12:33 p.m.
Hi,
Posting this in case anyone has comments good or bad. This is aimed at current
upstream kernels as of 2.6.19 or later.
-Steve
##
## This file contains the a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192
## Audit 1, 1(a) (a) Enough information to determine the date and time
## of action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.
## changes to the time
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
## system locale
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k CFG_issue -k system-locale
-w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam
## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally
## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally
## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs
-w /var/log/audit/audit.log -k audit-logs
#-w /var/log/audit/audit.log.1 -k audit-logs
#-w /var/log/audit/audit.log.2 -k audit-logs
#-w /var/log/audit/audit.log.3 -k audit-logs
#-w /var/log/audit/audit.log.4 -k audit-logs
## Put your own watches after this point
# -w /your-file -p rwxa -k mykey
1:24 p.m.
On Thu, 1 Mar 2007 13:33:10 -0500
Steve Grubb <sgrubb(a)redhat.com> wrote:
Hi,
Posting this in case anyone has comments good or bad. This is aimed at current
upstream kernels as of 2.6.19 or later.
-Steve
Steve,
Wow... finally just getting to these. Just a couple quick comments below.
-tim
##
## This file contains the a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192
## Audit 1, 1(a) (a) Enough information to determine the date and time
## of action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.
## changes to the time
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
## system locale
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k CFG_issue -k system-locale
-w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
These are invalid rules due to the fact you specify -k twice, right? That
should probably be fixed since we're able to do things like '-S open -S
close'
and '-F exit=-13 -F perm=a'
[..]
## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
No system call specified...
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam
## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally
## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally
## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs
-w /var/log/audit/audit.log -k audit-logs
#-w /var/log/audit/audit.log.1 -k audit-logs
#-w /var/log/audit/audit.log.2 -k audit-logs
#-w /var/log/audit/audit.log.3 -k audit-logs
#-w /var/log/audit/audit.log.4 -k audit-logs
## Put your own watches after this point
# -w /your-file -p rwxa -k mykey
1:31 p.m.
On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
Wow... finally just getting to these. Just a couple quick comments
below.
The nispom.rules file has been updated several times since this was initially
posted.
> ## unsuccessful modifications
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> -a exit,always -S renameat -F exit=-13 -k mods
> -a exit,always -F perm=a -F exit=-13 -k mods
No system call specified...
That's what the magic of "perm" is. It selects all syscalls that match the
changing of attribute.
-Steve
4:45 p.m.
Steve,
I am a bit new at using mail lists, but I joined this one to get help on
setting up auditd for NISPOM chapter 8.
Below you say the nispom.rules has been updated several times. Where is the
latest version located?
In the nispom.rules version in your post in the archive, the comments said
several NISPOM audit requirements were met by other programs (1(b) by
patches to login, gdm, and openssh; 1(d) by patches to libpam; 1(e) & 1(f)
by patches to pam_tally). Can these patches be downloaded from somewhere?
Do the patches work with SuSE 10.1 or 10.2?
Sorry I come from a non-RH distro background. Our choice of SuSE came from
the long historic past. I rather not have to switch several machines to RH
in order to meet NISPOM requirements, but I could if absolutely necessary.
Brian K. Whatcott
Senior Software and Systems Engineer
Millennium Engineering Integration
(719) 264-4310, FAX (719) 264-4318
(719) 331-5100 (Cell)
bwhatcott(a)meicompany.com
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com]
On Behalf Of Steve Grubb
Sent: Friday, April 13, 2007 12:32 PM
To: Timothy R. Chavez
Cc: Linux Audit
Subject: Re: [RFC] NISPOM audit rules - first draft
On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
Wow... finally just getting to these. Just a couple quick comments
below.
The nispom.rules file has been updated several times since this was
initially posted.
> ## unsuccessful modifications
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k
> mods -a exit,always -S renameat -F exit=-13 -k mods -a exit,always
> -F perm=a -F exit=-13 -k mods
No system call specified...
That's what the magic of "perm" is. It selects all syscalls that match the
changing of attribute.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
4:54 p.m.
On Friday 13 April 2007 17:45, Brian K. Whatcott wrote:
Below you say the nispom.rules has been updated several times. Where
is
the latest version located?
You can download the latest source code, open the archive and copy
nispom.rules to wherever you needed it.
http://people.redhat.com/sgrubb/audit/audit-1.5.2.tar.gz
The configuration takes advantage of some newer features. So, it may or may
not work with the exact version of audit/kernel that you have.
In the nispom.rules version in your post in the archive, the comments
said
several NISPOM audit requirements were met by other programs (1(b) by
patches to login, gdm, and openssh; 1(d) by patches to libpam; 1(e) & 1(f)
by patches to pam_tally). Can these patches be downloaded from somewhere?
These patches have been sent upstream and hopefully your versions of those
apps are new enough to have the patches and audit is enabled for them. I did
not collect them up into one place, but rather tried to get them where they
ultimately needed to go so everyone benefits from the work. The one exception
might be util-linux which seems to be a dead project that each distro
maintains themselves.
Do the patches work with SuSE 10.1 or 10.2?
I don't know.
-Steve
3:41 p.m.
I downloaded the 1.5.2 source code, opened the archive and looked at the
nispom.rules. Two things:
1. auditd complained about using the -k (keyword) flag on lines that
were not file watch lines.
This could be a newer feature not supported by our audit subsystem (we
are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
if this is a general syntax problem or a
your-audit-version-doesn't-support-this problem ? Thanks.
2. We had two additional lines in out audit.rules to capture failed
chown, chgrp, and chmod:
-a exit,always -S 90 -F exit=-1
-a exit,always -S 92 -F exit=-1
I think these capture a few other events that aren't necessarily chown,
chmod, or chgrp, so there may be a savvier way to write this so to
exclude those extraneous items, but I haven't played with it. Let me
know if these are picked up elsewhere in the sample NISPOM rules. If
these actions aren't already being captured by another NISPOM audit
rule, you might consider adding them since failed attempts to chown,
chgrp, chmod are indications of someone possibly trying to open up
access to files they don't have rights to which would fall into the
"failed file access attempts" category.
Let me know what you think.
Thanks,
Karen Wieprecht
4:16 p.m.
On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
1. auditd complained about using the -k (keyword) flag on lines
that
were not file watch lines.
Yes, this was mentioned on IRC last week and fixed in my development copy. It
will be in 1.5.3.
This could be a newer feature not supported by our audit subsystem
(we
are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
if this is a general syntax problem or a
your-audit-version-doesn't-support-this problem ? Thanks.
1.5.2 does not work with RHEL4.
2. We had two additional lines in out audit.rules to capture failed
chown, chgrp, and chmod:
-a exit,always -S 90 -F exit=-1
-a exit,always -S 92 -F exit=-1
I think you want 90-94 on x86_64. I guess they do return -EPERM. The way that
we are doing this for 1.5.2 is using special syntax allowed by the newer
kernels:
-a exit,always -F perm=a -F exit=-13
This tells the kernel to select any syscall that changes file attributes. We
should probably add another line with -F exit=-1
If these actions aren't already being captured by another NISPOM
audit
rule, you might consider adding them since failed attempts to chown,
chgrp, chmod are indications of someone possibly trying to open up
access to files they don't have rights to which would fall into the
"failed file access attempts" category.
Yep, I'll add a line.
-Steve
6457
days inactive
6505
days old
linux-audit@lists.linux-audit.osci.io
6 comments
4 participants
participants (4)
-
Brian K. Whatcott -
Steve Grubb -
Timothy R. Chavez -
Wieprecht, Karen M.