From 7b313ee1bc6c300869ce557d7ab8e3ddc17b2333 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Wed, 25 May 2016 11:26:56 -0500 Subject: [PATCH] Adding audit rule for SELinux policy modifications This patch fixes the auditd rules template so that AppArmor and SELinux policy modifications are logged, depending on which Linux distribution is in use. The security_audit_apparmor_changes variable has been renamed to security_audit_mac_changes to be more generic. Documentation updates and a release note are included. Closes-bug: 1584187 Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7 --- defaults/main.yml | 2 +- doc/source/developer-notes/V-38541.rst | 14 ++++++++++---- ...iting-mac-policy-changes-fb83e0260a6431ed.yaml | 15 +++++++++++++++ tasks/main.yml | 1 + templates/osas-auditd.j2 | 8 +++++++- 5 files changed, 34 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml diff --git a/defaults/main.yml b/defaults/main.yml index d365dd6d..dda0337a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -53,7 +53,6 @@ security_initialize_aide: false # automatically with augenrules. # security_audit_account_modification: yes # V-38531, V-38534, V-38538 -security_audit_apparmor_changes: yes # V-38541 security_audit_change_localtime: yes # V-38530 security_audit_change_system_time: yes # V-38635 security_audit_clock_settime: yes # V-38527 @@ -75,6 +74,7 @@ security_audit_deletions: no # V-38575 security_audit_failed_access: no # V-38566 security_audit_filesystem_mounts: yes # V-38568 security_audit_kernel_modules: yes # V-38580 +security_audit_mac_changes: yes # V-38541 security_audit_network_changes: yes # V-38540 security_audit_sudoers: yes # V-38578 # diff --git a/doc/source/developer-notes/V-38541.rst b/doc/source/developer-notes/V-38541.rst index 2b070433..f764ee67 100644 --- a/doc/source/developer-notes/V-38541.rst +++ b/doc/source/developer-notes/V-38541.rst 
@@ -1,5 +1,11 @@ -The RHEL 6 STIG requires that changes to SELinux policies and configuration are -audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is -AppArmor and openstack-ansible configures AppArmor by default. +For Ubuntu, rules are added to auditd that will log any changes made in the +``/etc/apparmor`` directory. -This requirement has been modified to fit AppArmor on an Ubuntu system. +For CentOS, rules are added to auditd that will log any changes made in the +``/etc/selinux`` directory. + +To opt-out of this change, set the following Ansible variable: + +.. code-block:: yaml + + security_audit_mac_changes: no diff --git a/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml b/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml new file mode 100644 index 00000000..0c20701f --- /dev/null +++ b/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml @@ -0,0 +1,15 @@ +--- + +upgrade: + - | + The variable ``security_audit_apparmor_changes`` is now renamed to + ``security_audit_mac_changes`` and is enabled by default. Setting + ``security_audit_mac_changes`` to ``no`` will disable syscall auditing for + any changes to AppArmor policies (in Ubuntu) or SELinux policies (in + CentOS). +features: + - | + The auditd rules template included a rule that audited changes to the + AppArmor policies, but the SELinux policy changes were not being audited. + Any changes to SELinux policies in ``/etc/selinux`` are now being logged + by auditd. diff --git a/tasks/main.yml b/tasks/main.yml index 4fa6f443..0531d661 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,6 +36,7 @@ set_fact: check_mode: "{{ noop_result | skipped }}" systemd_running: "{{ systemd_check | success }}" + linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}" - include: apt.yml when: ansible_pkg_mgr == 'apt' 
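Review bot: The new `linux_security_module` fact in the tasks/main.yml hunk picks the MAC module from `ansible_os_family` rather than from which LSM the host actually runs, so the watch lands on the wrong directory wherever distribution and module diverge: every non-Debian family (including Suse, which ships AppArmor) is mapped to 'selinux', and a Debian-family host running SELinux is mapped to 'apparmor', leaving the real policy directory unaudited. Ansible reports the module state directly through the `ansible_selinux` fact and, on versions that collect it, `ansible_apparmor.status`; keying on those, e.g. `linux_security_module: "{{ (ansible_apparmor.status | default('disabled') == 'enabled') | ternary('apparmor','selinux') }}"`, follows the host instead of the distro. If neither fact is usable on the supported Ansible versions, a comment on the line such as `# Chosen by distribution family only; does not detect the active LSM` would at least make the assumption visible. The enclosing `set_fact` task starts before this hunk.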
diff --git a/templates/osas-auditd.j2 b/templates/osas-auditd.j2
index 6a3ded96..536943e4 100644
--- a/templates/osas-auditd.j2
+++ b/templates/osas-auditd.j2
@@ -48,12 +48,18 @@
 -w /etc/network -p wa -k audit_network_modifications
 {% endif %}
 
-{% if security_audit_apparmor_changes | bool %}
+{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
 # RHEL 6 STIG V-38541
 # Audits changes to AppArmor policies
 -w /etc/apparmor/ -p wa -k MAC-policy
 {% endif %}
 
+{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
+# RHEL 6 STIG V-38541
+# Audits changes to SELinux policies
+-w /etc/selinux/ -p wa -k MAC-policy
+{% endif %}
+
 {% if security_audit_DAC_chmod | bool %}
 # RHEL 6 STIG V-38543
 # Audits DAC changes via chmod
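Review bot: In the AppArmor branch, `-w /etc/apparmor/ -p wa -k MAC-policy` watches only the parser configuration directory; the profiles that make up the AppArmor policy live in `/etc/apparmor.d/`, which a watch on `/etc/apparmor/` does not cover, so on Ubuntu the events this rule set is meant to record (adding or editing a profile) still leave no audit trail. Adding `-w /etc/apparmor.d/ -p wa -k MAC-policy` next to the existing line in the same branch closes that gap under the same key, so searches on `-k MAC-policy` keep working. The new SELinux branch matches the STIG check text for `/etc/selinux/`, but on releases where `semodule` keeps the policy store under `/var/lib/selinux` a second watch there may be needed as well — worth confirming against the target platforms before relying on this rule alone.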