## Remove any existing rules -D

Size: px

Start display at page:

Download "## Remove any existing rules -D"

Hugh Davidson
8 years ago
Views:

1 This file contains a sample audit configuration. Combined with the system events that are audited by default, this set of rules causes audit to generate records for the auditable events specified by the Controlled Access Protection Profile (CAPP). It should be noted that this set of rules identifies directories by leaving a / at the end of the path. These need to be updated to be a watch for each file in that directory. This is because a watch on a directory only triggers when the directory s inode is updated with meta data. To have accurate events, a watch should be place on each file. Because each installation is different, we leave that as a site customization. Remove any existing rules -D Increase buffer size to handle the increased number of messages. Feel free to increase this if the machine panic s -b 8192 Set failure mode to panic -f 2 FAU_SAR.1, FAU_SAR.2, FMT_MTD.1 successful and unsuccessful attempts to read information from the audit records; all modifications to the audit trail -w /var/log/audit/ -k LOG_audit #-w /var/log/audit/audit_log -k LOG_audit_log #-w /var/log/audit/audit_log.1 -k LOG_audit_log #-w /var/log/audit/audit_log.2 -k LOG_audit_log #-w /var/log/audit/audit_log.3 -k LOG_audit_log #-w /var/log/audit/audit_log.4 -k LOG_audit_log FAU_SEL.1, FMT_MTD.1 modifications to audit configuration that occur while the audit collection functions are operating; all modications to the set of audited events -w /etc/auditd.conf -k CFG_auditd.conf -w /etc/audit.rules -k CFG_audit.rules FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1 all requests to perform an operation on an object covered by the SFP; all modifications of the values of security attributes; modifications to TSF data; attempts to revoke security attributes Objects covered by the Security Functional Policy (SFP) are: - File system objects (files, directories, special files, extended attributes) - IPC objects (SYSV shared memory, message queues, and semaphores) Operations on file system objects - by default, only monitor files and directories covered by filesystem watches. Replace "possible" with "always" to create audit records for all uses of this

It should be noted that this set of rules identifies directories by leaving a / at the end of the path. These need to be updated to be a watch for each file in that directory.

2 syscall. Changes in ownership and permissions -a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lc For x86_64,ia64 architectures, disable any *32 rules above File content modification. Permissions are checked at open time, monitoring individual read/write calls is not useful. -a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64 For x86_64,ia64 architectures, disable any *64 rules above directory operations -a entry,possible -S mkdir -S rmdir moving, removing, and linking -a entry,possible -S unlink -S rename -S link -S symlink Extended attribute operations Enable if you are interested in these events - combine where possible #-a entry,always -S setxattr #-a entry,always -S lsetxattr #-a entry,always -S fsetxattr #-a entry,always -S removexattr #-a entry,always -S lremovexattr #-a entry,always -S fremovexattr special files -a entry,always -S mknod Other file system operations -a entry,always -S mount -S umount -S umount2 For x86_64 architecture, disable umount rule For ia64 architecture, disable umount2 rule SYSV message queues Enable if you are interested in these events (x86) msgctl #-a entry,always -S ipc -F a0=14 msgget #-a entry,always -S ipc -F a0=13 Enable if you are interested in these events (x86_64,ia64) #-a entry,always -S msgctl #-a entry,always -S msgget SYSV semaphores Enable if you are interested in these events (x86) semctl #-a entry,always -S ipc -F a0=3 semget #-a entry,always -S ipc -F a0=2 semop #-a entry,always -S ipc -F a0=1 semtimedop #-a entry,always -S ipc -F a0=4 Enable if you are interested in these events (x86_64, ia64) #-a entry,always -S semctl #-a entry,always -S semget #-a entry,always -S semop #-a entry,always -S semtimedop

content modification. Permissions are checked at open time, monitoring individual read/write calls is not useful.

3 SYSV shared memory Enable if you are interested in these events (x86) shmctl #-a entry,always -S ipc -F a0=24 shmget #-a entry,always -S ipc -F a0=23 Enable if you are interested in these events (x86_64, ia64) #-a entry,always -S shmctl #-a entry,always -S shmget FIA_USB.1 success and failure of binding user security attributes to a subject Enable if you are interested in these events #-a entry,always -S clone #-a entry,always -S fork #-a entry,always -S vfork For ia64 architecture, disable fork and vfork rules above, and enable the following: #-a entry,always -S clone2 FMT_MSA.3 modifications of the default setting of permissive or restrictive rules, all modifications of the initial value of security attributes Enable if you are interested in these events #-a entry,always -S umask FPT_STM.1 changes to the time -a entry,always -S adjtimex -S settimeofday FTP_ITC.1 set-up of trusted channel -w /usr/sbin/stunnel -p x -a entry,possible -S execve Security Databases at configuration & scheduled jobs -w /var/spool/at -k LOG_at -w /etc/at.allow -k CFG_at.allow -w /etc/at.deny -k CFG_at.deny cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k CFG_cron.allow -w /etc/cron.deny -p wa -k CFG_cron.deny -w /etc/cron.d/ -p wa -k CFG_cron.d -w /etc/cron.daily/ -p wa -k CFG_cron.daily -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly

1 success and failure of binding user security attributes to a subject Enable if you are interested in these events #-a entry,always -S clone #-a entry,always -S fork #-a entry,always -S vfork For

4 -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly -w /etc/crontab -p wa -k CFG_crontab -w /var/spool/cron/root -k CFG_crontab_root user, group, password databases -w /etc/group -p wa -k CFG_group -w /etc/passwd -p wa -k CFG_passwd -w /etc/gshadow -k CFG_gshadow -w /etc/shadow -k CFG_shadow -w /etc/security/opasswd -k CFG_opasswd login configuration and information -w /etc/login.defs -p wa -k CFG_login.defs -w /etc/securetty -k CFG_securetty -w /var/log/faillog -k LOG_faillog -w /var/log/lastlog -k LOG_lastlog network configuration -w /etc/hosts -p wa -k CFG_hosts -w /etc/sysconfig/ system startup scripts -w /etc/inittab -p wa -k CFG_inittab -w /etc/rc.d/init.d/ -w /etc/rc.d/init.d/auditd -p wa -k CFG_initd_auditd library search paths -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf local time zone -w /etc/localtime -p wa -k CFG_localtime kernel parameters -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf modprobe configuration -w /etc/modprobe.conf -p wa -k CFG_modprobe.conf pam configuration -w /etc/pam.d/ postfix configuration -w /etc/aliases -p wa -k CFG_aliases -w /etc/postfix/ -p wa -k CFG_postfix ssh configuration -w /etc/ssh/sshd_config -k CFG_sshd_config stunnel configuration -w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf -w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem vsftpd configuration -w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers -w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf Not specifically required by CAPP; but common sense items -a exit,always -S sethostname -w /etc/issue -p wa -k CFG_issue

/etc/gshadow -k CFG_gshadow -w /etc/shadow -k CFG_shadow -w /etc/security/opasswd -k CFG_opasswd login configuration and information -w /etc/login.defs -p wa -k CFG_login.

5 -w /etc/issue.net -p wa -k CFG_issue.net Put your own watches after this point # -w /your-file -p rwxa -k mykey This is a demo version of txt2pdf v.10.1 Developed by SANFACE Software Available at

In this post we ll lock down the server even more, adding google authenticator and auditd.

In this post we ll lock down the server even more, adding google authenticator and auditd. 1 of 7 12/1/2014 1:14 PM This is some sort of part two of Creating a baseline Ubuntu 14.04 server (http://konstruktoid.net/2014/04/25/creating a baseline ubuntu 14 04 server/), so read that first and check