Re: [RFC] NISPOM audit rules - first draft

["Timothy R. Chavez" <tim.chavez@linux.vnet.ibm.com>]

On Thu, 1 Mar 2007 13:33:10 -0500
Steve Grubb <sgrubb@redhat.com> wrote:

> Hi,
> 
> Posting this in case anyone has comments good or bad. This is aimed at current
> upstream kernels as of 2.6.19 or later.
> 
> -Steve
> 

Steve,

Wow... finally just getting to these.  Just a couple quick comments below.

-tim

> 
> ##
> ## This file contains the a sample audit configuration intended to
> ## meet the NISPOM Chapter 8 rules.
> ##
> ## This file should be saved as /etc/audit/audit.rules.
> ##
> 
> ## Remove any existing rules
> -D
> 
> ## Increase buffer size to handle the increased number of messages.
> ## Feel free to increase this if the machine panic's
> -b 8192
> 
> ## Audit 1, 1(a) (a) Enough information to determine the date and time
> ## of action (e.g., common network time), the system locale of the action,
> ## the system entity that initiated or completed the action, the resources
> ## involved, and the action involved.
> 
> ## changes to the time
> -a entry,always -S adjtimex -S settimeofday -k time-change
> -w /etc/localtime -p wa -k time-change
> 
> ## system locale
> -a exit,always -S sethostname -k system-locale
> -w /etc/issue -p wa -k CFG_issue -k system-locale
> -w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
>

These are invalid rules due to the fact you specify -k twice, right?  That
should probably be fixed since we're able to do things like '-S open -S close'
and '-F exit=-13 -F perm=a'

[..]
 
> ## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
> ## This is covered by patches to login, gdm, and openssh
> 
> ## Audit 1, 1(c) Successful and unsuccessful accesses to
> ## security-relevant objects and directories, including
> ## creation, open, close, modification, and deletion.
> 
> ## unsuccessful creation
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
> 
> ## unsuccessful open
> -a exit,always -S open -F exit=-13 -k open
> 
> ## unsuccessful close
> -a exit,always -S close -F exit=-13 -k close
> 
> ## unsuccessful modifications
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> -a exit,always -S renameat -F exit=-13 -k mods
> -a exit,always -F perm=a -F exit=-13 -k mods

No system call specified...

> 
> ## unsuccessful deletion
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete 
> -a exit,always -S unlinkat -F exit=-13 -k delete
> 
> ## Audit 1, 1(d) Changes in user authenticators.
> ## Covered by patches to libpam
> 
> ## Audit 1, 1(e) The blocking or blacklisting of a user ID,
> ## terminal, or access port and the reason for the action.
> ## Covered by patches to pam_tally
> 
> ## Audit 1, 1(f) Denial of access resulting from an excessive
> ## number of unsuccessful logon attempts.
> ## Covered by patches to pam_tally
> 
> ## Audit 1, 2 Audit Trail Protection. The contents of audit trails
> ## shall be protected against unauthorized access, modification,
> ## or deletion.
> ## This should be covered by file permissions, but we can watch it
> ## to see any activity
> -w /var/log/audit/ -k audit-logs
> -w /var/log/audit/audit.log -k audit-logs
> #-w /var/log/audit/audit.log.1 -k audit-logs
> #-w /var/log/audit/audit.log.2 -k audit-logs
> #-w /var/log/audit/audit.log.3 -k audit-logs
> #-w /var/log/audit/audit.log.4 -k audit-logs
> 
> ## Put your own watches after this point
> # -w /your-file -p rwxa -k mykey
>