##
## This file contains a sample audit configuration. Combined with the
## system events that are audited by default, this set of rules causes
## audit to generate records for the auditable events specified by the
## Controlled Access Protection Profile (CAPP).
##
## It should be noted that this set of rules identifies directories by
## leaving a / at the end of the path. These need to be updated to be
## a watch for each file in that directory. This is because a watch on
## a directory only triggers when the directory's inode is updated with
## meta data. To have accurate events, a watch should be placed on each
## file. Because each installation is different, we leave that as a
## site customization.
##
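## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics.
-b 8192
## Set failure mode to panic. With -f 2 the kernel panics instead of
## dropping records when audit cannot keep up (for example when the
## backlog set above is exhausted). That is what CAPP calls for, but it
## takes the host down, so confirm it is acceptable for this site.
-f 2
##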
##
## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
##
## Directory watch (trailing /): as noted at the top of this file it
## fires on changes to the directory inode, not on every access to the
## files inside it. No -p is given, so the watch is not limited to a
## particular access type.
-w /var/log/audit/ -k LOG_audit
## Per-file watches - the site-customised form. Enable these, and extend
## the list to however many rotated log files this host keeps, once the
## file set is known.
#-w /var/log/audit/audit_log -k LOG_audit_log
#-w /var/log/audit/audit_log.1 -k LOG_audit_log
#-w /var/log/audit/audit_log.2 -k LOG_audit_log
#-w /var/log/audit/audit_log.3 -k LOG_audit_log
#-w /var/log/audit/audit_log.4 -k LOG_audit_log
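##
## FAU_SEL.1, FMT_MTD.1
## modifications to audit configuration that occur while the audit
## collection functions are operating; all modifications to the set of
## audited events
##
## One watch per line: each -w is its own rule, and two watches sharing a
## line load as one malformed rule (or not at all), silently leaving the
## audit configuration unwatched.
-w /etc/auditd.conf -k CFG_auditd.conf
-w /etc/audit.rules -k CFG_audit.rules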
##
## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
## all requests to perform an operation on an object covered by the
## SFP; all modifications of the values of security attributes;
## modifications to TSF data; attempts to revoke security attributes
##
## Objects covered by the Security Functional Policy (SFP) are:
## - File system objects (files, directories, special files, extended attributes)
## - IPC objects (SYSV shared memory, message queues, and semaphores)
## Operations on file system objects - by default, only monitor
## files and directories covered by filesystem watches. Replace
## "possible" with "always" to create audit records for all uses of this
## syscall.
## NOTE(review): the "entry" list and the "possible" action are the
## audit 1.x-era forms used throughout this file; newer auditctl releases
## warn about or reject them. Confirm the installed version accepts them
## (auditctl -l after loading) before trusting that these rules are
## active.
## NOTE(review): only the classic syscalls are listed. If the target
## kernel provides the *at variants (openat, mkdirat, unlinkat,
## renameat, ...), operations made through them are not covered by the
## rules below - verify and extend for the kernel in use.
## Changes in ownership and permissions
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32
## For x86_64,ia64 architectures, disable any *32 rules above
## (a syscall name unknown to the architecture will likely make the
## whole rule fail to load, so the other syscalls on that line would be
## lost too)
## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
## For x86_64,ia64 architectures, disable any *64 rules above
## directory operations
-a entry,possible -S mkdir -S rmdir
## moving, removing, and linking
-a entry,possible -S unlink -S rename -S link -S symlink
## Extended attribute operations
## Enable if you are interested in these events - combine where possible
#-a entry,always -S setxattr
#-a entry,always -S lsetxattr
#-a entry,always -S fsetxattr
#-a entry,always -S removexattr
#-a entry,always -S lremovexattr
#-a entry,always -S fremovexattr
## special files
-a entry,always -S mknod
## Other file system operations
## ("always" here: mount changes are recorded even when no watch matched)
-a entry,always -S mount -S umount -S umount2
## For x86_64 architecture, disable umount rule
## For ia64 architecture, disable umount2 rule
## SYSV message queues
## On x86 the SYSV IPC calls are multiplexed through ipc(); -F a0=N
## selects the sub-call named in the comment above each rule. On
## x86_64/ia64 the calls are separate syscalls and are matched by name.
## Enable if you are interested in these events (x86)
## msgctl
#-a entry,always -S ipc -F a0=14
## msgget
#-a entry,always -S ipc -F a0=13
## Enable if you are interested in these events (x86_64,ia64)
#-a entry,always -S msgctl
#-a entry,always -S msgget
## SYSV semaphores
## Enable if you are interested in these events (x86)
## semctl
#-a entry,always -S ipc -F a0=3
## semget
#-a entry,always -S ipc -F a0=2
## semop
#-a entry,always -S ipc -F a0=1
## semtimedop
#-a entry,always -S ipc -F a0=4
## Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S semctl
#-a entry,always -S semget
#-a entry,always -S semop
#-a entry,always -S semtimedop
## SYSV shared memory
## Enable if you are interested in these events (x86)
## shmctl
#-a entry,always -S ipc -F a0=24
## shmget
#-a entry,always -S ipc -F a0=23
## Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S shmctl
#-a entry,always -S shmget
##
## FIA_USB.1
## success and failure of binding user security attributes to a subject
##
## Enable if you are interested in these events
## (every process creation produces a record, so expect high volume)
##
#-a entry,always -S clone
#-a entry,always -S fork
#-a entry,always -S vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a entry,always -S clone2
##
## FMT_MSA.3
## modifications of the default setting of permissive or restrictive
## rules, all modifications of the initial value of security attributes
##
## Enable if you are interested in these events
## (umask is called by most shells and login programs, so this is noisy)
##
#-a entry,always -S umask
##
## FPT_STM.1
## changes to the time
## NOTE(review): clock_settime (and stime where the architecture has it)
## also set the system time and are not listed here; consider adding
## them if the installed kernel provides them.
##
-a entry,always -S adjtimex -S settimeofday
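##
## FTP_ITC.1
## set-up of trusted channel
##
## Two separate rules (they must not share a line): a watch on executions
## of the stunnel binary, and a "possible" execve rule, which - as
## described under FDP_ACF.1 - records the syscall only when a watch
## such as the one above has matched.
-w /usr/sbin/stunnel -p x
-a entry,possible -S execve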
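##
## Security Databases
##
## Every watch is on its own line (each -w is a separate rule). Watches
## without -p are not limited to a particular access type; those with
## -p wa record writes and attribute changes only. Directory watches
## (trailing /) only fire on the directory inode - see the note at the
## top of this file.
## at configuration & scheduled jobs
-w /var/spool/at -k LOG_at
-w /etc/at.allow -k CFG_at.allow
-w /etc/at.deny -k CFG_at.deny
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root
## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd
## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -k CFG_securetty
-w /var/log/faillog -k LOG_faillog
-w /var/log/lastlog -k LOG_lastlog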
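## network configuration
-w /etc/hosts -p wa -k CFG_hosts
## (no -k on this watch: its records cannot be selected with
## ausearch -k; add a key such as CFG_<name> if key searches are relied on)
-w /etc/sysconfig/
## system startup scripts
-w /etc/inittab -p wa -k CFG_inittab
## (no -k on this directory watch; the auditd script below has its own)
-w /etc/rc.d/init.d/
-w /etc/rc.d/init.d/auditd -p wa -k CFG_initd_auditd
## library search paths
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
## local time zone
-w /etc/localtime -p wa -k CFG_localtime
## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
## modprobe configuration
-w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
## pam configuration
## (no -k on this directory watch; see the note under network configuration)
-w /etc/pam.d/
## postfix configuration
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix
## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config
## stunnel configuration
-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
## vsftpd configuration
-w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
-w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf
## Not specifically required by CAPP; but common sense items
## (this one uses the exit list, unlike the entry rules above)
-a exit,always -S sethostname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net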
## Put your own watches after this point
# -w /your-file -p rwxa -k mykey