I am reviewing the auditd rules here
<https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules>,
and, for example, the rules block below lists the rules for "Group add delete
modify":

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group
## and gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify

I was looking to see if there was a doc that lists the individual auditd
rules and the compliance requirement each one would validate. So, taking
those rules above and dumping them into a spreadsheet, it would look as
follows:

User and Group Management Events

Compliance Requirement                            | Rule
--------------------------------------------------+-----------------------------------------------------------------------------------------------------------
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
Group/Role Add, Delete, Modify (Success/Failure)  | -a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify

Basically, a mapping of compliance requirements to the rules that would be
used to validate each requirement.

Thx
-- 
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
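As an added example (not part of the original message, and not code from audit-userspace or the SCAP Security Guide), here is a small Python script that does the spreadsheet step mechanically: it parses auditctl rule lines in both the `-a ... -F key=` and `-w ... -k` forms, groups each rule under a requirement label by its audit key, and flags any watched path that has a b64 rule without its b32 twin (or vice versa), which is the kind of gap that is easy to miss when the rules are copied by hand. The KEY_TO_REQUIREMENT labels, the deliberate /etc/shadow gap, and the sudoers watch rule in the sample text are all constructed for the example, not taken from any standard.

```python
"""Parse auditd rules and build a requirement -> rules mapping.

Added example, not code from audit-userspace or the SSG. The requirement
labels and the sample rule text are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample rules in the OSPP style, with one deliberate gap
# (/etc/shadow has only a b64 rule) and one "-w" style watch rule.
SAMPLE_RULES = """\
## Group add delete modify. Covered by pam, but watch the files directly too.
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-w /etc/sudoers -p wa -k privileged-modify
"""

# Assumed key -> requirement labels (placeholders, not from any standard text).
KEY_TO_REQUIREMENT = {
    "user-modify": "User Add, Delete, Modify (Success/Failure)",
    "group-modify": "Group/Role Add, Delete, Modify (Success/Failure)",
}

# "-F name op value"; auditctl accepts =, !=, <, >, <=, >= (and &, &=, unused here)
FILTER_RE = re.compile(r"-F\s+(\w+)\s*(>=|<=|!=|=|>|<)\s*(\S+)")


def parse_rule(line):
    """Parse one auditctl rule line into a dict; return None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    rule = {"raw": line, "key": None, "path": None, "arch": None, "perm": None}
    if line.startswith("-w "):
        # Watch syntax: -w <path> -p <perms> -k <key>
        tokens = line.split()
        rule["path"] = tokens[1]
        for i, tok in enumerate(tokens):
            if tok == "-p" and i + 1 < len(tokens):
                rule["perm"] = tokens[i + 1]
            elif tok == "-k" and i + 1 < len(tokens):
                rule["key"] = tokens[i + 1]
        return rule
    for name, _op, value in FILTER_RE.findall(line):
        if name in ("key", "path", "arch", "perm"):
            rule[name] = value
    m = re.search(r"(?:^|\s)-k\s+(\S+)", line)  # "-k key" is also legal on -a rules
    if m:
        rule["key"] = m.group(1)
    return rule


def parse_rules(text):
    """Parse a whole rules file body, dropping comments and blank lines."""
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]


def build_mapping(rules, key_to_requirement):
    """Group raw rule lines under the requirement their key maps to.

    Keys without a label are reported as UNMAPPED so nothing is silently dropped,
    and keyless rules get their own bucket because ausearch -k cannot find them.
    """
    mapping = defaultdict(list)
    for r in rules:
        if r["key"] is None:
            label = "NO KEY (not searchable with ausearch -k)"
        else:
            label = key_to_requirement.get(r["key"], f"UNMAPPED ({r['key']})")
        mapping[label].append(r["raw"])
    return dict(mapping)


def missing_arch(rules, wanted=("b32", "b64")):
    """Return (path, arch) pairs where a path-watching -a rule lacks one arch."""
    seen = defaultdict(set)
    for r in rules:
        if r["arch"] and r["path"]:
            seen[r["path"]].add(r["arch"])
    return sorted((p, a) for p, archs in seen.items() for a in wanted if a not in archs)


def to_tsv(mapping):
    """Render the mapping as tab-separated rows for pasting into a spreadsheet."""
    lines = ["Compliance Requirement\tRule"]
    for label in sorted(mapping):
        for raw in mapping[label]:
            lines.append(f"{label}\t{raw}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(to_tsv(build_mapping(parsed, KEY_TO_REQUIREMENT)))
    print("missing arch twins:", missing_arch(parsed))
```

Point it at a real file by replacing SAMPLE_RULES with the contents of /etc/audit/rules.d/*.rules; the "UNMAPPED" and "NO KEY" buckets are the ones to look at first, since a rule with no key cannot be pulled back out with `ausearch -k` when you need to prove the control fired.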