|
|
5fd106 |
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
|
|
5fd106 |
index 09dc1566bbf..26c7eea79d1 100644
|
|
|
5fd106 |
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
|
|
5fd106 |
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
|
|
5fd106 |
@@ -6,10 +6,10 @@ title: 'Configure auditing of unsuccessful file accesses'
|
|
|
5fd106 |
|
|
|
5fd106 |
{{% set file_contents_audit_access_failed =
|
|
|
5fd106 |
"## Unsuccessful file access (any other opens) This has to go last.
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
|
|
|
5fd106 |
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
|
|
|
5fd106 |
|
|
|
5fd106 |
description: |-
|
|
|
5fd106 |
Ensure that unsuccessful attempts to access a file are audited.
|
|
|
5fd106 |
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
|
|
5fd106 |
index 5ce9fe6799c..262cf290ec0 100644
|
|
|
5fd106 |
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
|
|
5fd106 |
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
|
|
5fd106 |
@@ -7,8 +7,8 @@ title: 'Configure auditing of successful file accesses'
|
|
|
5fd106 |
{{% set file_contents_audit_access_success =
|
|
|
5fd106 |
"## Successful file access (any other opens) This has to go last.
|
|
|
5fd106 |
## These next two are likely to result in a whole lot of events
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
|
|
|
5fd106 |
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
|
|
|
5fd106 |
|
|
|
5fd106 |
description: |-
|
|
|
5fd106 |
Ensure that successful attempts to access a file are audited.
|
|
|
5fd106 |
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
|
|
5fd106 |
index e37291c68a1..bdc59faa5f7 100644
|
|
|
5fd106 |
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
|
|
5fd106 |
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
|
|
5fd106 |
@@ -4,7 +4,7 @@ prodtype: ol8,rhcos4,rhel8,rhel9
|
|
|
5fd106 |
|
|
|
5fd106 |
title: 'Perform general configuration of Audit for OSPP'
|
|
|
5fd106 |
|
|
|
5fd106 |
-{{% if product == "rhel9" %}}
|
|
|
5fd106 |
+
|
|
|
5fd106 |
{{% set file_contents_audit_ospp_general =
|
|
|
5fd106 |
"## The purpose of these rules is to meet the requirements for Operating
|
|
|
5fd106 |
## System Protection Profile (OSPP)v4.2. These rules depends on having
|
|
|
5fd106 |
@@ -90,89 +90,7 @@ title: 'Perform general configuration of Audit for OSPP'
|
|
|
5fd106 |
## state results from that policy. This would be handled entirely by
|
|
|
5fd106 |
## that daemon.
|
|
|
5fd106 |
" %}}
|
|
|
5fd106 |
-{{% else %}}
|
|
|
5fd106 |
-{{% set file_contents_audit_ospp_general =
|
|
|
5fd106 |
-"## The purpose of these rules is to meet the requirements for Operating
|
|
|
5fd106 |
-## System Protection Profile (OSPP)v4.2. These rules depends on having
|
|
|
5fd106 |
-## the following rule files copied to /etc/audit/rules.d:
|
|
|
5fd106 |
-##
|
|
|
5fd106 |
-## 10-base-config.rules, 11-loginuid.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-5-perm-change-failed.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-5-perm-change-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-6-owner-change-failed.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-6-owner-change-success.rules
|
|
|
5fd106 |
-##
|
|
|
5fd106 |
-## original copies may be found in /usr/share/audit/sample-rules/
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## User add delete modify. This is covered by pam. However, someone could
|
|
|
5fd106 |
-## open a file and directly create or modify a user, so we'll watch passwd and
|
|
|
5fd106 |
-## shadow for writes
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## User enable and disable. This is entirely handled by pam.
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Group add delete modify. This is covered by pam. However, someone could
|
|
|
5fd106 |
-## open a file and directly create or modify a user, so we'll watch group and
|
|
|
5fd106 |
-## gshadow for writes
|
|
|
5fd106 |
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
|
|
5fd106 |
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
|
|
5fd106 |
-
|
|
|
5fd106 |
|
|
|
5fd106 |
-## Use of special rights for config changes. This would be use of setuid
|
|
|
5fd106 |
-## programs that relate to user accts. This is not all setuid apps because
|
|
|
5fd106 |
-## requirements are only for ones that affect system configuration.
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Privilege escalation via su or sudo. This is entirely handled by pam.
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Audit log access
|
|
|
5fd106 |
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
|
|
5fd106 |
-## Attempts to Alter Process and Session Initiation Information
|
|
|
5fd106 |
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
|
5fd106 |
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
|
5fd106 |
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Attempts to modify MAC controls
|
|
|
5fd106 |
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Software updates. This is entirely handled by rpm.
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## System start and shutdown. This is entirely handled by systemd
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Kernel Module loading. This is handled in 43-module-load.rules
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Application invocation. The requirements list an optional requirement
|
|
|
5fd106 |
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
|
|
|
5fd106 |
-## state results from that policy. This would be handled entirely by
|
|
|
5fd106 |
-## that daemon.
|
|
|
5fd106 |
-" %}}
|
|
|
5fd106 |
-{{% endif %}}
|
|
|
5fd106 |
|
|
|
5fd106 |
description: |-
|
|
|
5fd106 |
Configure some basic <tt>Audit</tt> parameters specific for OSPP profile.
|
|
|
5fd106 |
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
|
|
|
5fd106 |
index ffe2344db56..c59e7e5e1f2 100644
|
|
|
5fd106 |
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
|
|
|
5fd106 |
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
|
|
|
5fd106 |
@@ -1,3 +1,3 @@
|
|
|
5fd106 |
-# platform = Red Hat Enterprise Linux 8
|
|
|
5fd106 |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
|
|
5fd106 |
|
|
|
5fd106 |
cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/
|
|
|
5fd106 |
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh
|
|
|
5fd106 |
deleted file mode 100644
|
|
|
5fd106 |
index 96ef5ae0a23..00000000000
|
|
|
5fd106 |
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh
|
|
|
5fd106 |
+++ /dev/null
|
|
|
5fd106 |
@@ -1,3 +0,0 @@
|
|
|
5fd106 |
-# platform = Red Hat Enterprise Linux 9
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-cp $SHARED/audit/30-ospp-v42_rhel9.rules /etc/audit/rules.d/30-ospp-v42.rules
|
|
|
5fd106 |
diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
|
|
|
5fd106 |
index a5aad3a95ce..39ac7a883ca 100644
|
|
|
5fd106 |
--- a/tests/shared/audit/30-ospp-v42-3-access-failed.rules
|
|
|
5fd106 |
+++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
|
|
|
5fd106 |
@@ -1,5 +1,5 @@
|
|
|
5fd106 |
## Unsuccessful file access (any other opens) This has to go last.
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
|
|
5fd106 |
diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules
|
|
|
5fd106 |
index 0c8a6b65760..79004ce0c21 100644
|
|
|
5fd106 |
--- a/tests/shared/audit/30-ospp-v42-3-access-success.rules
|
|
|
5fd106 |
+++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules
|
|
|
5fd106 |
@@ -1,4 +1,4 @@
|
|
|
5fd106 |
## Successful file access (any other opens) This has to go last.
|
|
|
5fd106 |
## These next two are likely to result in a whole lot of events
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
|
|
5fd106 |
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
|
|
5fd106 |
diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules
|
|
|
5fd106 |
index 3dced17255c..2d3c48265b6 100644
|
|
|
5fd106 |
--- a/tests/shared/audit/30-ospp-v42.rules
|
|
|
5fd106 |
+++ b/tests/shared/audit/30-ospp-v42.rules
|
|
|
5fd106 |
@@ -57,6 +57,10 @@
|
|
|
5fd106 |
|
|
|
5fd106 |
## Privilege escalation via su or sudo. This is entirely handled by pam.
|
|
|
5fd106 |
|
|
|
5fd106 |
+## Watch for configuration changes to privilege escalation.
|
|
|
5fd106 |
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
|
|
|
5fd106 |
+-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
|
|
|
5fd106 |
+
|
|
|
5fd106 |
## Audit log access
|
|
|
5fd106 |
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
|
|
5fd106 |
## Attempts to Alter Process and Session Initiation Information
|
|
|
5fd106 |
diff --git a/tests/shared/audit/30-ospp-v42_rhel9.rules b/tests/shared/audit/30-ospp-v42_rhel9.rules
|
|
|
5fd106 |
deleted file mode 100644
|
|
|
5fd106 |
index 2d3c48265b6..00000000000
|
|
|
5fd106 |
--- a/tests/shared/audit/30-ospp-v42_rhel9.rules
|
|
|
5fd106 |
+++ /dev/null
|
|
|
5fd106 |
@@ -1,84 +0,0 @@
|
|
|
5fd106 |
-## The purpose of these rules is to meet the requirements for Operating
|
|
|
5fd106 |
-## System Protection Profile (OSPP)v4.2. These rules depends on having
|
|
|
5fd106 |
-## the following rule files copied to /etc/audit/rules.d:
|
|
|
5fd106 |
-##
|
|
|
5fd106 |
-## 10-base-config.rules, 11-loginuid.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-5-perm-change-failed.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-5-perm-change-success.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-6-owner-change-failed.rules,
|
|
|
5fd106 |
-## 30-ospp-v42-6-owner-change-success.rules
|
|
|
5fd106 |
-##
|
|
|
5fd106 |
-## original copies may be found in /usr/share/audit/sample-rules/
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## User add delete modify. This is covered by pam. However, someone could
|
|
|
5fd106 |
-## open a file and directly create or modify a user, so we'll watch passwd and
|
|
|
5fd106 |
-## shadow for writes
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## User enable and disable. This is entirely handled by pam.
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Group add delete modify. This is covered by pam. However, someone could
|
|
|
5fd106 |
-## open a file and directly create or modify a user, so we'll watch group and
|
|
|
5fd106 |
-## gshadow for writes
|
|
|
5fd106 |
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
|
|
5fd106 |
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
|
|
5fd106 |
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Use of special rights for config changes. This would be use of setuid
|
|
|
5fd106 |
-## programs that relate to user accts. This is not all setuid apps because
|
|
|
5fd106 |
-## requirements are only for ones that affect system configuration.
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Privilege escalation via su or sudo. This is entirely handled by pam.
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Watch for configuration changes to privilege escalation.
|
|
|
5fd106 |
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
|
|
|
5fd106 |
--a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Audit log access
|
|
|
5fd106 |
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
|
|
5fd106 |
-## Attempts to Alter Process and Session Initiation Information
|
|
|
5fd106 |
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
|
5fd106 |
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
|
5fd106 |
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Attempts to modify MAC controls
|
|
|
5fd106 |
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Software updates. This is entirely handled by rpm.
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## System start and shutdown. This is entirely handled by systemd
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Kernel Module loading. This is handled in 43-module-load.rules
|
|
|
5fd106 |
-
|
|
|
5fd106 |
-## Application invocation. The requirements list an optional requirement
|
|
|
5fd106 |
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
|
|
|
5fd106 |
-## state results from that policy. This would be handled entirely by
|
|
|
5fd106 |
-## that daemon.
|
|
|
5fd106 |
-
|