Add audit rules to support ppc64le architecture.
Add 'ppc64' arch in osas-auditd.j2 to support ppc64le architecture. Change-Id: Idb730325334a428e91c3eee44b7ca0980548da99
This commit is contained in:
Qing Wu Wang
parent
256ef94ea2
commit
5e70944bef
@ -3,23 +3,35 @@
|
||||
{% if security_audit_clock_settimeofday | bool %}
|
||||
# RHEL 6 STIG V-38522
|
||||
# Audits changes to system time via settimeofday
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S settimeofday -k audit_time_rules-V-38522
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules-V-38522
|
||||
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules-V-38522
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_clock_stime | bool %}
|
||||
# RHEL 6 STIG V-38525
|
||||
# Audits changes to system time via stime
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S stime -k audit_time_rules-V-38525
|
||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_clock_settime | bool %}
|
||||
# RHEL 6 STIG V-38527
|
||||
# Audits changes to system time via clock_settime
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S clock_settime -k audit_time_rules-V-38527
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules-V-38527
|
||||
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules-V-38527
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_change_localtime | bool %}
|
||||
# RHEL 6 STIG V-38530
|
||||
@ -40,8 +52,12 @@
|
||||
{% if security_audit_network_changes | bool %}
|
||||
# RHEL 6 STIG V-38540
|
||||
# Audits network configuration changes
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
|
||||
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
|
||||
{% endif %}
|
||||
-w /etc/issue -p wa -k audit_network_modifications-V-38540
|
||||
-w /etc/issue.net -p wa -k audit_network_modifications-V-38540
|
||||
-w /etc/hosts -p wa -k audit_network_modifications-V-38540
|
||||
@ -64,114 +80,180 @@
|
||||
{% if security_audit_DAC_chmod | bool %}
|
||||
# RHEL 6 STIG V-38543
|
||||
# Audits DAC changes via chmod
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
|
||||
-a always,exit -F arch=ppc64 -S removexattr -F auid=0 -k perm_mod-V-38543
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
|
||||
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod-V-38543
|
||||
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
|
||||
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod-V-38543
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_chown | bool %}
|
||||
# RHEL 6 STIG V-38545
|
||||
# Audits DAC changes via chown
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
|
||||
-a always,exit -F arch=ppc64 -S chown -F auid=0 -k perm_mod-V-38545
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
|
||||
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod-V-38545
|
||||
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
|
||||
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod-V-38545
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_fchmod | bool %}
|
||||
# RHEL 6 STIG V-38547
|
||||
# Audits DAC changes via fchmod
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
|
||||
-a always,exit -F arch=ppc64 -S fchmod -F auid=0 -k perm_mod-V-38547
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
|
||||
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod-V-38547
|
||||
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
|
||||
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod-V-38547
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_fchmodat | bool %}
|
||||
# RHEL 6 STIG V-38550
|
||||
# Audits DAC changes via fchmodat
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
|
||||
-a always,exit -F arch=ppc64 -S fchmodat -F auid=0 -k perm_mod-V-38550
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
|
||||
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod-V-38550
|
||||
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
|
||||
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod-V-38550
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_fchown | bool %}
|
||||
# RHEL 6 STIG V-38552
|
||||
# Audits DAC changes via fchown
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
|
||||
-a always,exit -F arch=ppc64 -S fchown -F auid=0 -k perm_mod-V-38552
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
|
||||
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod-V-38552
|
||||
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
|
||||
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod-V-38552
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_fchownat | bool %}
|
||||
# RHEL 6 STIG V-38554
|
||||
# Audits DAC changes via fchownat
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
|
||||
-a always,exit -F arch=ppc64 -S fchownat -F auid=0 -k perm_mod-V-38554
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
|
||||
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod-V-38554
|
||||
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
|
||||
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod-V-38554
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_fremovexattr | bool %}
|
||||
# RHEL 6 STIG V-38556
|
||||
# Audits DAC changes via fremovexattr
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
|
||||
-a always,exit -F arch=ppc64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
|
||||
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod-V-38556
|
||||
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
|
||||
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_fsetxattr | bool %}
|
||||
# RHEL 6 STIG V-38557
|
||||
# Audits DAC changes via fsetxattr
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
|
||||
-a always,exit -F arch=ppc64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
|
||||
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod-V-38557
|
||||
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
|
||||
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_lchown | bool %}
|
||||
# RHEL 6 STIG V-38558
|
||||
# Audits DAC changes via lchown
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
|
||||
-a always,exit -F arch=ppc64 -S lchown -F auid=0 -k perm_mod-V-38558
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
|
||||
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558
|
||||
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
|
||||
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_lremovexattr | bool %}
|
||||
# RHEL 6 STIG V-38559
|
||||
# Audits DAC changes via lremovexattr
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
|
||||
-a always,exit -F arch=ppc64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modV-38559
|
||||
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod-V-38559
|
||||
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
|
||||
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_lsetxattr | bool %}
|
||||
# RHEL 6 STIG V-38561
|
||||
# Audits DAC changes via lsetxattr
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
|
||||
-a always,exit -F arch=ppc64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
|
||||
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod-V-38561
|
||||
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
|
||||
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_DAC_setxattr | bool %}
|
||||
# RHEL 6 STIG V-38565
|
||||
# Audits DAC changes via setxattr
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
|
||||
-a always,exit -F arch=ppc64 -S setxattr -F auid=0 -k perm_mod-V-38565
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
|
||||
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod-V-38565
|
||||
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
|
||||
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod-V-38565
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_failed_access | bool %}
|
||||
# RHEL 6 STIG V-38566
|
||||
# Audits failed attempts to access files and programs
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
|
||||
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
|
||||
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
|
||||
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
|
||||
@ -181,24 +263,35 @@
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_filesystem_mounts | bool %}
|
||||
# RHEL 6 STIG V-38568
|
||||
# Audits filesystem mounts
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
|
||||
-a always,exit -F arch=ppc64 -S mount -F auid=0 -k export-V-38568
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
|
||||
-a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
|
||||
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
|
||||
-a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_deletions | bool %}
|
||||
# RHEL 6 STIG V-38575
|
||||
# Audits deletion of files and programs
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
|
||||
-a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
|
||||
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
|
||||
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
|
||||
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_sudoers | bool %}
|
||||
# RHEL 6 STIG V-38578
|
||||
@ -212,13 +305,21 @@
|
||||
-w /sbin/insmod -p x -k modules-V-38580
|
||||
-w /sbin/rmmod -p x -k modules-V-38580
|
||||
-w /sbin/modprobe -p x -k modules-V-38580
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S init_module -S delete_module -k modules-V-38580
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules-V-38580
|
||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules-V-38580
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_audit_change_system_time | bool %}
|
||||
# RHEL 6 STIG V-38635
|
||||
# Audits system time changes
|
||||
{% if ansible_architecture == 'ppc64le' %}
|
||||
-a always,exit -F arch=ppc64 -S adjtimex -k audit_time_rules-V-38635
|
||||
{% else %}
|
||||
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules-V-38635
|
||||
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules-V-38635
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user