diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile
|
|
|
575137 |
index f13f97a537..877caff01a 100644
|
|
|
575137 |
--- a/fedora/profiles/ospp.profile
|
|
|
575137 |
+++ b/fedora/profiles/ospp.profile
|
|
|
575137 |
@@ -198,6 +198,12 @@ selections:
|
|
|
575137 |
- audit_rules_etc_group_open
|
|
|
575137 |
- audit_rules_etc_group_openat
|
|
|
575137 |
- audit_rules_etc_group_open_by_handle_at
|
|
|
575137 |
+ - audit_rules_etc_shadow_open
|
|
|
575137 |
+ - audit_rules_etc_shadow_openat
|
|
|
575137 |
+ - audit_rules_etc_shadow_open_by_handle_at
|
|
|
575137 |
+ - audit_rules_etc_gshadow_open
|
|
|
575137 |
+ - audit_rules_etc_gshadow_openat
|
|
|
575137 |
+ - audit_rules_etc_gshadow_open_by_handle_at
|
|
|
575137 |
- package_abrt_removed
|
|
|
575137 |
- package_sendmail_removed
|
|
|
575137 |
- mount_option_dev_shm_nodev
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
|
|
|
575137 |
index a80c7dab8c..103a445cd3 100644
|
|
|
575137 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
|
|
|
575137 |
@@ -14,6 +14,8 @@ description: |-
|
|
|
575137 |
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
<tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
|
|
|
575137 |
rationale: |-
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
|
|
|
575137 |
index 6181ad50f1..bb47451c46 100644
|
|
|
575137 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
|
|
|
575137 |
@@ -14,6 +14,8 @@ description: |-
|
|
|
575137 |
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
<tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
|
|
|
575137 |
rationale: |-
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
|
|
|
575137 |
index 9a69643a34..8d9aa4d97c 100644
|
|
|
575137 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
|
|
|
575137 |
@@ -14,6 +14,8 @@ description: |-
|
|
|
575137 |
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
<tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
|
|
|
575137 |
rationale: |-
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml
|
|
|
575137 |
new file mode 100644
|
|
|
575137 |
index 0000000000..a9934fbe7e
|
|
|
575137 |
--- /dev/null
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml
|
|
|
575137 |
@@ -0,0 +1,41 @@
|
|
|
575137 |
+documentation_complete: true
|
|
|
575137 |
+
|
|
|
575137 |
+prodtype: rhel7,rhel8,fedora,ol7,ol8
|
|
|
575137 |
+
|
|
|
575137 |
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/gshadow'
|
|
|
575137 |
+
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ The audit system should collect write events to /etc/gshadow file for all users and root.
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
575137 |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
575137 |
+ startup (the default), add the following lines to a file with suffix
|
|
|
575137 |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
+ -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+
|
|
|
575137 |
+rationale: |-
|
|
|
575137 |
+ Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
|
|
|
575137 |
+ Auditing these events could serve as evidence of potential system compromise.
|
|
|
575137 |
+
|
|
|
575137 |
+severity: medium
|
|
|
575137 |
+
|
|
|
575137 |
+identifiers:
|
|
|
575137 |
+ cce@rhel8: 80959-0
|
|
|
575137 |
+
|
|
|
575137 |
+references:
|
|
|
575137 |
+ ospp: FAU_GEN.1.1.c
|
|
|
575137 |
+
|
|
|
575137 |
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
|
|
|
575137 |
+
|
|
|
575137 |
+warnings:
|
|
|
575137 |
+ - general: |-
|
|
|
575137 |
+ Note that these rules can be configured in a
|
|
|
575137 |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
575137 |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
575137 |
+ to the same event is more efficient. See the following example:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
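Review bot: The augenrules instructions at L371 give only the `arch=b32` rule, while the auditctl section right below adds the 64-bit note and the `arch=b64` line, so a 64-bit host that follows the default rules.d path records no 64-bit `open` calls on /etc/gshadow at all. Add `If the system is 64 bit then also add the following line:` followed by `-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify` after the rules.d rule as well. The rationale speaks of "Creation of users", but /etc/gshadow holds group passwords and group administrators, so `Modification of group passwords or group membership through direct edition of /etc/gshadow` is the accurate wording. The warnings text promises a grouped example and then shows the single `-S open` rule again; note that `open` cannot simply be merged into the openat/open_by_handle_at group because its flags argument is a1, not a2, so either show a real grouping or drop the sentence.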
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml
|
|
|
575137 |
new file mode 100644
|
|
|
575137 |
index 0000000000..7a4861b3fc
|
|
|
575137 |
--- /dev/null
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml
|
|
|
575137 |
@@ -0,0 +1,41 @@
|
|
|
575137 |
+documentation_complete: true
|
|
|
575137 |
+
|
|
|
575137 |
+prodtype: rhel7,rhel8,fedora,ol7,ol8
|
|
|
575137 |
+
|
|
|
575137 |
+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow'
|
|
|
575137 |
+
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ The audit system should collect write events to /etc/gshadow file for all users and root.
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
575137 |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
575137 |
+ startup (the default), add the following lines to a file with suffix
|
|
|
575137 |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+
|
|
|
575137 |
+rationale: |-
|
|
|
575137 |
+ Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
|
|
|
575137 |
+ Auditing these events could serve as evidence of potential system compromise.
|
|
|
575137 |
+
|
|
|
575137 |
+severity: medium
|
|
|
575137 |
+
|
|
|
575137 |
+identifiers:
|
|
|
575137 |
+ cce@rhel8: 80960-8
|
|
|
575137 |
+
|
|
|
575137 |
+references:
|
|
|
575137 |
+ ospp: FAU_GEN.1.1.c
|
|
|
575137 |
+
|
|
|
575137 |
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
|
|
|
575137 |
+
|
|
|
575137 |
+warnings:
|
|
|
575137 |
+ - general: |-
|
|
|
575137 |
+ Note that these rules can be configured in a
|
|
|
575137 |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
575137 |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
575137 |
+ to the same event is more efficient. See the following example:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
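Review bot: The new rule uses `-F key=user-modify` (L606, L626, L636, L746) while the /etc/group and /etc/passwd rules edited in this same commit use `-F key=modify` (L193, L1090), so an analyst doing `ausearch -k` for account-database writes has to know two keys for the same class of event; pick one key for all six files or document why shadow/gshadow are keyed differently. The rules.d section at L606 also lacks the 64-bit note and the `arch=b64` rule that the auditctl section carries, so the default augenrules path misses 64-bit `open_by_handle_at` calls. The description's "for all users and root" overstates what the rule captures: `-F auid>={{{ auid }}} -F auid!=unset` excludes a direct root login (auid 0) and any process without a login uid, so a phrase such as `for all login sessions whose login UID is at or above {{{ auid }}}` would be honest.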
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml
|
|
|
575137 |
new file mode 100644
|
|
|
575137 |
index 0000000000..437fb61299
|
|
|
575137 |
--- /dev/null
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml
|
|
|
575137 |
@@ -0,0 +1,41 @@
|
|
|
575137 |
+documentation_complete: true
|
|
|
575137 |
+
|
|
|
575137 |
+prodtype: rhel7,rhel8,fedora,ol7,ol8
|
|
|
575137 |
+
|
|
|
575137 |
+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/gshadow'
|
|
|
575137 |
+
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ The audit system should collect write events to /etc/gshadow file for all users and root.
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
575137 |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
575137 |
+ startup (the default), add the following lines to a file with suffix
|
|
|
575137 |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
+ -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+
|
|
|
575137 |
+rationale: |-
|
|
|
575137 |
+ Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
|
|
|
575137 |
+ Auditing these events could serve as evidence of potential system compromise.
|
|
|
575137 |
+
|
|
|
575137 |
+severity: medium
|
|
|
575137 |
+
|
|
|
575137 |
+identifiers:
|
|
|
575137 |
+ cce@rhel8: 80961-6
|
|
|
575137 |
+
|
|
|
575137 |
+references:
|
|
|
575137 |
+ ospp: FAU_GEN.1.1.c
|
|
|
575137 |
+
|
|
|
575137 |
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
|
|
|
575137 |
+
|
|
|
575137 |
+warnings:
|
|
|
575137 |
+ - general: |-
|
|
|
575137 |
+ Note that these rules can be configured in a
|
|
|
575137 |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
575137 |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
575137 |
+ to the same event is more efficient. See the following example:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
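Review bot: The rules.d instructions at L841 stop after the `arch=b32` rule, whereas the auditctl block at L861-L871 adds "If the system is 64 bit then also add the following line:" and the `arch=b64` rule; since augenrules is described as the default, most 64-bit deployments following this text will not audit 64-bit `openat` on /etc/gshadow. Add the same 64-bit note and `-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify` line to the rules.d section. `prodtype` lists rhel7 and ol7 but `identifiers` carries only `cce@rhel8`, so the RHEL 7 build of this rule will have no CCE; either add one for rhel7 or note that it is intentionally unassigned. The rationale's "Creation of users" does not fit /etc/gshadow, which stores group passwords and administrators rather than user accounts.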
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
|
|
|
575137 |
index 630b03b1b4..acb517fbc0 100644
|
|
|
575137 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
|
|
|
575137 |
@@ -14,6 +14,8 @@ description: |-
|
|
|
575137 |
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
<tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
|
|
|
575137 |
rationale: |-
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
|
|
|
575137 |
index f1b9fbcd17..7b7fc43304 100644
|
|
|
575137 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
|
|
|
575137 |
@@ -14,6 +14,8 @@ description: |-
|
|
|
575137 |
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
<tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
|
|
|
575137 |
rationale: |-
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
|
|
|
575137 |
index 5460009264..2275152fd0 100644
|
|
|
575137 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
|
|
|
575137 |
@@ -14,6 +14,8 @@ description: |-
|
|
|
575137 |
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
<tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
|
|
|
575137 |
|
|
|
575137 |
rationale: |-
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml
|
|
|
575137 |
new file mode 100644
|
|
|
575137 |
index 0000000000..0755d2487b
|
|
|
575137 |
--- /dev/null
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml
|
|
|
575137 |
@@ -0,0 +1,41 @@
|
|
|
575137 |
+documentation_complete: true
|
|
|
575137 |
+
|
|
|
575137 |
+prodtype: rhel7,rhel8,fedora,ol7,ol8
|
|
|
575137 |
+
|
|
|
575137 |
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/shadow'
|
|
|
575137 |
+
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ The audit system should collect write events to /etc/shadow file for all users and root.
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
575137 |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
575137 |
+ startup (the default), add the following lines to a file with suffix
|
|
|
575137 |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
+ -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+
|
|
|
575137 |
+rationale: |-
|
|
|
575137 |
+ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
|
|
|
575137 |
+ Auditing these events could serve as evidence of potential system compromise.
|
|
|
575137 |
+
|
|
|
575137 |
+severity: medium
|
|
|
575137 |
+
|
|
|
575137 |
+identifiers:
|
|
|
575137 |
+ cce@rhel8: 80956-6
|
|
|
575137 |
+
|
|
|
575137 |
+references:
|
|
|
575137 |
+ ospp: FAU_GEN.1.1.c
|
|
|
575137 |
+
|
|
|
575137 |
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
|
|
|
575137 |
+
|
|
|
575137 |
+warnings:
|
|
|
575137 |
+ - general: |-
|
|
|
575137 |
+ Note that these rules can be configured in a
|
|
|
575137 |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
575137 |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
575137 |
+ to the same event is more efficient. See the following example:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
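Review bot: The grouped example at L1408 applies `-F a1&03` to `openat` and `open_by_handle_at`, but for those two syscalls the flags live in a2 (this commit's own rules at L1738 and L1503, and the CSV rows at L2098/L2103); a1 is the pathname or handle pointer, so the mask would test pointer bits and the rule would both miss write-opens and fire on reads. Grouping has to follow the flag position: `-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow ...` and `-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow ...`. The rules.d section at L1268 also omits the 64-bit note and `arch=b64` rule that the auditctl section includes, so the default augenrules path leaves 64-bit `open` calls on /etc/shadow unaudited.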
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml
|
|
|
575137 |
new file mode 100644
|
|
|
575137 |
index 0000000000..f5446b7c31
|
|
|
575137 |
--- /dev/null
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml
|
|
|
575137 |
@@ -0,0 +1,41 @@
|
|
|
575137 |
+documentation_complete: true
|
|
|
575137 |
+
|
|
|
575137 |
+prodtype: rhel7,rhel8,fedora,ol7,ol8
|
|
|
575137 |
+
|
|
|
575137 |
+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow'
|
|
|
575137 |
+
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ The audit system should collect write events to /etc/shadow file for all users and root.
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
575137 |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
575137 |
+ startup (the default), add the following lines to a file with suffix
|
|
|
575137 |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+
|
|
|
575137 |
+rationale: |-
|
|
|
575137 |
+ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
|
|
|
575137 |
+ Auditing these events could serve as evidence of potential system compromise.
|
|
|
575137 |
+
|
|
|
575137 |
+severity: medium
|
|
|
575137 |
+
|
|
|
575137 |
+identifiers:
|
|
|
575137 |
+ cce@rhel8: 80957-4
|
|
|
575137 |
+
|
|
|
575137 |
+references:
|
|
|
575137 |
+ ospp: FAU_GEN.1.1.c
|
|
|
575137 |
+
|
|
|
575137 |
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
|
|
|
575137 |
+
|
|
|
575137 |
+warnings:
|
|
|
575137 |
+ - general: |-
|
|
|
575137 |
+ Note that these rules can be configured in a
|
|
|
575137 |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
575137 |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
575137 |
+ to the same event is more efficient. See the following example:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
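Review bot: The grouped example at L1643 puts `open` under `-F a2&03`, but for `open` a2 is the mode argument (only meaningful with O_CREAT) while the flags are in a1, as this commit's own /etc/shadow `open` rule at L1268 and the CSV row at L2093 show; a plain write-open of /etc/shadow would therefore be matched on whatever mode value the caller passed rather than on O_WRONLY/O_RDWR. Keep the a2 group to the two syscalls that share that position: `-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify`. The rules.d instructions at L1503 also lack the "If the system is 64 bit" note and the `arch=b64` line present in the auditctl section, so the default augenrules path misses 64-bit `open_by_handle_at` on /etc/shadow.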
|
|
|
575137 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml
|
|
|
575137 |
new file mode 100644
|
|
|
575137 |
index 0000000000..b68b0ae19a
|
|
|
575137 |
--- /dev/null
|
|
|
575137 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml
|
|
|
575137 |
@@ -0,0 +1,41 @@
|
|
|
575137 |
+documentation_complete: true
|
|
|
575137 |
+
|
|
|
575137 |
+prodtype: rhel7,rhel8,fedora,ol7,ol8
|
|
|
575137 |
+
|
|
|
575137 |
+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/shadow'
|
|
|
575137 |
+
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ The audit system should collect write events to /etc/shadow file for all users and root.
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
575137 |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
575137 |
+ startup (the default), add the following lines to a file with suffix
|
|
|
575137 |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
575137 |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
575137 |
+ <tt>/etc/audit/audit.rules</tt> file:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+ If the system is 64 bit then also add the following line:
|
|
|
575137 |
+ -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
|
|
575137 |
+
|
|
|
575137 |
+rationale: |-
|
|
|
575137 |
+ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
|
|
|
575137 |
+ Auditing these events could serve as evidence of potential system compromise.
|
|
|
575137 |
+
|
|
|
575137 |
+severity: medium
|
|
|
575137 |
+
|
|
|
575137 |
+identifiers:
|
|
|
575137 |
+ cce@rhel8: 80958-2
|
|
|
575137 |
+
|
|
|
575137 |
+references:
|
|
|
575137 |
+ ospp: FAU_GEN.1.1.c
|
|
|
575137 |
+
|
|
|
575137 |
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
|
|
|
575137 |
+
|
|
|
575137 |
+warnings:
|
|
|
575137 |
+ - general: |-
|
|
|
575137 |
+ Note that these rules can be configured in a
|
|
|
575137 |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
575137 |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
575137 |
+ to the same event is more efficient. See the following example:
|
|
|
575137 |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
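Review bot: The example at L1878 groups `open` with `openat` and `open_by_handle_at` under a single `-F a2&03`, which is wrong for `open` because its flags are a1 (L1268, CSV L2093) and a2 is the mode; the "more efficient" form shown would silently weaken coverage of the syscall it was meant to include. Restrict the group to the syscalls whose flags are in a2, `-S openat,open_by_handle_at -F a2&03`, and keep `open` as its own `-F a1&03` rule. The description at L1713 claims write events are collected "for all users and root", yet `-F auid>={{{ auid }}} -F auid!=unset` excludes a direct root login (auid 0) and processes with no login uid, so the text should say it covers sessions whose login UID is at or above the configured threshold. The rules.d section at L1738 also omits the `arch=b64` rule and the 64-bit note that the auditctl section carries.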
|
|
|
575137 |
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
|
|
|
575137 |
index e2173c973b..f3a5072f04 100644
|
|
|
575137 |
--- a/rhel7/profiles/ospp42.profile
|
|
|
575137 |
+++ b/rhel7/profiles/ospp42.profile
|
|
|
575137 |
@@ -197,6 +197,12 @@ selections:
|
|
|
575137 |
- audit_rules_etc_group_open
|
|
|
575137 |
- audit_rules_etc_group_openat
|
|
|
575137 |
- audit_rules_etc_group_open_by_handle_at
|
|
|
575137 |
+ - audit_rules_etc_shadow_open
|
|
|
575137 |
+ - audit_rules_etc_shadow_openat
|
|
|
575137 |
+ - audit_rules_etc_shadow_open_by_handle_at
|
|
|
575137 |
+ - audit_rules_etc_gshadow_open
|
|
|
575137 |
+ - audit_rules_etc_gshadow_openat
|
|
|
575137 |
+ - audit_rules_etc_gshadow_open_by_handle_at
|
|
|
575137 |
- package_abrt_removed
|
|
|
575137 |
- package_sendmail_removed
|
|
|
575137 |
- mount_option_dev_shm_nodev
|
|
|
575137 |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
575137 |
index 3c6e1931e1..cd9e90e981 100644
|
|
|
575137 |
--- a/rhel8/profiles/ospp.profile
|
|
|
575137 |
+++ b/rhel8/profiles/ospp.profile
|
|
|
575137 |
@@ -170,6 +170,12 @@ selections:
|
|
|
575137 |
- audit_rules_usergroup_modification_opasswd
|
|
|
575137 |
- audit_rules_usergroup_modification_passwd
|
|
|
575137 |
- audit_rules_usergroup_modification_shadow
|
|
|
575137 |
+ - audit_rules_etc_shadow_open
|
|
|
575137 |
+ - audit_rules_etc_shadow_openat
|
|
|
575137 |
+ - audit_rules_etc_shadow_open_by_handle_at
|
|
|
575137 |
+ - audit_rules_etc_gshadow_open
|
|
|
575137 |
+ - audit_rules_etc_gshadow_openat
|
|
|
575137 |
+ - audit_rules_etc_gshadow_open_by_handle_at
|
|
|
575137 |
- audit_rules_privileged_commands_sudoedit
|
|
|
575137 |
- audit_rules_privileged_commands_sudo
|
|
|
575137 |
- audit_rules_privileged_commands_su
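Review bot: The six new selections sit two lines below `audit_rules_usergroup_modification_shadow` (L2003), which, if it is the usual `-w /etc/shadow -p wa` watch, already records every write to /etc/shadow; the new syscall rules then log the same write a second time under `key=user-modify`, doubling event volume for a file that is rarely written. If the intent is to replace the watch-based rule for OSPP, drop the `audit_rules_usergroup_modification_shadow` selection here; if both are intended, a one-line comment in the profile such as `# syscall rules complement the -w watch: they record the opening process and flags, the watch records the write` would make the overlap deliberate rather than accidental. I cannot see the watch rule's content from this hunk, so confirm its `-p` permissions before removing it.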
|
|
|
575137 |
diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv
|
|
|
575137 |
index 3738369e7e..825025e2f7 100644
|
|
|
575137 |
--- a/shared/templates/csv/audit_rules_path_syscall.csv
|
|
|
575137 |
+++ b/shared/templates/csv/audit_rules_path_syscall.csv
|
|
|
575137 |
@@ -10,3 +10,9 @@
|
|
|
575137 |
/etc/group,open,a1
|
|
|
575137 |
/etc/group,openat,a2
|
|
|
575137 |
/etc/group,open_by_handle_at,a2
|
|
|
575137 |
+/etc/shadow,open,a1
|
|
|
575137 |
+/etc/shadow,openat,a2
|
|
|
575137 |
+/etc/shadow,open_by_handle_at,a2
|
|
|
575137 |
+/etc/gshadow,open,a1
|
|
|
575137 |
+/etc/gshadow,openat,a2
|
|
|
575137 |
+/etc/gshadow,open_by_handle_at,a2
|