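## The purpose of these rules is to meet the STIG auditing requirements.
## These rules depend on having 10-base-config.rules & 99-finalize.rules
## (augenrules loads the *.rules files in lexical order, so the numeric
## prefix decides what runs before and after this file).
##
## Syntax reminders for the rules below:
##   -w PATH -p wa      watch PATH for writes (w) and attribute changes (a)
##   -a always,exit     syscall rule evaluated on syscall exit
##   -k KEY / -F key=KEY  same thing; search results with: ausearch -k KEY
##
## 1) If this is being used on a 32 bit machine, comment out the b64 lines.
## 2) These rules assume that login under the root account is not allowed.
## 3) It is also assumed that 1000 represents the first usable user account. To
##    be sure, look at UID_MIN in /etc/login.defs.
##    IMS uses 500 as the first usable account.
##    NOTE(review): no rule in this file filters on auid, so this value is
##    only relevant if you narrow the syscall rules to real users with the
##    usual STIG form (-F auid>=1000 -F auid!=unset).
## 4) If these rules generate too much spurious data for your tastes, limit
##    the syscall file rules with a directory, like -F dir=/etc
## 5) You can search for the results on the key fields in the rules.

## (GEN002880: CAT II) The IAO will ensure the auditing software can
## record the following for each audit event:
##- Date and time of the event
##- Userid that initiated the event
##- Type of event
##- Success or failure of the event
##- For I&A events, the origin of the request (e.g., terminal ID)
##- For events that introduce an object into a user's address space, and
##  for object deletion events, the name of the object, and in MLS
##  systems, the object's security level.

## Things that could affect time
## stime only exists on 32-bit ABIs, which is why it is on the b32 line only.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
## a0=0x0 limits clock_settime to clockid 0 (CLOCK_REALTIME); setting any
## other clock is not recorded by these two rules.
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-w /etc/localtime -p wa -k time-change

## Things that affect identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

## Privilege changes are keyed per ABI so 32-bit callers stand out in searches.
## Only setuid/setgid themselves are listed; the setre*/setres*/setfs*
## variants are not covered by these four rules.
-a always,exit -F arch=b32 -S setuid -F key=32bit_setuid
-a always,exit -F arch=b64 -S setuid -F key=64bit_setuid
-a always,exit -F arch=b32 -S setgid -F key=32bit_setgid
-a always,exit -F arch=b64 -S setgid -F key=64bit_setgid

## Things that could affect system locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
## The /etc/sysconfig paths are Red Hat style; adjust them if your
## distribution keeps its network configuration elsewhere.
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
## -F dir= watches the whole tree recursively, unlike a plain -w on a directory.
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

## Things that could affect MAC policy
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -F key=MAC-policy

## (GEN002900: CAT III) The IAO will ensure audit files are retained at
## least one year; systems containing SAMI will be retained for five years.

## Site action - no action in config files

## (GEN002920: CAT III) The IAO will ensure audit files are backed up
## no less than weekly onto a different system than the system being
## audited or backup media.

## Can be done with cron script

## (GEN002700: CAT I) (Previously - G095) The SA will ensure audit data
## files have permissions of 640, or more restrictive.

## Done automatically by auditd

## (GEN002720-GEN002840: CAT II) (Previously - G100-G106) The SA will
## configure the auditing system to audit the following events for all
## users and root:

## - Logon (unsuccessful and successful) and logout (successful)

## Handled by pam, sshd, login, and gdm
## Might also want to watch these files if needing extra information
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /etc/login.defs -p wa -k logins

##- Process and session initiation (unsuccessful and successful)

## The session initiation is audited by pam without any rules needed.
## Might also want to watch these files if needing extra information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
## Both successful and failed calls are recorded (no -F exit= filter) and
## every caller is included (no auid filter, see note 3 at the top).
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod

##- Unauthorized access attempts to files (unsuccessful)
## A rule can only test one -F exit= value, so EACCES (permission denied)
## and EPERM (operation not permitted) each need their own pair of rules.
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access

##- Use of privileged commands (unsuccessful and successful)
## One -F path= rule is needed per binary. Searching only /bin misses most
## of them; search every local filesystem for setuid and setgid files, e.g.
##   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
## and put each result in a rule like this (regenerate after package updates):
#-a always,exit -F path=/bin/ping -F perm=x -F key=privileged

##- Use of print command (unsuccessful and successful)
## No rule is provided here.

##- Export to media (successful)
## You have to mount media before using it. You must disable all automounting
## so that it's done manually in order to get the correct user requesting the
## mount operation.
-a always,exit -F arch=b64 -S mount -k mounts
-a always,exit -F arch=b32 -S mount -k mounts

##- System startup and shutdown (unsuccessful and successful)
## No rule is provided here; auditd itself logs its own start and stop.

##- Files and programs deleted by the user (successful and unsuccessful)
## renameat2 is not in this list; add it if your kernel provides it.
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete

##- All system administration actions
##- All security personnel actions

## Look for pam_tty_audit and add it to your login entry point's pam configs.
## If that is not found, use sudo which should be patched to record its
## commands to the audit system. Do not allow unrestricted root shells or
## sudo cannot record the action.
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

## (GEN002860: CAT II) (Previously - G674) The SA and/or IAO will
## ensure old audit logs are closed and new audit logs are started daily.

## Site action. Can be assisted by a cron job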