-----Original Message-----
From: Eric Paris [mailto:eparis@redhat.com]
Sent: Friday, January 14, 2011 11:42 AM
To: Tangren, Bill
Cc: linux-audit(a)redhat.com
Subject: Re: questions about auditing on a new RH 6 box
On Fri, 2011-01-14 at 16:21 +0000, Tangren, Bill wrote:
I have a new VM running RH 6 server. I put some audit.rules in place, and
now I notice that I am getting 11 MB of audit log entries every half hour.
This server has no users or services running. I am trying to use
audit-viewer to determine which of my rules is creating so much log traffic,
but I don't understand the output enough to be able to tell. The version of
audit is 2.0.4-1 (64 bit).
Is this the correct forum to ask this question?
If so, I can provide the audit rules and some of the logs.
This is probably the best forum there is. Let us know your troubles.
-Eric
OK, here goes. These are the audit rules. And before you read them, please don't shoot
the messenger. This is what I was told to audit, according to regulations. If it is
misconfigured, or if something causes excessive logging to no good purpose, I can modify
them some. I've used these rules on RH 5 systems with no problems. Also, I've left
in the comments.
***********************
-f 2
# Ensures that any access or modifications to the password file is audited
-w /etc/passwd -p rwa
# Ensures that any access or modifications to the shadow file is audited
-w /etc/shadow -p rwa
# Ensures that any reads of the audit log by the current user that's logged is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.
-w /var/log/audit/audit.log -k LOG_audit
# Ensures that the user who is logged in and fails to access a file or process
# is audited. Note: this will prevent kernel panics if you have a web server running
# because it will not log apache file accesses
-a exit,always -F arch=b64 -S open -S openat -F exit=EACCES -F uid!=apache -k access
-a exit,always -F arch=b64 -S open -S openat -F exit=EPERM -F uid!=apache -k access
# Ensures that any user who fails to change permissions of a file or directory is
# audited
-a exit,always -F arch=b64 -S chmod -S lchown -S chown -F success=0 -F exit!=-11
# Ensures that any user who mounts or unmounts a device is audited
# ensures that mounting and dismounting are audited
-a exit,always -F arch=b64 -S mount -S umount2
# Ensures that when anything is written to CD or DVD is audited
# This rule MUST be edited to reflect the device path that is specific to
# the system that the rules are being written for.
-w /dev/cdrom -p w
# AUDITING THE EXECVE FUNCTION
# Ensures any user that properly executes a process is audited.
# Since the open command is being audited, this rule causes
# redundancy. Since any command must be opened prior to execution, with this
# in effect, the system will have duplicate entries for every time something is
# executed. This is noted in case the desire to audit both comes up.
-a exit,always -F arch=b64 -S execve -F auid=-1 -F success=0
# AUDITING SHUTDOWNS AND REBOOTS
# Red Hat ensures auditing whenever the reboot command is sent to the kernel
-a exit,always -F arch=b64 -S socket -F a0=13
# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any unauthorized access to root's home directory.
-w /root -p rw -F uid!=0
# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any failed unauthorized access to root's home directory.
-w /root -p rw -F uid!=0 -F success=0
#Auditing configuration changes to the audit.conf and audit.rules files
-w /etc/audit.conf -k wa
-w /etc/audit.rules -k wa
#Ensure that the following system calls are audited for the current logged in
#user and for root
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
#Ensure that failed deletion of files and processes by anyone is audited
-a exit,always -F arch=b64 -S rmdir -S unlink -F success=0 -F exit!=-11
#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F exit!=-11
#Ensure that successful use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F exit!=-11
#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F exit!=-11
#Ensure that successful use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F exit!=-11
#Ensure that a failed login recorded by syslog to the faillog file is
#audited
-w /var/log/faillog -k wa
-w /var/log/lastlog -k wa
#Ensure that a login recorded by syslog to the appropriate file is
#audited
-w /var/log/wtmp -k wa
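Bill's underlying problem is mapping log volume back to individual rules, which is hard here because most of the posted rules carry no -k key, so their records show key=(null). The script below is an added example, not part of the thread or the audit package: it parses raw audit.log SYSCALL records and ranks them by key, falling back to (syscall, success, exit) for unkeyed records, which is exactly what a key-less -a exit rule filters on. The sample records and the x86_64 syscall-number table are constructed by me for the example.

```python
"""Rank audit rules by how many SYSCALL records they generate.

Added example: reads raw /var/log/audit/audit.log text and counts
SYSCALL records per rule key; unkeyed records are grouped by the
(syscall, success, exit) triple so they can still be matched to a rule.
"""
import re
from collections import Counter

# Constructed sample audit.log lines (timestamps, pids and paths are made up).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1295030400.001:101): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=200 auid=500 uid=500 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1295030400.001:101):  cwd="/home/bill"
type=PATH msg=audit(1295030400.001:101): item=0 name="/etc/shadow" inode=1 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1295030400.002:102): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=201 auid=4294967295 uid=0 comm="sh" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1295030400.003:103): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=202 auid=4294967295 uid=0 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1295030400.004:104): arch=c000003e syscall=62 success=yes exit=0 items=0 ppid=1 pid=203 auid=4294967295 uid=0 comm="init" exe="/sbin/init" key=(null)
type=SYSCALL msg=audit(1295030400.005:105): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=204 auid=500 uid=500 comm="less" exe="/usr/bin/less" key="access"
"""

# x86_64 (arch=b64) numbers for the syscalls named in the posted rules.
SYSCALL_NAMES = {"2": "open", "257": "openat", "59": "execve", "62": "kill",
                 "90": "chmod", "92": "chown", "94": "lchown",
                 "165": "mount", "166": "umount2", "41": "socket"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def rank_rules(log_text):
    """Return [(label, count), ...] sorted by descending record count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # CWD/PATH/... records belong to a SYSCALL already counted
        label = rec.get("key", "(null)")
        if label == "(null)":
            num = rec.get("syscall", "?")
            name = SYSCALL_NAMES.get(num, "syscall=" + num)
            label = "nokey %s success=%s exit=%s" % (
                name, rec.get("success"), rec.get("exit"))
        counts[label] += 1
    return counts.most_common()

if __name__ == "__main__":
    for label, n in rank_rules(SAMPLE_LOG):
        print("%6d  %s" % (n, label))
```

Run it against the real file with `rank_rules(open("/var/log/audit/audit.log").read())`; adding a distinct -k to each posted rule makes the ranking unambiguous.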