openstack/ansible-hardening
Code Issues Proposed changes

Add key fields to audit rules

Browse Source 
This patch adjusts the key fields in the audit rules that are added
by the security rule to make it easier to link a log entry with the
audit rules that caused it. Deployers with overflowing logs should
be able to narrow down the rule much more easily.

Closes-Bug: 1590911

Change-Id: I39c673d515467f685004463e914a0a1aaec3c153
This commit is contained in:
Major Hayden 2016-06-09 13:42:18 -05:00
parent 41260da8ac
commit 44e6056a93
2 changed files with 98 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
releasenotes/notes/improved-audit-rule-keys-9fa85f758386446c.yaml Normal file
View File

@ -0,0 +1,5 @@
---
features:
- The audit rules added by the security role now have key fields that make
it easier to link the audit log entry to the audit rule that caused it to
appear.

186
templates/osas-auditd.j2
View File

@ -3,222 +3,222 @@
{% if security_audit_clock_settimeofday | bool %} {% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522 # RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday # Audits changes to system time via settimeofday
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules-V-38522
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules-V-38522
{% endif %} {% endif %}
{% if security_audit_clock_stime | bool %} {% if security_audit_clock_stime | bool %}
# RHEL 6 STIG V-38525 # RHEL 6 STIG V-38525
# Audits changes to system time via stime # Audits changes to system time via stime
-a always,exit -F arch=b32 -S stime -k audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules-V-38525
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
{% endif %} {% endif %}
{% if security_audit_clock_settime | bool %} {% if security_audit_clock_settime | bool %}
# RHEL 6 STIG V-38527 # RHEL 6 STIG V-38527
# Audits changes to system time via clock_settime # Audits changes to system time via clock_settime
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules-V-38527
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules-V-38527
{% endif %} {% endif %}
{% if security_audit_change_localtime | bool %} {% if security_audit_change_localtime | bool %}
# RHEL 6 STIG V-38530 # RHEL 6 STIG V-38530
# Audits clock changes made via /etc/localtime # Audits clock changes made via /etc/localtime
-w /etc/localtime -p wa -k audit_time_rules -w /etc/localtime -p wa -k audit_time_rules-V-38530
{% endif %} {% endif %}
{% if security_audit_account_modification | bool %} {% if security_audit_account_modification | bool %}
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538 # RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
# Audits account modifications and terminations # Audits account modifications and terminations
-w /etc/group -p wa -k audit_account_changes -w /etc/group -p wa -k audit_account_changes-V-38531
-w /etc/passwd -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes-V-38531
-w /etc/gshadow -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes-V-38531
-w /etc/shadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes-V-38531
-w /etc/security/opasswd -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes-V-38531
{% endif %} {% endif %}
{% if security_audit_network_changes | bool %} {% if security_audit_network_changes | bool %}
# RHEL 6 STIG V-38540 # RHEL 6 STIG V-38540
# Audits network configuration changes # Audits network configuration changes
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
-w /etc/issue -p wa -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications-V-38540
-w /etc/issue.net -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications-V-38540
-w /etc/hosts -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications-V-38540
-w /etc/network -p wa -k audit_network_modifications -w /etc/network -p wa -k audit_network_modifications-V-38540
{% endif %} {% endif %}
{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %} {% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541 # RHEL 6 STIG V-38541
# Audits changes to AppArmor policies # Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor/ -p wa -k MAC-policy-V-38541
-w /etc/apparmor.d/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy-V-38541
{% endif %} {% endif %}
{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %} {% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541 # RHEL 6 STIG V-38541
# Audits changes to SELinux policies # Audits changes to SELinux policies
-w /etc/selinux/ -p wa -k MAC-policy -w /etc/selinux/ -p wa -k MAC-policy-V-38541
{% endif %} {% endif %}
{% if security_audit_DAC_chmod | bool %} {% if security_audit_DAC_chmod | bool %}
# RHEL 6 STIG V-38543 # RHEL 6 STIG V-38543
# Audits DAC changes via chmod # Audits DAC changes via chmod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod-V-38543
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod-V-38543
{% endif %} {% endif %}
{% if security_audit_DAC_chown | bool %} {% if security_audit_DAC_chown | bool %}
# RHEL 6 STIG V-38545 # RHEL 6 STIG V-38545
# Audits DAC changes via chown # Audits DAC changes via chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod-V-38545
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod-V-38545
{% endif %} {% endif %}
{% if security_audit_DAC_fchmod | bool %} {% if security_audit_DAC_fchmod | bool %}
# RHEL 6 STIG V-38547 # RHEL 6 STIG V-38547
# Audits DAC changes via fchmod # Audits DAC changes via fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod-V-38547
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod-V-38547
{% endif %} {% endif %}
{% if security_audit_DAC_fchmodat | bool %} {% if security_audit_DAC_fchmodat | bool %}
# RHEL 6 STIG V-38550 # RHEL 6 STIG V-38550
# Audits DAC changes via fchmodat # Audits DAC changes via fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod-V-38550
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod-V-38550
{% endif %} {% endif %}
{% if security_audit_DAC_fchown | bool %} {% if security_audit_DAC_fchown | bool %}
# RHEL 6 STIG V-38552 # RHEL 6 STIG V-38552
# Audits DAC changes via fchown # Audits DAC changes via fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod-V-38552
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod-V-38552
{% endif %} {% endif %}
{% if security_audit_DAC_fchownat | bool %} {% if security_audit_DAC_fchownat | bool %}
# RHEL 6 STIG V-38554 # RHEL 6 STIG V-38554
# Audits DAC changes via fchownat # Audits DAC changes via fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod-V-38554
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod-V-38554
{% endif %} {% endif %}
{% if security_audit_DAC_fremovexattr | bool %} {% if security_audit_DAC_fremovexattr | bool %}
# RHEL 6 STIG V-38556 # RHEL 6 STIG V-38556
# Audits DAC changes via fremovexattr # Audits DAC changes via fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod-V-38556
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
{% endif %} {% endif %}
{% if security_audit_DAC_fsetxattr | bool %} {% if security_audit_DAC_fsetxattr | bool %}
# RHEL 6 STIG V-38557 # RHEL 6 STIG V-38557
# Audits DAC changes via fsetxattr # Audits DAC changes via fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod-V-38557
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
{% endif %} {% endif %}
{% if security_audit_DAC_lchown | bool %} {% if security_audit_DAC_lchown | bool %}
# RHEL 6 STIG V-38558 # RHEL 6 STIG V-38558
# Audits DAC changes via lchown # Audits DAC changes via lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modV-38558
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558
{% endif %} {% endif %}
{% if security_audit_DAC_lremovexattr | bool %} {% if security_audit_DAC_lremovexattr | bool %}
# RHEL 6 STIG V-38559 # RHEL 6 STIG V-38559
# Audits DAC changes via lremovexattr # Audits DAC changes via lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modV-38559
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod-V-38559
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
{% endif %} {% endif %}
{% if security_audit_DAC_lsetxattr | bool %} {% if security_audit_DAC_lsetxattr | bool %}
# RHEL 6 STIG V-38561 # RHEL 6 STIG V-38561
# Audits DAC changes via lsetxattr # Audits DAC changes via lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod-V-38561
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
{% endif %} {% endif %}
{% if security_audit_DAC_setxattr | bool %} {% if security_audit_DAC_setxattr | bool %}
# RHEL 6 STIG V-38565 # RHEL 6 STIG V-38565
# Audits DAC changes via setxattr # Audits DAC changes via setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod-V-38565
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod-V-38565
{% endif %} {% endif %}
{% if security_audit_failed_access | bool %} {% if security_audit_failed_access | bool %}
# RHEL 6 STIG V-38566 # RHEL 6 STIG V-38566
# Audits failed attempts to access files and programs # Audits failed attempts to access files and programs
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
{% endif %} {% endif %}
{% if security_audit_filesystem_mounts | bool %} {% if security_audit_filesystem_mounts | bool %}
# RHEL 6 STIG V-38568 # RHEL 6 STIG V-38568
# Audits filesystem mounts # Audits filesystem mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
-a always,exit -F arch=b32 -S mount -F auid=0 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
-a always,exit -F arch=b64 -S mount -F auid=0 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
{% endif %} {% endif %}
{% if security_audit_deletions | bool %} {% if security_audit_deletions | bool %}
# RHEL 6 STIG V-38575 # RHEL 6 STIG V-38575
# Audits deletion of files and programs # Audits deletion of files and programs
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
{% endif %} {% endif %}
{% if security_audit_sudoers | bool %} {% if security_audit_sudoers | bool %}
# RHEL 6 STIG V-38578 # RHEL 6 STIG V-38578
# Audits /etc/sudoers changes # Audits /etc/sudoers changes
-w /etc/sudoers -p wa -k actions -w /etc/sudoers -p wa -k actions-V-38578
{% endif %} {% endif %}
{% if security_audit_kernel_modules | bool %} {% if security_audit_kernel_modules | bool %}
# RHEL 6 STIG V-38580 # RHEL 6 STIG V-38580
# Audits kernel module loading/unloading # Audits kernel module loading/unloading
-w /sbin/insmod -p x -k modules -w /sbin/insmod -p x -k modules-V-38580
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules-V-38580
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules-V-38580
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules-V-38580
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules-V-38580
{% endif %} {% endif %}
{% if security_audit_change_system_time | bool %} {% if security_audit_change_system_time | bool %}
# RHEL 6 STIG V-38635 # RHEL 6 STIG V-38635
# Audits system time changes # Audits system time changes
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules-V-38635
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules-V-38635
{% endif %} {% endif %}