Re: auditd configuration for PCI DSS 10.2.x Compliance

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditd configuration for PCI DSS 10.2.x Compliance
Date: Mon, 15 Jan 2018 10:45:13 -0500	[thread overview]
Message-ID: <1701815.EsT69oTLgZ@x2> (raw)
In-Reply-To: <DM3P100MB0140C09748B350F3F80FFE31F2EB0@DM3P100MB0140.NAMP100.PROD.OUTLOOK.COM>

On Monday, January 15, 2018 9:52:07 AM EST Joshua Ammons wrote:
> Hello All,
> 
> Just thought I'd give this one more shot to see if anyone had any comments
> on my prior message (see below)?  Any input you have would be greatly
> appreciated.  I won't bother the group any more on this topic.

Not sure if you noticed, but the audit system ships with a PCI set of rules.
# rpm -ql audit | grep pci
/usr/share/doc/audit/rules/30-pci-dss-v31.rules


> I was wondering if anyone had any experience putting together an auditd
> configuration to meet PCI DSS 10.2.x requirements?  Below are the
> requirements and my thoughts for each one...if anyone has anything that
> they have done I'd love to hear it!
> 
> 10.2.2    All actions taken by any individual with root or administrative
> privileges
> 
> *         Enable the pam_tty_audit.so shared library in
> /etc/pam.d/[su/sudo/sudo-i/su-l] files.
> 
> o   USER_TTY event type will contain all commands from privileged user.
> 
> *         Add following lines to /etc/audit/rules.d/audit.rules file:
> 
> o   # Audit all actions by any individual with root or administrative
> privileges
> 
> o   -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
> 
> o   -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

The above is best done by TTY auditing.

 
> ?  EXECVE event type will contain all commands from user with elevated
> privileges.
> 
> ?  Question: with the pam_tty_audit.so enabled, and those commands being
> logged to USER_TTY events...is this rule needed also? 

No. And you would want to add -F auid >= 1000  -F auid != -1 if you were 
keeping it.

> 10.2.3    Access to all audit trails
> *         I'm not sure the best route to cover this one.  If I add a rule
> to watch /var/log/* for 'wa' actions, those logs are constantly being
> written to so that would be too noisy I believe. Does anyone know how I
> would form a rule that would fire when a file within /var/log is accessed
> directly by a user?  Also, if the user makes any manual changes, such as
> deleting a file or modifying its contents? 

Its not too noisy. Check the rules for this in the pci file. It picks up 
everything.

> 10.2.4    Invalid logical access attempts
> 
> *         Based on my understanding, this wouldn't really be covered by
> auditd, but by the standard authpriv facility.  Anybody configure anything
> in auditd to cover this requirement? 

pam probably covers this.

> 10.2.5    Use of and changes to identification and authentication
> mechanisms-including but not limited to creation of new accounts and
> elevation of privileges-and all changes, additions, or deletions to
> accounts with root or administrative privileges

Put a watch on passwd & group and shadow-utils does the rest.
 
> *         CRED_ACQ (sudo) and USER_AUTH (su) events should contain when a
> user sudo's or su's to privileged account.  My understanding is that these
> would not require any extra rules to be written.  However, I'm not quite
> sure how to handle the requirements to log creation of new accounts, and
> all changes, or deletions to accounts with root/admin privileges...any
> ideas?

Shadow utils covers this.

> 10.2.6.   Initialization, stopping, or pausing of the audit logs
> 
> *         Auditd:
> 
> o   DAEMON_END events would indicate auditd was stopped.
> 
> o   DAEMON_START and SERVICE_START events would indicate when auditd
> initialized.
> 
> o   Anything else anybody would add here?
> 
> *         Rsyslog:
> 
> o   SERVICE_START event (unit=rsyslog) when rsyslog is initialized
> 
> o   SERVICE_STOP event (unit=rsyslog) when rsyslog is stopped
> 
> o   Anything else anybody would add here?
> 10.2.7    Creation and deletion of system- level objects
> 
> *         -w [DIRECTORY] -p wa rules for the directories below:
> 
> o   /bin
> 
> o   /sbin
> 
> o   /usr/bin
> 
> o   /usr/sbin
> 
> o   /var/lib
> 
> o   /usr/lib
> 
> o   /usr/libexec
> 
> o   /lib64
> 
> o   /usr/lib64
> 
> ?  Would the above cover this requirement?  Any other suggestions here?

This will probably make you very unhappy when you do yum update. But you can 
add those rules.

-Steve

next prev parent reply	other threads:[~2018-01-15 15:45 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-15 14:52 auditd configuration for PCI DSS 10.2.x Compliance Joshua Ammons
2018-01-15 15:14 ` Boyce, Kevin P [US] (AS)
2018-01-15 15:27   ` Joshua Ammons
2018-01-15 15:45 ` Steve Grubb [this message]
2018-01-15 15:55   ` Joshua Ammons
2018-01-16  8:49 ` Shinoj Gangadharan
  -- strict thread matches above, loose matches on Subject: below --
2018-01-11 22:33 Joshua Ammons

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1701815.EsT69oTLgZ@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.