## Sample audit rules for the Controlled Access Protection Profile (CAPP)




```
# This file contains a sample audit configuration. Combined with the
# system events that are audited by default, this set of rules causes
# audit to generate records for the auditable events specified by the
# Controlled Access Protection Profile (CAPP).
#
# It should be noted that this set of rules identifies directories by
# leaving a / at the end of the path. These need to be updated to be
# a watch for each file in that directory. This is because a watch on
# a directory only triggers when the directory's inode is updated with
# meta data. To have accurate events, a watch should be placed on each
# file. Because each installation is different, we leave that as a site
# customization.

# Remove any existing rules
-D

# Increase buffer size to handle the increased number of messages.
# Feel free to increase this if the machine panics
-b 8192

# Set failure mode to panic
-f 2

# FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
# successful and unsuccessful attempts to read information from the
# audit records; all modifications to the audit trail
-w /var/log/audit/ -k LOG_audit
#-w /var/log/audit/audit_log -k LOG_audit_log
#-w /var/log/audit/audit_log.1 -k LOG_audit_log
#-w /var/log/audit/audit_log.2 -k LOG_audit_log
#-w /var/log/audit/audit_log.3 -k LOG_audit_log
#-w /var/log/audit/audit_log.4 -k LOG_audit_log

# FAU_SEL.1, FMT_MTD.1
# modifications to audit configuration that occur while the audit
# collection functions are operating; all modifications to the set of
# audited events
-w /etc/auditd.conf -k CFG_auditd.conf
-w /etc/audit.rules -k CFG_audit.rules

# FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
# all requests to perform an operation on an object covered by the SFP;
# all modifications of the values of security attributes; modifications
# to TSF data; attempts to revoke security attributes
#
# Objects covered by the Security Functional Policy (SFP) are:
# - File system objects (files, directories, special files, extended attributes)
# - IPC objects (SYSV shared memory, message queues, and semaphores)

# Operations on file system objects
# - by default, only monitor files and directories covered by filesystem
#   watches. Replace "possible" with "always" to create audit records for
#   all uses of this syscall.

# Changes in ownership and permissions
# NOTE: this rule is cut off in the source text after "-S lc"
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lc
# For x86_64,ia64 architectures, disable any *32 rules above

# File content modification. Permissions are checked at open time,
# monitoring individual read/write calls is not useful.
-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
# For x86_64,ia64 architectures, disable any *64 rules above

# directory operations
-a entry,possible -S mkdir -S rmdir

# moving, removing, and linking
-a entry,possible -S unlink -S rename -S link -S symlink

# Extended attribute operations
# Enable if you are interested in these events - combine where possible
#-a entry,always -S setxattr
#-a entry,always -S lsetxattr
#-a entry,always -S fsetxattr
#-a entry,always -S removexattr
#-a entry,always -S lremovexattr
#-a entry,always -S fremovexattr

# special files
-a entry,always -S mknod

# Other file system operations
-a entry,always -S mount -S umount -S umount2
# For x86_64 architecture, disable umount rule
# For ia64 architecture, disable umount2 rule

# SYSV message queues
# Enable if you are interested in these events (x86)
# msgctl
#-a entry,always -S ipc -F a0=14
# msgget
#-a entry,always -S ipc -F a0=13
# Enable if you are interested in these events (x86_64,ia64)
#-a entry,always -S msgctl
#-a entry,always -S msgget

# SYSV semaphores
# Enable if you are interested in these events (x86)
# semctl
#-a entry,always -S ipc -F a0=3
# semget
#-a entry,always -S ipc -F a0=2
# semop
#-a entry,always -S ipc -F a0=1
# semtimedop
#-a entry,always -S ipc -F a0=4
# Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S semctl
#-a entry,always -S semget
#-a entry,always -S semop
#-a entry,always -S semtimedop

# SYSV shared memory
# Enable if you are interested in these events (x86)
# shmctl
#-a entry,always -S ipc -F a0=24
# shmget
#-a entry,always -S ipc -F a0=23
# Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S shmctl
#-a entry,always -S shmget

# FIA_USB.1
# success and failure of binding user security attributes to a subject
# Enable if you are interested in these events
#-a entry,always -S clone
#-a entry,always -S fork
#-a entry,always -S vfork
# For ia64 architecture, disable fork and vfork rules above, and
# enable the following:
#-a entry,always -S clone2

# FMT_MSA.3
# modifications of the default setting of permissive or restrictive
# rules, all modifications of the initial value of security attributes
# Enable if you are interested in these events
#-a entry,always -S umask

# FPT_STM.1
# changes to the time
-a entry,always -S adjtimex -S settimeofday

# FTP_ITC.1
# set-up of trusted channel
-w /usr/sbin/stunnel -p x
-a entry,possible -S execve

# Security Databases

# at configuration & scheduled jobs
-w /var/spool/at -k LOG_at
-w /etc/at.allow -k CFG_at.allow
-w /etc/at.deny -k CFG_at.deny

# cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root

# user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

# login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -k CFG_securetty
-w /var/log/faillog -k LOG_faillog
-w /var/log/lastlog -k LOG_lastlog

# network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/

# system startup scripts
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/
-w /etc/rc.d/init.d/auditd -p wa -k CFG_initd_auditd

# library search paths
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf

# local time zone
-w /etc/localtime -p wa -k CFG_localtime

# kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf

# modprobe configuration
-w /etc/modprobe.conf -p wa -k CFG_modprobe.conf

# pam configuration
-w /etc/pam.d/

# postfix configuration
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix

# ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config

# stunnel configuration
-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem

# vsftpd configuration
-w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
-w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf

# Not specifically required by CAPP; but common sense items
-a exit,always -S sethostname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net

# Put your own watches after this point
# -w /your-file -p rwxa -k mykey
```
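The header of the sample file warns that a watch on a directory (a path ending in `/`) only fires when the directory's own inode changes, and leaves the per-file watches as a site customization. As an added example that is not part of the CAPP sample file, this POSIX shell function performs that customization: it reads a rules file, expands every trailing-slash `-w` watch into one watch per regular file in that directory (keeping the original `-p`/`-k` options so the key stays the same), and passes every other line through unchanged. The function name `expand_dir_watches` and the throw-away demonstration tree are assumptions made for this example.

```shell
# expand_dir_watches RULES_FILE
# Prints the rules file with each "-w /some/dir/ [options]" line replaced
# by one "-w /some/dir/FILE [options]" line per regular file in that
# directory. Subdirectories are skipped (a nested directory watch would
# have the same limitation), and a directory with no regular files keeps
# its original watch line so nothing is silently dropped.
expand_dir_watches() {
    rules=$1
    while IFS= read -r line; do
        case "$line" in
            "-w "*/|"-w "*/" "*)
                set -- $line            # split on whitespace: -w DIR [options...]
                dir=$2
                shift 2
                opts=$*
                found=0
                for f in "$dir"*; do    # $dir already ends in "/"
                    [ -f "$f" ] || continue
                    found=1
                    printf -- '-w %s%s\n' "$f" "${opts:+ $opts}"
                done
                [ "$found" -eq 1 ] || printf '%s\n' "$line"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$rules"
}

# Constructed demonstration: a temporary tree standing in for /etc/cron.d/
# so the example runs without touching the real system configuration.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/cron.d/subdir"     # directories are not expanded
: > "$demo_root/cron.d/sysstat"
: > "$demo_root/cron.d/raid-check"
cat > "$demo_root/rules" <<EOF
-w $demo_root/cron.d/ -p wa -k CFG_cron.d
-w /etc/crontab -p wa -k CFG_crontab
-a entry,always -S mknod
EOF
expand_dir_watches "$demo_root/rules"
rm -rf "$demo_root"
```

Run the output through `auditctl -R` (or place it in the rules file) exactly as you would the original; the expanded lines carry the same `-k` key, so `ausearch -k CFG_cron.d` still finds every event for that directory's files.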