-
Notifications
You must be signed in to change notification settings - Fork 671
/
rule.yml
73 lines (59 loc) · 3.37 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
documentation_complete: true
title: 'Record Attempts to Alter Logon and Logout Events - tallylog'
description: |-
The audit system already collects login information for all users
and root. If the <tt>auditd</tt> daemon is configured to use the
<tt>augenrules</tt> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <tt>.rules</tt> in the
directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins</pre>
rationale: |-
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
severity: medium
identifiers:
cce@rhcos4: CCE-82585-1
cce@rhel7: CCE-80994-7
cce@rhel8: CCE-80720-6
cce@rhel9: CCE-83782-3
cce@sle12: CCE-83107-3
cce@sle15: CCE-85597-3
references:
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
cis@sle12: 4.1.7
cis@sle15: 4.1.7
cis@ubuntu2004: 4.1.7
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cui: 3.1.7
disa: CCI-000172,CCI-002884,CCI-000126
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
ospp: FAU_GEN.1.1.c
pcidss: Req-10.2.3
srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-APP-000503-CTR-001275
stigid@rhel7: RHEL-07-030600
stigid@sle12: SLES-12-020650
stigid@sle15: SLES-15-030470
stigid@ubuntu2004: UBTU-20-010169
ocil_clause: 'the command does not return a line, or the line is commented out'
ocil: |-
Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command:
$ sudo auditctl -l | grep /var/log/tallylog
-w /var/log/tallylog -p wa -k logins
template:
name: audit_rules_login_events
vars:
path: /var/log/tallylog
fixtext: |-
{{{ fixtext_audit_file_watch_rule("/var/log/tallylog", "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}}
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule("/var/log/tallylog") }}}'