log/audit/audit.log.1 -k audit-logs
> #-w /var/log/audit/audit.log.2 -k audit-logs
> #-w /var/log/audit/audit.log.3 -k audit-logs
> #-w /var/log/audit/audit.log.4 -k audit-logs
>
> ## Put your own watches after this point
> # -w /your-file -p rwxa -k mykey
>
More information about the Linux-audit
mailing list