On Thu, 1 Mar 2007 13:33:10 -0500 Steve Grubb <[EMAIL PROTECTED]> wrote:
> Hi, > > Posting this in case anyone has comments good or bad. This is aimed at current > upstream kernels as of 2.6.19 or later. > > -Steve > Steve, Wow... finally just getting to these. Just a couple quick comments below. -tim > > ## > ## This file contains the a sample audit configuration intended to > ## meet the NISPOM Chapter 8 rules. > ## > ## This file should be saved as /etc/audit/audit.rules. > ## > > ## Remove any existing rules > -D > > ## Increase buffer size to handle the increased number of messages. > ## Feel free to increase this if the machine panic's > -b 8192 > > ## Audit 1, 1(a) (a) Enough information to determine the date and time > ## of action (e.g., common network time), the system locale of the action, > ## the system entity that initiated or completed the action, the resources > ## involved, and the action involved. > > ## changes to the time > -a entry,always -S adjtimex -S settimeofday -k time-change > -w /etc/localtime -p wa -k time-change > > ## system locale > -a exit,always -S sethostname -k system-locale > -w /etc/issue -p wa -k CFG_issue -k system-locale > -w /etc/issue.net -p wa -k CFG_issue.net -k system-locale > These are invalid rules due to the fact you specify -k twice, right? That should probably be fixed since we're able to do things like '-S open -S close' and '-F exit=-13 -F perm=a' [..] > ## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. > ## This is covered by patches to login, gdm, and openssh > > ## Audit 1, 1(c) Successful and unsuccessful accesses to > ## security-relevant objects and directories, including > ## creation, open, close, modification, and deletion. > > ## unsuccessful creation > -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k > creation > -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k > creation > > ## unsuccessful open > -a exit,always -S open -F exit=-13 -k open > > ## unsuccessful close > -a exit,always -S close -F exit=-13 -k close > > ## unsuccessful modifications > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods > -a exit,always -S renameat -F exit=-13 -k mods > -a exit,always -F perm=a -F exit=-13 -k mods No system call specified... > > ## unsuccessful deletion > -a exit,always -S rmdir -S unlink -F exit=-13 -k delete > -a exit,always -S unlinkat -F exit=-13 -k delete > > ## Audit 1, 1(d) Changes in user authenticators. > ## Covered by patches to libpam > > ## Audit 1, 1(e) The blocking or blacklisting of a user ID, > ## terminal, or access port and the reason for the action. > ## Covered by patches to pam_tally > > ## Audit 1, 1(f) Denial of access resulting from an excessive > ## number of unsuccessful logon attempts. > ## Covered by patches to pam_tally > > ## Audit 1, 2 Audit Trail Protection. The contents of audit trails > ## shall be protected against unauthorized access, modification, > ## or deletion. > ## This should be covered by file permissions, but we can watch it > ## to see any activity > -w /var/log/audit/ -k audit-logs > -w /var/log/audit/audit.log -k audit-logs > #-w /var/log/audit/audit.log.1 -k audit-logs > #-w /var/log/audit/audit.log.2 -k audit-logs > #-w /var/log/audit/audit.log.3 -k audit-logs > #-w /var/log/audit/audit.log.4 -k audit-logs > > ## Put your own watches after this point > # -w /your-file -p rwxa -k mykey > -- Linux-audit mailing list [EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/linux-audit
