Merge "Add template for audit rules"

defaults/main.yml

@@ -389,6 +389,39 @@ security_unattended_upgrades_notifications: false
 #security_audisp_remote_server: '10.0.21.1'                  # RHEL-07-030330
 # Encrypt audit records when they are transmitted over the network.
 #security_audisp_enable_krb5: yes                            # RHEL-07-030331
+# Rules for auditd are enabled if 'yes', disabled if 'no'. See the
+# documentation for each STIG control before enabling or disabling any rules.
+security_rhel7_audit_account_access: yes                     # RHEL-07-030492
+security_rhel7_audit_passwd_command: yes                     # RHEL-07-030510
+security_rhel7_audit_unix_chkpwd: yes                        # RHEL-07-030511
+security_rhel7_audit_gpasswd: yes                            # RHEL-07-030512
+security_rhel7_audit_chage: yes                              # RHEL-07-030513
+security_rhel7_audit_userhelper: yes                         # RHEL-07-030514
+security_rhel7_audit_su: yes                                 # RHEL-07-030521
+security_rhel7_audit_sudo: yes                               # RHEL-07-030522
+security_rhel7_audit_sudo_config_changes: yes                # RHEL-07-030523
+security_rhel7_audit_newgrp: yes                             # RHEL-07-030524
+security_rhel7_audit_chsh: yes                               # RHEL-07-030525
+security_rhel7_audit_sudoedit: yes                           # RHEL-07-030526
+security_rhel7_audit_mount: yes                              # RHEL-07-030530
+security_rhel7_audit_umount: yes                             # RHEL-07-030531
+security_rhel7_audit_postdrop: yes                           # RHEL-07-030540
+security_rhel7_audit_postqueue: yes                          # RHEL-07-030541
+security_rhel7_audit_ssh_keysign: yes                        # RHEL-07-030550
+security_rhel7_audit_pt_chown: yes                           # RHEL-07-030560
+security_rhel7_audit_crontab: yes                            # RHEL-07-030561
+security_rhel7_audit_pam_timestamp_check: yes                # RHEL-07-030630
+security_rhel7_audit_init_module: yes                        # RHEL-07-030670
+security_rhel7_audit_delete_module: yes                      # RHEL-07-030671
+security_rhel7_audit_insmod: yes                             # RHEL-07-030672
+security_rhel7_audit_rmmod: yes                              # RHEL-07-030673
+security_rhel7_audit_modprobe: yes                           # RHEL-07-030674
+security_rhel7_audit_account_actions: yes                    # RHEL-07-030710
+security_rhel7_audit_rename: yes                             # RHEL-07-030750
+security_rhel7_audit_renameat: yes                           # RHEL-07-030751
+security_rhel7_audit_rmdir: yes                              # RHEL-07-030752
+security_rhel7_audit_unlink: yes                             # RHEL-07-030753
+security_rhel7_audit_unlinkat: yes                           # RHEL-07-030754
 
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.

tasks/rhel7stig/auditd.yml

@@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Verify that auditd.conf exists
+  stat:
+    path: /etc/audit/auditd.conf
+  register: auditd_conf
+  check_mode: no
+  tags:
+    - always
+
 - name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
   lineinfile:
     dest: /etc/audisp/audisp-remote.conf
@@ -20,6 +28,7 @@
     line: "remote_server = {{ security_audisp_remote_server }}"
   when:
     - security_audisp_remote_server is defined
+    - auditd_conf.stat.exists
   notify:
     - restart auditd
   tags:
@@ -34,9 +43,69 @@
     line: "enable_krb5 = yes"
   when:
     - security_audisp_enable_krb5 is defined
+    - auditd_conf.stat.exists
   notify:
     - restart auditd
   tags:
     - medium
     - auditd
     - RHEL-07-030331
+
+- name: Get valid system architectures for audit rules
+  set_fact:
+    auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
+  check_mode: no
+  tags:
+    - always
+
+- name: Remove old RHEL 6 audit rules file
+  file:
+    path: /etc/audit/rules.d/osas-auditd.rules
+    state: absent
+  when:
+    - auditd_conf.stat.exists
+  notify:
+    - generate auditd rules
+  tags:
+    - always
+
+- name: Deploy rules for auditd based on STIG requirements
+  template:
+    src: osas-auditd-rhel7.j2
+    dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
+  when:
+    - auditd_conf.stat.exists
+  notify:
+    - generate auditd rules
+  tags:
+    - auditd
+    - RHEL-07-030492
+    - RHEL-07-030510
+    - RHEL-07-030511
+    - RHEL-07-030512
+    - RHEL-07-030513
+    - RHEL-07-030514
+    - RHEL-07-030521
+    - RHEL-07-030522
+    - RHEL-07-030523
+    - RHEL-07-030524
+    - RHEL-07-030525
+    - RHEL-07-030526
+    - RHEL-07-030530
+    - RHEL-07-030531
+    - RHEL-07-030540
+    - RHEL-07-030541
+    - RHEL-07-030550
+    - RHEL-07-030560
+    - RHEL-07-030561
+    - RHEL-07-030630
+    - RHEL-07-030670
+    - RHEL-07-030671
+    - RHEL-07-030672
+    - RHEL-07-030673
+    - RHEL-07-030674
+    - RHEL-07-030750
+    - RHEL-07-030751
+    - RHEL-07-030752
+    - RHEL-07-030753
+    - RHEL-07-030754

tasks/rhel7stig/main.yml

@@ -27,6 +27,10 @@
   when:
     - not check_mode | bool
 
+# Package installations and removals must come first so that configuration
+# changes can be made later.
+- include: packages.yml
+
 # Package managers are managed first since the changes in these tasks will
 # affect the remainder of the tasks in the role.
 - include: apt.yml
@@ -39,10 +43,10 @@
 # each file are tagged with the same name (for example, tasks in `auth.yml`
 # are tagged with `auth`). Also, the tag name matches up with the "STIG
 # Controls by Tag" section of the role documentation.
+- include: auditd.yml
 - include: auth.yml
 - include: file_perms.yml
 - include: graphical.yml
-- include: packages.yml
 - include: sshd.yml
 
 - name: Remove the temporary directory

templates/osas-auditd-rhel7.j2

@@ -0,0 +1,179 @@
+{% if security_rhel7_audit_account_access | bool %}
+# RHEL-07-030492 - The operating system must generate audit records for all
+# successful account access events.
+-w /var/log/lastlog -p wa -k RHEL-07-030492
+{% endif %}
+
+{% if security_rhel7_audit_passwd_command | bool %}
+# RHEL-07-030510 - All uses of the passwd command must be audited.
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030510
+{% endif %}
+
+{% if security_rhel7_audit_unix_chkpwd | bool %}
+# RHEL-07-030511 - All uses of the unix_chkpwd command must be audited.
+-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030511
+{% endif %}
+
+{% if security_rhel7_audit_gpasswd | bool %}
+# RHEL-07-030512 - All uses of the gpasswd command must be audited.
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030512
+{% endif %}
+
+{% if security_rhel7_audit_chage | bool %}
+# RHEL-07-030513 - All uses of the chage command must be audited.
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513
+{% endif %}
+
+{% if security_rhel7_audit_userhelper | bool %}
+# RHEL-07-030514 - All uses of the userhelper command must be audited.
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030514
+{% endif %}
+
+{% if security_rhel7_audit_su | bool %}
+# RHEL-07-030521 - All uses of the su command must be audited.
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030521
+{% endif %}
+
+{% if security_rhel7_audit_sudo | bool %}
+# RHEL-07-030522 - All uses of the sudo command must be audited.
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030522
+{% endif %}
+
+{% if security_rhel7_audit_sudo_config_changes | bool %}
+# RHEL-07-030523 - The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files.
+-w /etc/sudoers -p wa -k RHEL-07-030523
+-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
+{% endif %}
+
+{% if security_rhel7_audit_newgrp | bool %}
+# RHEL-07-030524 - All uses of the newgrp command must be audited.
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030524
+{% endif %}
+
+{% if security_rhel7_audit_chsh | bool %}
+# RHEL-07-030525 - All uses of the chsh command must be audited.
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525
+{% endif %}
+
+{% if security_rhel7_audit_sudoedit | bool %}
+# RHEL-07-030526 - All uses of the sudoedit command must be audited.
+-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030526
+{% endif %}
+
+{% if security_rhel7_audit_mount | bool %}
+# RHEL-07-030530 - All uses of the mount command must be audited.
+-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030530
+{% endif %}
+
+{% if security_rhel7_audit_umount | bool %}
+# RHEL-07-030531 - All uses of the umount command must be audited.
+-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030531
+{% endif %}
+
+{% if security_rhel7_audit_postdrop | bool %}
+# RHEL-07-030540 - All uses of the postdrop command must be audited.
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030540
+{% endif %}
+
+{% if security_rhel7_audit_postqueue | bool %}
+# RHEL-07-030541 - All uses of the postqueue command must be audited.
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030541
+{% endif %}
+
+{% if security_rhel7_audit_ssh_keysign | bool %}
+# RHEL-07-030550 - All uses of the ssh-keysign command must be audited.
+{% if ansible_os_family | lower == 'debian' %}
+-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
+{% else %}
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
+{% endif %}
+{% endif %}
+
+{% if security_rhel7_audit_pt_chown | bool and ansible_os_family | lower == 'redhat' %}
+# RHEL-07-030560 - All uses of the pt_chown command must be audited.
+-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030560
+{% endif %}
+
+{% if security_rhel7_audit_crontab | bool %}
+# RHEL-07-030561 - All uses of the crontab command must be audited.
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030561
+{% endif %}
+
+{% if security_rhel7_audit_pam_timestamp_check | bool %}
+# RHEL-07-030630 - All uses of the pam_timestamp_check command must be audited.
+-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F auid!=4294967295 -k RHEL-07-030630
+{% endif %}
+
+{% if security_rhel7_audit_init_module | bool %}
+# RHEL-07-030670 - All uses of the init_module command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S init_module -k RHEL-07-030670
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_delete_module | bool %}
+# RHEL-07-030671 - All uses of the delete_module command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S delete_module -k RHEL-07-030671
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_insmod | bool %}
+# RHEL-07-030672 - All uses of the insmod command must be audited.
+-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
+{% endif %}
+
+{% if security_rhel7_audit_rmmod | bool %}
+# RHEL-07-030673 - All uses of the rmmod command must be audited.
+-w /sbin/rmmod -p x -F auid!=4294967295 -k RHEL-07-030673
+{% endif %}
+
+{% if security_rhel7_audit_modprobe | bool %}
+# RHEL-07-030674 - All uses of the modprobe command must be audited.
+-w /sbin/modprobe -p x -F auid!=4294967295 -k RHEL-07-030674
+{% endif %}
+
+{% if security_rhel7_audit_account_actions | bool %}
+# RHEL-07-030710 - The operating system must generate audit records for all
+# account creations, modifications, disabling, and termination events.
+-w /etc/group -p wa -k RHEL-07-030710
+-w /etc/passwd -p wa -k RHEL-07-030710
+-w /etc/gshadow -p wa -k RHEL-07-030710
+-w /etc/shadow -p wa -k RHEL-07-030710
+-w /etc/security/opasswd -p wa -k RHEL-07-030710
+{% endif %}
+
+{% if security_rhel7_audit_rename | bool %}
+# RHEL-07-030750 - All uses of the rename command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030750
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_renameat | bool %}
+# RHEL-07-030751 - All uses of the renameat command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S renameat  -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030751
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_rmdir | bool %}
+# RHEL-07-030752 - All uses of the rmdir command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S rmdir  -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030752
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_unlink | bool %}
+# RHEL-07-030753 - All uses of the unlink command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S unlink  -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030753
+{% endfor %}
+{% endif %}
+
+{% if security_rhel7_audit_unlinkat | bool %}
+# RHEL-07-030754 - All uses of the unlinkat command must be audited.
+{% for arch in auditd_architectures %}
+-a always,exit -F arch={{ arch }} -S unlinkat  -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030754
+{% endfor %}
+{% endif %}