## Add keys to the audit rules below using the -k option to allow for more ## organized and quicker searches with the ausearch tool. See auditctl(8) ## and ausearch(8) for more information. # Remove any existing rules -D # Increase buffer size to handle the increased number of messages. -b 16384 # Failure of auditd causes a kernel panic -f 2 ## (GEN002800)The SA will configure the auditing system to audit ## logon (unsuccessful and successful) and logout (successful) -w /bin/login -p x -w /bin/logout -p x ## (GEN002740: CAT II) The SA will configure the auditing system to audit ## discretionary access control permission modification (unsuccessful and ## successful use of chown/chmod) <% if architecture == "x86_64" %> -a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b32 -S chown32 -S fchown32 -S lchown32 -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod <% end %> <% if architecture != "x86_64" %> -a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b32 -S chown32 -S fchown32 -S lchown32 -F auid>=500 -F auid!=4294967295 -k perm_mod -a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod <% end %> ## (GEN002760: CAT II) The SA will configure the auditing system to audit ## unauthorized access attempts to files (unsuccessful) <% if architecture == "x86_64" %> -a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a exit,always -F arch=b64 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a exit,always -F arch=b64 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access <% end %> <% if architecture != "x86_64" %> -a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a exit,always -F arch=b32 -S mknod -S pipe -S mkdir -S creat -S open -S openat -S truncate -S ftruncate -S truncate64 -S ftruncate64 -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access <% end %> ## (GEN002780: CAT II) The SA will configure the auditing system to audit ## use of privileged commands (unsuccessful and successful) -w /usr/sbin/pwck -k priv-command -w /bin/chgrp -k priv-command -w /usr/bin/newgrp -k priv-command -w /usr/sbin/groupadd -k priv-command -w /usr/sbin/groupmod -k priv-command -w /usr/sbin/groupdel -k priv-command -w /usr/sbin/useradd -k priv-command -w /usr/sbin/userdel -k priv-command -w /usr/sbin/usermod -k priv-command -w /usr/bin/chage -k priv-command -w /usr/bin/setfacl -k priv-command -w /usr/bin/chacll -k priv-command ## (GEN002720: CAT II) The SA will configure the auditing system to audit ## files and programs deleted by the user (successful and unsuccessful) <% if architecture == "x86_64" %> -a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=500 -F auid!=4294967295 -k deleted -a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=500 -F auid!=4294967295 -k deleted -a exit,always -F arch=b32 -S link -S symlink -S acct -F auid>=500 -F auid!=4294967295 -k created -a exit,always -F arch=b64 -S link -S symlink -S acct -F auid>=500 -F auid!=4294967295 -k created <% end %> <% if architecture != "x86_64" %> -a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k deleted -a exit,always -F arch=b32 -S link -S symlink -S acct -F auid>=500 -F auid!=4294967295 -k created <% end %> ## (GEN002820: CAT II) The SA will configure the auditing system to audit ## all system administration actions -w /var/log/audit/audit.log -k admin-actions -w /var/log/audit/audit[1-4].log -k admin-actions -w /var/log/messages -k admin-actions -w /var/log/lastlog -k admin-actions -w /var/log/faillog -k admin-actions -w /etc/passwd -p wa -k admin-actions -w /etc/shadow -p wa -k admin-actions -w /etc/group -p wa -k admin-actions -w /etc/ld.so.conf -p wa -k admin-actions -w /etc/ld.so.conf.d -p wa -k admin-actions -w /etc/ssh/sshd_config -k admin-actions -w /etc/login.defs -k admin-actions -w /etc/rc.d/init.d -k admin-actions -w /etc/inittab -p wa -k admin-actions -w /var/run/utmp -k admin-actions -w /var/run/wtmp -k admin-actions <% if architecture == "x86_64" %> -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -k admin-actions -a exit,always -F arch=b64 -S adjtimex -S settimeofday -k admin-actions -a exit,always -F arch=b32 -S sethostname -S setdomainname -k admin-actions -a exit,always -F arch=b64 -S sethostname -S setdomainname -k admin-actions -a exit,always -F arch=b32 -S mount -S chroot -S umount2 -S umount -S kill -F auid!=4294967295 -k admin-actions -a exit,always -F arch=b64 -S mount -S chroot -S umount2 -S kill -F auid!=4294967295 -k admin-actions -a exit,always -F arch=b32 -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S swapon -k admin-actions -a exit,always -F arch=b64 -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S swapon -k admin-actions <% end %> <% if architecture != "x86_64" %> -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -k admin-actions -a exit,always -F arch=b32 -S sethostname -S setdomainname -k admin-actions -a exit,always -F arch=b32 -S mount -S chroot -S umount2 -S umount -S kill -F auid!=4294967295 -k admin-actions <% end %> -w /etc/localtime -p wa -k time ## (GEN002840: CAT II) The SA will configure the auditing system to audit ## all security personnel actions -w /etc/audit/auditd.conf -p wa -k security-actions -w /etc/audit/audit.rules -p wa -k security-actions -w /etc/selinux/config -p wa -k security-actions -w /etc/pam.d -k admin-actions <% if architecture == "x86_64" %> -a exit,always -F arch=b32 -S init_module -S delete_module -k security-actions -a exit,always -F arch=b64 -S init_module -S delete_module -k security-actions <% end %> <% if architecture != "x86_64" %> -a exit,always -F arch=b32 -S init_module -S delete_module -k security-actions <% end %> -w /bin/su # Enable auditing with immutability (for integrity purposes) -e 2