Expand Up @@ -58,7 +58,6 @@ references:
stigid@ol7: OL07-00-030410
stigid@ol8: OL08-00-030490
stigid@sle12: SLES-12-020460
stigid@sle15: SLES-15-030290

ocil_clause: 'the system is not configured to audit permission changes'

Expand Up @@ -58,7 +58,6 @@ references:
stigid@ol7: OL07-00-030370
stigid@ol8: OL08-00-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250

{{{ complete_ocil_entry_audit_syscall(syscall="chown") }}}

Expand Up @@ -56,7 +56,6 @@ references:
stigid@ol7: OL07-00-030410
stigid@ol8: OL08-00-030490
stigid@sle12: SLES-12-020460
stigid@sle15: SLES-15-030290

{{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}}

Expand Up @@ -55,7 +55,6 @@ references:
stigid@ol7: OL07-00-030410
stigid@ol8: OL08-00-030490
stigid@sle12: SLES-12-020460
stigid@sle15: SLES-15-030290

{{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}}

Expand Up @@ -58,7 +58,6 @@ references:
stigid@ol7: OL07-00-030370
stigid@ol8: OL08-00-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250

{{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}}

Expand Up @@ -55,7 +55,6 @@ references:
stigid@ol7: OL07-00-030370
stigid@ol8: OL08-00-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250

{{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}}

Expand Up @@ -73,7 +73,6 @@ references:
stigid@ol7: OL07-00-030440
stigid@ol8: OL08-00-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030190

{{{ complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}}

Expand Up @@ -67,7 +67,6 @@ references:
stigid@ol7: OL07-00-030440
stigid@ol8: OL08-00-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030190

{{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}}

Expand Up @@ -59,7 +59,6 @@ references:
stigid@ol7: OL07-00-030370
stigid@ol8: OL08-00-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250

{{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}}

Expand Up @@ -72,7 +72,6 @@ references:
stigid@ol7: OL07-00-030440
stigid@ol8: OL08-00-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030190

{{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}}

Expand Up @@ -67,7 +67,6 @@ references:
stigid@ol7: OL07-00-030440
stigid@ol8: OL08-00-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030190

{{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}}

Expand Up @@ -71,7 +71,6 @@ references:
stigid@ol7: OL07-00-030440
stigid@ol8: OL08-00-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030190

{{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}}

Expand Up @@ -67,7 +67,6 @@ references:
stigid@ol7: OL07-00-030440
stigid@ol8: OL08-00-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030190

{{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}}

Expand Up @@ -35,7 +35,6 @@ references:
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
stigid@sle12: SLES-12-020300
stigid@sle15: SLES-15-030360

ocil_clause: '{{{ ocil_clause_audit() }}}'

Expand Up @@ -40,7 +40,6 @@ references:
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
stigid@sle12: SLES-12-020300
stigid@sle15: SLES-15-030360

{{{ complete_ocil_entry_audit_syscall(syscall="umount2") }}}

Expand Up @@ -30,7 +30,6 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
stigid@ol8: OL08-00-030570
stigid@sle12: SLES-12-020620
stigid@sle15: SLES-15-030440

{{{ ocil_fix_srg_privileged_command("chacl", "/usr/bin/", "perm_mod") }}}

Expand Up @@ -27,7 +27,6 @@ references:
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@sle12: SLES-12-020600
stigid@sle15: SLES-15-030420

ocil: |-
To verify that execution of the command is being audited, run the following command:
Expand Up @@ -29,7 +29,6 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
stigid@ol8: OL08-00-030330
stigid@sle12: SLES-12-020610
stigid@sle15: SLES-15-030430

{{{ ocil_fix_srg_privileged_command("setfacl", "/usr/bin/", "perm_mod") }}}

Expand Up @@ -46,7 +46,6 @@ references:
stigid@ol7: OL07-00-030580
stigid@ol8: OL08-00-030260
stigid@sle12: SLES-12-020630
stigid@sle15: SLES-15-030450

{{{ ocil_fix_srg_privileged_command("chcon", "/usr/bin/", "perm_mod") }}}

Expand Up @@ -27,7 +27,6 @@ references:
nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@sle12: SLES-12-020640
stigid@sle15: SLES-15-030460

ocil: |-
To verify that execution of the command is being audited, run the following command:
Expand Up @@ -62,7 +62,6 @@ references:
stigid@ol7: OL07-00-030510
stigid@ol8: OL08-00-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("creat", "access") | indent(4) }}}
Expand Up @@ -62,7 +62,6 @@ references:
stigid@ol7: OL07-00-030510
stigid@ol8: OL08-00-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("ftruncate", "access") | indent(4) }}}
Expand Up @@ -66,7 +66,6 @@ references:
stigid@ol7: OL07-00-030510
stigid@ol8: OL08-00-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("open", "access") | indent(4) }}}
Expand Up @@ -56,7 +56,6 @@ references:
stigid@ol7: OL07-00-030510
stigid@ol8: OL08-00-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("open_by_handle_at", "access") | indent(4) }}}
Expand Up @@ -62,7 +62,6 @@ references:
stigid@ol7: OL07-00-030510
stigid@ol8: OL08-00-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("openat", "access") | indent(4) }}}
Expand Up @@ -53,7 +53,6 @@ references:
pcidss: Req-10.2.4,Req-10.2.1
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
stigid@sle12: SLES-12-020411
stigid@sle15: SLES-15-030740

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("rename", "unsuccessful-delete") | indent(4) }}}
Expand Up @@ -59,7 +59,6 @@ references:
pcidss: Req-10.2.4,Req-10.2.1
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
stigid@sle12: SLES-12-020411
stigid@sle15: SLES-15-030740

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("renameat", "unsuccessful-delete") | indent(4) }}}
Expand Up @@ -5,11 +5,11 @@ title: 'Record Unsuccessful Delete Attempts to Files - renameat2'

description: |-
The operating system must generate audit records for all uses of the <tt>renameat2</tt> system call.
Without generating audit records specific to the security and mission needs of the organization, it would be
Without generating audit records specific to the security and mission needs of the organization, it would be
difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Add or update the following lines to <tt>/etc/audit/rules.d/audit.rules</tt> to configure the operating system to generate
an audit record for all uses of the <tt>renameat2</tt> system call:
Add or update the following lines to <tt>/etc/audit/rules.d/audit.rules</tt> to configure the operating system to generate
an audit record for all uses of the <tt>renameat2</tt> system call:
<pre>
-a always,exit -F arch=b32 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=-1 -k perm_mod</pre>
Expand All @@ -26,7 +26,6 @@ identifiers:
references:
nist@sle15: AU-12(c),AU-12.1(iv)
srg: SRG-OS-000468-GPOS-00212
stigid@sle15: SLES-15-030740

{{{ complete_ocil_entry_audit_unsuccessful_syscall(syscall="renameat2") }}}

Expand Up @@ -61,7 +61,6 @@ references:
stigid@ol7: OL07-00-030510
stigid@ol8: OL08-00-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("truncate", "access") | indent(4) }}}
Expand Up @@ -65,7 +65,6 @@ references:
pcidss: Req-10.2.4,Req-10.2.1
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
stigid@sle12: SLES-12-020411
stigid@sle15: SLES-15-030740

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("unlink", "unsuccessful-delete") | indent(4) }}}
Expand Up @@ -62,7 +62,6 @@ references:
pcidss: Req-10.2.4,Req-10.2.1
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
stigid@sle12: SLES-12-020411
stigid@sle15: SLES-15-030740

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("unlinkat", "unsuccessful-delete") | indent(4) }}}
Expand Up @@ -42,7 +42,6 @@ references:
stigid@ol7: OL07-00-030830
stigid@ol8: OL08-00-030390
stigid@sle12: SLES-12-020730
stigid@sle15: SLES-15-030520

{{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}}

Expand Up @@ -40,7 +40,6 @@ references:
stigid@ol7: OL07-00-030820
stigid@ol8: OL08-00-030360
stigid@sle12: SLES-12-020740
stigid@sle15: SLES-15-030530

{{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}}

Expand Up @@ -41,7 +41,6 @@ references:
stigid@ol7: OL07-00-030820
stigid@ol8: OL08-00-030360
stigid@sle12: SLES-12-020740
stigid@sle15: SLES-15-030530

{{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}

Expand Up @@ -42,7 +42,6 @@ references:
stigid@ol7: OL07-00-030620
stigid@ol8: OL08-00-030600
stigid@sle12: SLES-12-020660
stigid@sle15: SLES-15-030480

ocil_clause: 'the command does not return a line, or the line is commented out'

Expand Up @@ -39,7 +39,6 @@ references:
pcidss: Req-10.2.3
srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-APP-000503-CTR-001275
stigid@sle12: SLES-12-020650
stigid@sle15: SLES-15-030470

ocil_clause: 'the command does not return a line, or the line is commented out'

Expand Up @@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-030660
stigid@ol8: OL08-00-030250
stigid@sle12: SLES-12-020690
stigid@sle15: SLES-15-030120

{{{ ocil_fix_srg_privileged_command("chage") }}}

Expand Up @@ -26,7 +26,6 @@ identifiers:
references:
nist: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
stigid@sle12: SLES-12-020280
stigid@sle15: SLES-15-030340

ocil_clause: '{{{ ocil_clause_audit() }}}'

Expand Up @@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-030720
stigid@ol8: OL08-00-030410
stigid@sle12: SLES-12-020580
stigid@sle15: SLES-15-030100

{{{ ocil_fix_srg_privileged_command("chsh") }}}

Expand Up @@ -43,7 +43,6 @@ references:
stigid@ol7: OL07-00-030800
stigid@ol8: OL08-00-030400
stigid@sle12: SLES-12-020710
stigid@sle15: SLES-15-030130

{{{ ocil_fix_srg_privileged_command("crontab") }}}

Expand Up @@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-030650
stigid@ol8: OL08-00-030370
stigid@sle12: SLES-12-020560
stigid@sle15: SLES-15-030080

{{{ ocil_fix_srg_privileged_command("gpasswd") }}}

Expand Up @@ -39,7 +39,6 @@ references:
cis@sle15: 4.1.16
nist: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@sle15: SLES-15-030380

ocil_clause: '{{{ ocil_clause_audit() }}}'

Expand Up @@ -32,7 +32,6 @@ references:
stigid@ol7: OL07-00-030840
stigid@ol8: OL08-00-030580
stigid@sle12: SLES-12-020360
stigid@sle15: SLES-15-030410

{{{ ocil_fix_srg_privileged_command("kmod") }}}

Expand Up @@ -43,7 +43,6 @@ references:
cis@sle15: 4.1.16
nist: AU-12(a),AU-12.1(ii),AU-3,AU-3.1,AU-12(c),AU-12.1(iv),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@sle15: SLES-15-030400

ocil_clause: '{{{ ocil_clause_audit() }}}'

Expand Up @@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-030710
stigid@ol8: OL08-00-030350
stigid@sle12: SLES-12-020570
stigid@sle15: SLES-15-030090

{{{ ocil_fix_srg_privileged_command("newgrp") }}}

Expand Up @@ -50,7 +50,6 @@ references:
stigid@ol7: OL07-00-030810
stigid@ol8: OL08-00-030340
stigid@sle12: SLES-12-020720
stigid@sle15: SLES-15-030510

{{% if product not in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
{{{ ocil_fix_srg_privileged_command("pam_timestamp_check", "/usr/sbin/") }}}
Expand Up @@ -27,7 +27,6 @@ references:
nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015
stigid@sle12: SLES-12-020670
stigid@sle15: SLES-15-030490

ocil_clause: '{{{ ocil_clause_audit() }}}'

Expand Up @@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-030630
stigid@ol8: OL08-00-030290
stigid@sle12: SLES-12-020550
stigid@sle15: SLES-15-030070

{{{ ocil_fix_srg_privileged_command("passwd") }}}
