[RFC] NISPOM audit rules - first draft

[Steve Grubb <sgrubb@redhat.com>]

Hi,

Posting this in case anyone has comments good or bad. This is aimed at current
upstream kernels as of 2.6.19 or later.

-Steve


##
## This file contains the a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192

## Audit 1, 1(a) (a) Enough information to determine the date and time
## of action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.

## changes to the time
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change

## system locale
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k CFG_issue -k system-locale
-w /etc/issue.net -p wa -k CFG_issue.net -k system-locale

## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh

## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.

## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

## unsuccessful open
-a exit,always -S open -F exit=-13 -k open

## unsuccessful close
-a exit,always -S close -F exit=-13 -k close

## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods

## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete 
-a exit,always -S unlinkat -F exit=-13 -k delete

## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam

## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally

## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally

## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs
-w /var/log/audit/audit.log -k audit-logs
#-w /var/log/audit/audit.log.1 -k audit-logs
#-w /var/log/audit/audit.log.2 -k audit-logs
#-w /var/log/audit/audit.log.3 -k audit-logs
#-w /var/log/audit/audit.log.4 -k audit-logs

## Put your own watches after this point
# -w /your-file -p rwxa -k mykey