NISPOM Auditing

corbin corbin at arlut.utexas.edu
Tue May 27 14:00:19 UTC 2008


Can these rules apply to RHEL4 or just RHEL5?  I, too, have to create a
NISPOM compliant network and have written scripts to do so.  However, I am
just exploring the audit.rules settings in RHEL and wanted to know if these
changes are particular to a specific version of Red Hat. 

Thanks!
Starr

-----Original Message-----
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com]
On Behalf Of Steve Grubb
Sent: Thursday, May 22, 2008 4:20 PM
To: linux-audit at redhat.com
Subject: Re: NISPOM Auditing

On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
> I need to log file edit attempts when a user doesn't have permission to
> edit a specific file. For example, a non-root user attempts to edit
> "/var/log/audit/audit.log" which has a permission setting of 640.
> Although the user won't be able to edit the file (permission denied) -
> I'd still like to log the attempt. Here's a snippet of my audit.rules
> file:

Have you looked at the latest nispom.rules file in the audit package? I have a
set of rules that should meet NISPOM requirements. If it doesn't I'd like to
know what is wrong with it so we can fix it. This set of rules looks similar
to it, but there are differences. The main difference is adding -F arch= to
each syscall rule to make sure the numbers are correct.


> ## unsuccessful creation
>
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
>
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation



> ## unsuccessful open
>
> -a exit,always -S open -F exit=-13 -k open

-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open



> ## unsuccessful close
>
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
>
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
>
> -a exit,always -S renameat -F exit=-13 -k mods
>
> ## unsuccessful deletion
>
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
>
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## unauthorized change directory (cd)
>
> -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

:)

> ## Watch Files
>
> -w /var/log/audit/audit.log -p rwxa -k audit-log2

This rule only watches one file. There could be more. You might want a rule like:

-w /var/log/audit -k audit-logs

-Steve

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
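Steve's two corrections to the quoted rule set (qualify every syscall rule with -F arch= so the syscall numbers resolve for the right ABI, and write the errno symbolically) can be applied mechanically. The Python below is an added example, not code from the thread or from the audit package's nispom.rules; the embedded sample rules are constructed from the ones quoted above.

```python
"""Rewrite auditctl syscall rules into the form Steve recommends: a syscall
rule without '-F arch=' becomes a b32/b64 pair (syscall numbers differ per
ABI, so an unqualified rule can resolve to the wrong call), and a numeric
'-F exit=-13' becomes the symbolic '-F exit=-EACCES'.  Added example, not
the audit package's own code."""
import errno
import shlex

# Constructed sample: one rule quoted in the thread, one already in the
# recommended form and one file watch, which must pass through untouched.
SAMPLE_RULES = """
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-w /var/log/audit -k audit-logs
"""

def symbolic_exit(value):
    """'exit=-13' -> 'exit=-EACCES'; anything else is returned unchanged."""
    name, _, val = value.partition("=")
    if name != "exit" or not val.lstrip("-").isdigit():
        return value
    code = abs(int(val))
    return "exit=-" + errno.errorcode.get(code, str(code))

def fix_rule(line):
    """Return the rule line(s) that should replace `line`."""
    stripped = line.strip()
    if not stripped:
        return []
    if stripped.startswith("#") or not stripped.startswith("-a"):
        return [stripped]  # comments, -w watches and control lines pass through
    toks = shlex.split(stripped)
    # Every value that follows -F goes through the errno rewrite.
    toks = [symbolic_exit(t) if i and toks[i - 1] == "-F" else t
            for i, t in enumerate(toks)]
    if "-S" in toks and not any(t.startswith("arch=") for t in toks):
        head, tail = toks[:2], toks[2:]  # '-a exit,always', then the filters
        return [" ".join(head + ["-F", "arch=" + arch] + tail)
                for arch in ("b32", "b64")]
    return [" ".join(toks)]

def lint(text):
    """Apply fix_rule to every line of an audit.rules file, in order."""
    return [out for line in text.splitlines() for out in fix_rule(line)]

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_RULES)))
```

Run it against a real audit.rules to see which rules would be duplicated into b32/b64 pairs; errno names come from the Python errno module of the host, so run it on the Linux box the rules are destined for.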
