* [RFC] NISPOM audit rules - first draft
From: Steve Grubb @ 2007-03-01 18:33 UTC (permalink / raw)
To: Linux Audit
Hi,
Posting this in case anyone has comments good or bad. This is aimed at current
upstream kernels as of 2.6.19 or later.
-Steve
##
## This file contains a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
-b 8192
## Audit 1, 1(a) (a) Enough information to determine the date and time
## of action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.
## changes to the time
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
## system locale
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k CFG_issue -k system-locale
-w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam
## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally
## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally
## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs
-w /var/log/audit/audit.log -k audit-logs
#-w /var/log/audit/audit.log.1 -k audit-logs
#-w /var/log/audit/audit.log.2 -k audit-logs
#-w /var/log/audit/audit.log.3 -k audit-logs
#-w /var/log/audit/audit.log.4 -k audit-logs
## Put your own watches after this point
# -w /your-file -p rwxa -k mykey
* Re: [RFC] NISPOM audit rules - first draft
From: Timothy R. Chavez @ 2007-04-13 18:24 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
On Thu, 1 Mar 2007 13:33:10 -0500
Steve Grubb <sgrubb@redhat.com> wrote:
> Hi,
>
> Posting this in case anyone has comments good or bad. This is aimed at current
> upstream kernels as of 2.6.19 or later.
>
> -Steve
>
Steve,
Wow... finally just getting to these. Just a couple quick comments below.
-tim
>
> ##
> ## This file contains a sample audit configuration intended to
> ## meet the NISPOM Chapter 8 rules.
> ##
> ## This file should be saved as /etc/audit/audit.rules.
> ##
>
> ## Remove any existing rules
> -D
>
> ## Increase buffer size to handle the increased number of messages.
> ## Feel free to increase this if the machine panics
> -b 8192
>
> ## Audit 1, 1(a) (a) Enough information to determine the date and time
> ## of action (e.g., common network time), the system locale of the action,
> ## the system entity that initiated or completed the action, the resources
> ## involved, and the action involved.
>
> ## changes to the time
> -a entry,always -S adjtimex -S settimeofday -k time-change
> -w /etc/localtime -p wa -k time-change
>
> ## system locale
> -a exit,always -S sethostname -k system-locale
> -w /etc/issue -p wa -k CFG_issue -k system-locale
> -w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
>
These are invalid rules due to the fact you specify -k twice, right? That
should probably be fixed since we're able to do things like '-S open -S close'
and '-F exit=-13 -F perm=a'
[..]
> ## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
> ## This is covered by patches to login, gdm, and openssh
>
> ## Audit 1, 1(c) Successful and unsuccessful accesses to
> ## security-relevant objects and directories, including
> ## creation, open, close, modification, and deletion.
>
> ## unsuccessful creation
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
>
> ## unsuccessful open
> -a exit,always -S open -F exit=-13 -k open
>
> ## unsuccessful close
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> -a exit,always -S renameat -F exit=-13 -k mods
> -a exit,always -F perm=a -F exit=-13 -k mods
No system call specified...
>
> ## unsuccessful deletion
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## Audit 1, 1(d) Changes in user authenticators.
> ## Covered by patches to libpam
>
> ## Audit 1, 1(e) The blocking or blacklisting of a user ID,
> ## terminal, or access port and the reason for the action.
> ## Covered by patches to pam_tally
>
> ## Audit 1, 1(f) Denial of access resulting from an excessive
> ## number of unsuccessful logon attempts.
> ## Covered by patches to pam_tally
>
> ## Audit 1, 2 Audit Trail Protection. The contents of audit trails
> ## shall be protected against unauthorized access, modification,
> ## or deletion.
> ## This should be covered by file permissions, but we can watch it
> ## to see any activity
> -w /var/log/audit/ -k audit-logs
> -w /var/log/audit/audit.log -k audit-logs
> #-w /var/log/audit/audit.log.1 -k audit-logs
> #-w /var/log/audit/audit.log.2 -k audit-logs
> #-w /var/log/audit/audit.log.3 -k audit-logs
> #-w /var/log/audit/audit.log.4 -k audit-logs
>
> ## Put your own watches after this point
> # -w /your-file -p rwxa -k mykey
>
* Re: [RFC] NISPOM audit rules - first draft
From: Steve Grubb @ 2007-04-13 18:31 UTC (permalink / raw)
To: Timothy R. Chavez; +Cc: Linux Audit
On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
> Wow... finally just getting to these. Just a couple quick comments below.
The nispom.rules file has been updated several times since this was initially
posted.
> > ## unsuccessful modifications
> > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> > -a exit,always -S renameat -F exit=-13 -k mods
> > -a exit,always -F perm=a -F exit=-13 -k mods
>
> No system call specified...
That's what the magic of "perm" is. It selects all syscalls that match the
changing of attribute.
-Steve
* RE: [RFC] NISPOM audit rules - first draft
From: Brian K. Whatcott @ 2007-04-13 21:45 UTC (permalink / raw)
To: Linux-audit
Steve,
I am a bit new at using mail lists, but I joined this one to get help on
setting up auditd for NISPOM chapter 8.
Below you say the nispom.rules has been updated several times. Where is the
latest version located?
In the nispom.rules version in your post in the archive, the comments said
several NISPOM audit requirements were met by other programs (1(b) by
patches to login, gdm, and openssh; 1(d) by patches to libpam; 1(e) & 1(f)
by patches to pam_tally). Can these patches be downloaded from somewhere?
Do the patches work with SuSE 10.1 or 10.2?
Sorry, I come from a non-RH distro background. Our choice of SuSE came from
the long historic past. I'd rather not have to switch several machines to RH
in order to meet NISPOM requirements, but I could if absolutely necessary.
Brian K. Whatcott
Senior Software and Systems Engineer
Millennium Engineering Integration
(719) 264-4310, FAX (719) 264-4318
(719) 331-5100 (Cell)
bwhatcott@meicompany.com
* Re: [RFC] NISPOM audit rules - first draft
From: Steve Grubb @ 2007-04-13 21:54 UTC (permalink / raw)
To: linux-audit
On Friday 13 April 2007 17:45, Brian K. Whatcott wrote:
> Below you say the nispom.rules has been updated several times. Where is
> the latest version located?
You can download the latest source code, open the archive and copy
nispom.rules to wherever you needed it.
http://people.redhat.com/sgrubb/audit/audit-1.5.2.tar.gz
The configuration takes advantage of some newer features. So, it may or may
not work with the exact version of audit/kernel that you have.
> In the nispom.rules version in your post in the archive, the comments said
> several NISPOM audit requirements were met by other programs (1(b) by
> patches to login, gdm, and openssh; 1(d) by patches to libpam; 1(e) & 1(f)
> by patches to pam_tally). Can these patches be downloaded from somewhere?
These patches have been sent upstream and hopefully your versions of those
apps are new enough to have the patches and audit is enabled for them. I did
not collect them up into one place, but rather tried to get them where they
ultimately needed to go so everyone benefits from the work. The one exception
might be util-linux which seems to be a dead project that each distro
maintains themselves.
> Do the patches work with SuSE 10.1 or 10.2?
I don't know.
-Steve
* RE: [RFC] NISPOM audit rules - first draft
From: Wieprecht, Karen M. @ 2007-04-18 20:41 UTC (permalink / raw)
To: linux-audit
I downloaded the 1.5.2 source code, opened the archive and looked at the
nispom.rules. Two things:
1. auditd complained about using the -k (keyword) flag on lines that
were not file watch lines.
This could be a newer feature not supported by our audit subsystem (we
are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
if this is a general syntax problem or a
your-audit-version-doesn't-support-this problem ? Thanks.
2. We had two additional lines in our audit.rules to capture failed
chown, chgrp, and chmod:
-a exit,always -S 90 -F exit=-1
-a exit,always -S 92 -F exit=-1
I think these capture a few other events that aren't necessarily chown,
chmod, or chgrp, so there may be a savvier way to write this so to
exclude those extraneous items, but I haven't played with it. Let me
know if these are picked up elsewhere in the sample NISPOM rules. If
these actions aren't already being captured by another NISPOM audit
rule, you might consider adding them since failed attempts to chown,
chgrp, chmod are indications of someone possibly trying to open up
access to files they don't have rights to which would fall into the
"failed file access attempts" category.
Let me know what you think.
Thanks,
Karen Wieprecht
* Re: [RFC] NISPOM audit rules - first draft
From: Steve Grubb @ 2007-04-18 21:16 UTC (permalink / raw)
To: linux-audit; +Cc: Wieprecht, Karen M.
On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
> 1. auditd complained about using the -k (keyword) flag on lines that
> were not file watch lines.
Yes, this was mentioned on IRC last week and fixed in my development copy. It
will be in 1.5.3.
> This could be a newer feature not supported by our audit subsystem (we
> are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
> if this is a general syntax problem or a
> your-audit-version-doesn't-support-this problem ? Thanks.
1.5.2 does not work with RHEL4.
> 2. We had two additional lines in our audit.rules to capture failed
> chown, chgrp, and chmod:
>
> -a exit,always -S 90 -F exit=-1
> -a exit,always -S 92 -F exit=-1
I think you want 90-94 on x86_64. I guess they do return -EPERM. The way that
we are doing this for 1.5.2 is using special syntax allowed by the newer
kernels:
-a exit,always -F perm=a -F exit=-13
This tells the kernel to select any syscall that changes file attributes. We
should probably add another line with -F exit=-1
> If these actions aren't already being captured by another NISPOM audit
> rule, you might consider adding them since failed attempts to chown,
> chgrp, chmod are indications of someone possibly trying to open up
> access to files they don't have rights to which would fall into the
> "failed file access attempts" category.
Yep, I'll add a line.
-Steve
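An added rules linter (example code, not part of the audit project or this thread) that checks an audit.rules file for the points raised above: Timothy's duplicate -k on one rule, an -a rule with neither -S nor an -F perm= selector (which Steve explains is what perm= supplies), raw arch-specific syscall numbers like Karen's -S 90, and a perm= rule matching only exit=-13 with no exit=-1 companion as Steve proposes. The SAMPLE rules are constructed from lines quoted in the thread.

```python
"""Lint an audit.rules file for the pitfalls raised in this thread."""
import shlex

def parse_rule(line):
    """Split one rules line into (option, value) pairs; None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    argv, pairs, i = shlex.split(line), [], 0
    while i < len(argv):
        has_val = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        pairs.append((argv[i], argv[i + 1] if has_val else None))
        i += 2 if has_val else 1
    return pairs

def lint(text):
    """Return (line_no, message) findings; line_no 0 is a file-level finding."""
    findings, perm_exits = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        pairs = parse_rule(raw)
        if not pairs:
            continue
        keys = [v for o, v in pairs if o == "-k"]
        if len(keys) > 1:
            findings.append((n, f"-k given {len(keys)} times; auditctl takes one key per rule"))
        if "-a" not in [o for o, _ in pairs]:
            continue  # watches (-w) and control options need no syscall selector
        syscalls = [v for o, v in pairs if o == "-S" and v]
        fields = [v for o, v in pairs if o == "-F" and v]
        perm = any(f.startswith("perm=") for f in fields)
        if not syscalls and not perm:
            findings.append((n, "-a rule selects no syscall: add -S <name> or -F perm=<rwxa>"))
        for s in syscalls:
            # raw numbers are arch-specific: 90-94 are chmod/fchmod/chown/fchown/lchown on x86_64, not on i386
            if s.isdigit():
                findings.append((n, f"-S {s} is a raw syscall number; use the name"))
        for f in fields:
            if perm and f.startswith("exit=") and f[5:].lstrip("-").isdigit():
                perm_exits.add(int(f[5:]))
    if -13 in perm_exits and -1 not in perm_exits:
        findings.append((0, "perm= rule only matches EACCES (-13); add a companion with -F exit=-1 (EPERM)"))
    return findings

# Constructed sample mixing rules quoted in the thread
SAMPLE = """\
-w /etc/issue -p wa -k CFG_issue -k system-locale
-a exit,always -S open -F exit=-13 -k open
-a exit,always -F perm=a -F exit=-13 -k mods
-a exit,always -S 90 -F exit=-1
"""
```

Run `for n, msg in lint(SAMPLE): print(n, msg)` to see the three findings the sample triggers.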