Attempting to copy and paste the auditing rules as is into /etc/audit/audit.rules won't work if the '\' characters are left in. Experienced sysadmins MIGHT catch this and remove them, but in my opinion, the benefit of having tidier printouts of auditing rules doesn't outweigh the risk that users will be unable to correctly diagnose the resulting errors if they copy and paste from the HTML version of the guide. No mention is given anywhere in the prose that these line extension characters should be removed, and users that are unfamiliar with audit rule formatting might assume that the '\' characters are a required field.
- Maura Dailey Signed-off-by: Maura Dailey <[email protected]> --- RHEL6/input/system/auditing.xml | 107 +++++++++++++-------------------------- 1 files changed, 35 insertions(+), 72 deletions(-) diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 1c907bd..e9cac2c 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml 
@@ -750,22 +750,14 @@ calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines, however, this is less efficient. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat \ - -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S chown -S fchown -S fchownat \ - -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S setxattr -S lsetxattr \ - -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \ - -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows: -<pre>-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat \ - -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S chown -S fchown -S fchownat \ - -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S setxattr -S lsetxattr \ - -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \ - -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod</pre> </description> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. @@ -777,11 +769,9 @@ abuse among both authorized and unauthorized users.</rationale> <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications @@ -805,11 +795,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="chown" /> 
@@ -833,11 +821,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="fchmod" /> @@ -861,11 +847,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="fchmodat" /> 
@@ -889,11 +873,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="fchown" /> @@ -917,11 +899,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="fchownat" /> 
@@ -945,11 +925,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="fremovexattr" /> @@ -973,11 +951,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="fsetxattr" /> 
@@ -1001,11 +977,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="lchown" /> @@ -1029,11 +1003,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="lremovexattr" /> 
@@ -1057,11 +1029,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="lsetxattr" /> @@ -1085,11 +1055,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="removexattr" /> 
@@ -1113,11 +1081,9 @@ calls with others as identifying earlier in this guide is more efficient. <description>At a minimum the audit system should collect file permission changes for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: -<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> If the system is 64 bit then also add the following: -<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ - -k perm_mod</pre> +<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> </description> <ocil> <audit-syscall-check-macro syscall="setxattr" /> @@ -1176,10 +1142,8 @@ as an attacker attempting to remove evidence of an intrusion.</rationale> unauthorized file accesses for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as appropriate for your system: -<pre>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ - -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access --a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ - -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre> +<pre>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access +-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre> </description> <ocil clause="either command lacks output"> To verify that the audit system collects unauthorized file accesses, run the following commands: 
@@ -1250,8 +1214,7 @@ loss.</rationale> deletion events for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as appropriate for your system: -<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \ - -F auid>=500 -F auid!=4294967295 -k delete</pre> +<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre> </description> <ocil> <audit-syscall-check-macro syscall="unlink" /> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
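Review bot: In the `@@ -750,22 +750,14 @@` hunk the second and third rules of each new `<pre>` block keep a leading space inherited from the old continuation indentation (`+ -a always,exit -F arch=b32 -S chown ...`, `+ -a always,exit -F arch=b64 -S chown ...`), while the later hunks (`@@ -1176` and `@@ -1250`) start every rule at column 0 (`+-a always,exit -F arch=ARCH ...`). Since the goal of the change is a clean copy-and-paste into /etc/audit/audit.rules, drop that leading space so each rule begins with `-a` at the start of the line, consistent with the other hunks.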
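Review bot: The commit message points out that the prose never tells the reader the continuation characters were optional, but none of the hunks add a sentence saying that each rule must now occupy a single line, so a reader who re-wraps the long joined rules for readability gets the same failure the patch sets out to avoid. The `@@ -1176,10 +1142,8 @@` hunk already carries an instruction sentence ("setting ARCH to either b32 or b64 as appropriate for your system") that is a natural place to add "each rule on a single line", and the same wording fits after "Add the following to <tt>/etc/audit/audit.rules</tt>:" in the other descriptions.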
