Refactor auditd rules

This commit adds all of the remaining audit rules to the role and
refactors most of the audit rules into a list that jinja2 can
loop over.

Docs will be in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I17ca6356ae7819f0721585850e4d70e0bac29ff1
This commit is contained in:
Major Hayden 2016-11-14 12:55:29 -06:00
parent 0fbf1cc09d
commit ff5bbe1233
6 changed files with 314 additions and 190 deletions


@ -389,39 +389,62 @@ security_unattended_upgrades_notifications: false
#security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330
# Encrypt audit records when they are transmitted over the network.
#security_audisp_enable_krb5: yes # RHEL-07-030331
# Rules for auditd are enabled if 'yes', disabled if 'no'. See the
# documentation for each STIG control before enabling or disabling any rules.
security_rhel7_audit_account_access: yes # RHEL-07-030492
security_rhel7_audit_passwd_command: yes # RHEL-07-030510
security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511
security_rhel7_audit_gpasswd: yes # RHEL-07-030512
security_rhel7_audit_chage: yes # RHEL-07-030513
security_rhel7_audit_userhelper: yes # RHEL-07-030514
security_rhel7_audit_su: yes # RHEL-07-030521
security_rhel7_audit_sudo: yes # RHEL-07-030522
security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523
security_rhel7_audit_newgrp: yes # RHEL-07-030524
# Add audit rules for commands/syscalls.
security_rhel7_audit_chsh: yes # RHEL-07-030525
security_rhel7_audit_sudoedit: yes # RHEL-07-030526
security_rhel7_audit_chage: yes # RHEL-07-030513
security_rhel7_audit_chcon: yes # RHEL-07-030443
security_rhel7_audit_chmod: no # RHEL-07-030390
security_rhel7_audit_chown: no # RHEL-07-030380
security_rhel7_audit_creat: yes # RHEL-07-030420
security_rhel7_audit_crontab: yes # RHEL-07-030561
security_rhel7_audit_delete_module: yes # RHEL-07-030671
security_rhel7_audit_fchmod: no # RHEL-07-030391
security_rhel7_audit_fchmodat: no # RHEL-07-030392
security_rhel7_audit_fchown: no # RHEL-07-030381
security_rhel7_audit_fchownat: no # RHEL-07-030383
security_rhel7_audit_fremovexattr: no # RHEL-07-030404
security_rhel7_audit_fsetxattr: no # RHEL-07-030401
security_rhel7_audit_ftruncate: yes # RHEL-07-030425
security_rhel7_audit_init_module: yes # RHEL-07-030670
security_rhel7_audit_gpasswd: yes # RHEL-07-030512
security_rhel7_audit_lchown: no # RHEL-07-030382
security_rhel7_audit_lremovexattr: no # RHEL-07-030405
security_rhel7_audit_lsetxattr: no # RHEL-07-030402
security_rhel7_audit_mount: yes # RHEL-07-030530
security_rhel7_audit_umount: yes # RHEL-07-030531
security_rhel7_audit_newgrp: yes # RHEL-07-030524
security_rhel7_audit_open: yes # RHEL-07-030421
security_rhel7_audit_openat: yes # RHEL-07-030422
security_rhel7_audit_open_by_handle_at: yes # RHEL-07-030423
security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630
security_rhel7_audit_passwd: yes # RHEL-07-030510
security_rhel7_audit_postdrop: yes # RHEL-07-030540
security_rhel7_audit_postqueue: yes # RHEL-07-030541
security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550
security_rhel7_audit_pt_chown: yes # RHEL-07-030560
security_rhel7_audit_crontab: yes # RHEL-07-030561
security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630
security_rhel7_audit_init_module: yes # RHEL-07-030670
security_rhel7_audit_delete_module: yes # RHEL-07-030671
security_rhel7_audit_removexattr: no # RHEL-07-030403
security_rhel7_audit_rename: yes # RHEL-07-030750
security_rhel7_audit_renameat: yes # RHEL-07-030751
security_rhel7_audit_restorecon: yes # RHEL-07-030444
security_rhel7_audit_rmdir: yes # RHEL-07-030752
security_rhel7_audit_semanage: yes # RHEL-07-030441
security_rhel7_audit_setsebool: yes # RHEL-07-030442
security_rhel7_audit_setxattr: no # RHEL-07-030400
security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550
security_rhel7_audit_su: yes # RHEL-07-030521
security_rhel7_audit_sudo: yes # RHEL-07-030522
security_rhel7_audit_sudoedit: yes # RHEL-07-030526
security_rhel7_audit_truncate: yes # RHEL-07-030424
security_rhel7_audit_umount: yes # RHEL-07-030531
security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511
security_rhel7_audit_unlink: yes # RHEL-07-030753
security_rhel7_audit_unlinkat: yes # RHEL-07-030754
security_rhel7_audit_userhelper: yes # RHEL-07-030514
# Add audit rules for other events.
security_rhel7_audit_account_access: yes # RHEL-07-030490
security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523
security_rhel7_audit_insmod: yes # RHEL-07-030672
security_rhel7_audit_rmmod: yes # RHEL-07-030673
security_rhel7_audit_modprobe: yes # RHEL-07-030674
security_rhel7_audit_account_actions: yes # RHEL-07-030710
security_rhel7_audit_rename: yes # RHEL-07-030750
security_rhel7_audit_renameat: yes # RHEL-07-030751
security_rhel7_audit_rmdir: yes # RHEL-07-030752
security_rhel7_audit_unlink: yes # RHEL-07-030753
security_rhel7_audit_unlinkat: yes # RHEL-07-030754
## Authentication (auth)
# Disallow logins from accounts with blank/null passwords via PAM.
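Review bot: The variable `security_rhel7_audit_passwd_command` is renamed to `security_rhel7_audit_passwd` with no compatibility handling, so a deployer override of the old name is silently ignored and the passwd rule reverts to its default. If a release already shipped the old name, keep it working with a mapping such as `security_rhel7_audit_passwd: "{{ security_rhel7_audit_passwd_command | default(true) }}"`, or at least call the rename out in the release notes. Separately, the whole block writes booleans as `yes`/`no`; `true`/`false` avoids the YAML 1.1/1.2 truthiness differences and satisfies yamllint's truthy rule.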


@ -21,6 +21,11 @@
tags:
- always
- name: Load variables for audited commands
include_vars: audit.yml
tags:
- always
- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
lineinfile:
dest: /etc/audisp/audisp-remote.conf
@ -79,33 +84,57 @@
- generate auditd rules
tags:
- auditd
- RHEL-07-030492
- RHEL-07-030510
- RHEL-07-030511
- RHEL-07-030512
- RHEL-07-030513
- RHEL-07-030514
- RHEL-07-030521
- RHEL-07-030522
- RHEL-07-030523
- RHEL-07-030524
- RHEL-07-030525
- RHEL-07-030526
- RHEL-07-030513
- RHEL-07-030443
- RHEL-07-030390
- RHEL-07-030380
- RHEL-07-030420
- RHEL-07-030561
- RHEL-07-030671
- RHEL-07-030391
- RHEL-07-030392
- RHEL-07-030381
- RHEL-07-030383
- RHEL-07-030404
- RHEL-07-030401
- RHEL-07-030425
- RHEL-07-030670
- RHEL-07-030512
- RHEL-07-030382
- RHEL-07-030405
- RHEL-07-030402
- RHEL-07-030530
- RHEL-07-030531
- RHEL-07-030524
- RHEL-07-030421
- RHEL-07-030422
- RHEL-07-030423
- RHEL-07-030630
- RHEL-07-030510
- RHEL-07-030540
- RHEL-07-030541
- RHEL-07-030550
- RHEL-07-030560
- RHEL-07-030561
- RHEL-07-030630
- RHEL-07-030670
- RHEL-07-030671
- RHEL-07-030403
- RHEL-07-030750
- RHEL-07-030751
- RHEL-07-030444
- RHEL-07-030752
- RHEL-07-030441
- RHEL-07-030442
- RHEL-07-030400
- RHEL-07-030550
- RHEL-07-030521
- RHEL-07-030522
- RHEL-07-030526
- RHEL-07-030424
- RHEL-07-030531
- RHEL-07-030511
- RHEL-07-030753
- RHEL-07-030754
- RHEL-07-030514
- RHEL-07-030490
- RHEL-07-030523
- RHEL-07-030672
- RHEL-07-030673
- RHEL-07-030674
- RHEL-07-030750
- RHEL-07-030751
- RHEL-07-030752
- RHEL-07-030753
- RHEL-07-030754
- RHEL-07-030710
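Review bot: The tag list for the auditd rule task now carries `RHEL-07-030490` but neither `RHEL-07-030491` nor `RHEL-07-030492`, although the template emits watch rules keyed with all three under `security_rhel7_audit_account_access`; running the role with `--tags RHEL-07-030492` therefore skips the task that generates that rule. Add `- RHEL-07-030491` and `- RHEL-07-030492` to the list. The list also hand-duplicates every `stig_id` from vars/audit.yml, so the two are likely to drift; a comment such as `# Keep in step with the stig_id values in vars/audit.yml` above the tags would help. The task definition itself begins outside the hunk.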


@ -1,123 +1,66 @@
## Rules for auditd deployed by openstack-ansible-security
# Do not edit any of these rules directly. The contents of this file are
# controlled by Ansible variables and each variable is explained in detail
# within the role documentation:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
#
{# #}
{# The following loop takes a variable called audited_commands (a list of #}
{# dictionaries) and creates audit rules for each audited command or #}
{# syscall. #}
{# #}
# Audited commands and syscalls
{% for audited_command in audited_commands %}
{# #}
{# We replace any dashes in the command with underscores. The variables that #}
{# control the deployment of each rule can only contain underscores. #}
{# #}
{% set command_sanitized = audited_command['command'] | replace('-', '_') %}
{# #}
{# Verify that the variable controlling the rule is enabled and any distro- #}
{# specific requirements are met. #}
{# #}
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %}
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
{# #}
{# Some audit rules are specific to syscalls. Different rules are needed for #}
{# x86 and ppc64 systems. #}
{# #}
{% if audited_command['arch_specific'] %}
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endfor %}
{% else %}
-a always,exit -F path={{ audited_command['path'] | default('/usr/bin') }}/{{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endif %}
{% endif %}
{% endfor %}
# Other audited events
{# #}
{# These events are more specific and require static templating. #}
{# #}
{% if security_rhel7_audit_account_access | bool %}
# RHEL-07-030490 - The operating system must generate audit records for all
# successful/unsuccessful account access count events.
-w /var/log/tallylog -p wa -k RHEL-07-030490
# RHEL-07-030491 - The operating system must generate audit records for all
# unsuccessful account access events.
-w /var/run/faillock -p wa -k RHEL-07-030491
# RHEL-07-030492 - The operating system must generate audit records for all
# successful account access events.
-w /var/log/lastlog -p wa -k RHEL-07-030492
{% endif %}
{% if security_rhel7_audit_passwd_command | bool %}
# RHEL-07-030510 - All uses of the passwd command must be audited.
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030510
{% endif %}
{% if security_rhel7_audit_unix_chkpwd | bool %}
# RHEL-07-030511 - All uses of the unix_chkpwd command must be audited.
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030511
{% endif %}
{% if security_rhel7_audit_gpasswd | bool %}
# RHEL-07-030512 - All uses of the gpasswd command must be audited.
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030512
{% endif %}
{% if security_rhel7_audit_chage | bool %}
# RHEL-07-030513 - All uses of the chage command must be audited.
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513
{% endif %}
{% if security_rhel7_audit_userhelper | bool %}
# RHEL-07-030514 - All uses of the userhelper command must be audited.
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030514
{% endif %}
{% if security_rhel7_audit_su | bool %}
# RHEL-07-030521 - All uses of the su command must be audited.
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030521
{% endif %}
{% if security_rhel7_audit_sudo | bool %}
# RHEL-07-030522 - All uses of the sudo command must be audited.
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030522
{% endif %}
{% if security_rhel7_audit_sudo_config_changes | bool %}
# RHEL-07-030523 - The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files.
# RHEL-07-030523 - The operating system must generate audit records containing
# the full-text recording of modifications to sudo configuration files.
-w /etc/sudoers -p wa -k RHEL-07-030523
-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
{% endif %}
{% if security_rhel7_audit_newgrp | bool %}
# RHEL-07-030524 - All uses of the newgrp command must be audited.
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030524
{% endif %}
{% if security_rhel7_audit_chsh | bool %}
# RHEL-07-030525 - All uses of the chsh command must be audited.
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525
{% endif %}
{% if security_rhel7_audit_sudoedit | bool %}
# RHEL-07-030526 - All uses of the sudoedit command must be audited.
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030526
{% endif %}
{% if security_rhel7_audit_mount | bool %}
# RHEL-07-030530 - All uses of the mount command must be audited.
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030530
{% endif %}
{% if security_rhel7_audit_umount | bool %}
# RHEL-07-030531 - All uses of the umount command must be audited.
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030531
{% endif %}
{% if security_rhel7_audit_postdrop | bool %}
# RHEL-07-030540 - All uses of the postdrop command must be audited.
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030540
{% endif %}
{% if security_rhel7_audit_postqueue | bool %}
# RHEL-07-030541 - All uses of the postqueue command must be audited.
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030541
{% endif %}
{% if security_rhel7_audit_ssh_keysign | bool %}
# RHEL-07-030550 - All uses of the ssh-keysign command must be audited.
{% if ansible_os_family | lower == 'debian' %}
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
{% else %}
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
{% endif %}
{% endif %}
{% if security_rhel7_audit_pt_chown | bool and ansible_os_family | lower == 'redhat' %}
# RHEL-07-030560 - All uses of the pt_chown command must be audited.
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030560
{% endif %}
{% if security_rhel7_audit_crontab | bool %}
# RHEL-07-030561 - All uses of the crontab command must be audited.
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030561
{% endif %}
{% if security_rhel7_audit_pam_timestamp_check | bool %}
# RHEL-07-030630 - All uses of the pam_timestamp_check command must be audited.
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F auid!=4294967295 -k RHEL-07-030630
{% endif %}
{% if security_rhel7_audit_init_module | bool %}
# RHEL-07-030670 - All uses of the init_module command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S init_module -k RHEL-07-030670
{% endfor %}
{% endif %}
{% if security_rhel7_audit_delete_module | bool %}
# RHEL-07-030671 - All uses of the delete_module command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S delete_module -k RHEL-07-030671
{% endfor %}
{% endif %}
{% if security_rhel7_audit_insmod | bool %}
# RHEL-07-030672 - All uses of the insmod command must be audited.
-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
@ -142,38 +85,3 @@
-w /etc/shadow -p wa -k RHEL-07-030710
-w /etc/security/opasswd -p wa -k RHEL-07-030710
{% endif %}
{% if security_rhel7_audit_rename | bool %}
# RHEL-07-030750 - All uses of the rename command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030750
{% endfor %}
{% endif %}
{% if security_rhel7_audit_renameat | bool %}
# RHEL-07-030751 - All uses of the renameat command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030751
{% endfor %}
{% endif %}
{% if security_rhel7_audit_rmdir | bool %}
# RHEL-07-030752 - All uses of the rmdir command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030752
{% endfor %}
{% endif %}
{% if security_rhel7_audit_unlink | bool %}
# RHEL-07-030753 - All uses of the unlink command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030753
{% endfor %}
{% endif %}
{% if security_rhel7_audit_unlinkat | bool %}
# RHEL-07-030754 - All uses of the unlinkat command must be audited.
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030754
{% endfor %}
{% endif %}
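Review bot: The generic rule on the arch-specific branch now applies `-F perm=x -F auid>=1000 -F auid!=4294967295` to every syscall in `audited_commands`, including `init_module` and `delete_module`, whose previous rules carried no such filters; module loads performed with auid 0 or with an unset loginuid (system services, console root) therefore stop being recorded, which is a weaker control than before the refactor. In addition, `-F perm=x` on a syscall rule restricts matching to the execve class, so as far as I can tell it cannot match syscalls such as `chmod` or `rename` at all — that pattern predates this commit for the rename/unlink rules but is now propagated to every syscall entry. I would drop `perm=x` from the syscall branch and exempt the module syscalls from the auid filters, as below; a cleaner variant is a per-entry flag in vars/audit.yml. The `auditd_architectures` loop and the path-based branch are otherwise unchanged.
```jinja
{% if audited_command['arch_specific'] %}
{% for arch in auditd_architectures %}
{% if audited_command['command'] in ['init_module', 'delete_module'] %}
-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -k {{ audited_command['stig_id'] }}
{% else %}
-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endif %}
{% endfor %}
{% else %}
{# … unchanged: path-based rule for commands … #}
```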

vars/audit.yml Normal file

@ -0,0 +1,162 @@
---
audited_commands:
- command: chsh
stig_id: RHEL-07-030525
arch_specific: no
- command: chage
stig_id: RHEL-07-030513
arch_specific: no
- command: chcon
stig_id: RHEL-07-030443
arch_specific: no
- command: chmod
stig_id: RHEL-07-030390
arch_specific: yes
- command: chown
stig_id: RHEL-07-030380
arch_specific: yes
- command: creat
stig_id: RHEL-07-030420
arch_specific: yes
- command: crontab
stig_id: RHEL-07-030561
arch_specific: no
- command: delete_module
stig_id: RHEL-07-030671
arch_specific: yes
- command: fchmod
stig_id: RHEL-07-030391
arch_specific: yes
- command: fchmodat
stig_id: RHEL-07-030392
arch_specific: yes
- command: fchown
stig_id: RHEL-07-030381
arch_specific: yes
- command: fchownat
stig_id: RHEL-07-030383
arch_specific: yes
- command: fremovexattr
stig_id: RHEL-07-030404
arch_specific: yes
- command: fsetxattr
stig_id: RHEL-07-030401
arch_specific: yes
- command: ftruncate
stig_id: RHEL-07-030425
arch_specific: yes
- command: init_module
stig_id: RHEL-07-030670
arch_specific: yes
- command: gpasswd
stig_id: RHEL-07-030512
arch_specific: no
- command: lchown
stig_id: RHEL-07-030382
arch_specific: yes
- command: lremovexattr
stig_id: RHEL-07-030405
arch_specific: yes
- command: lsetxattr
stig_id: RHEL-07-030402
arch_specific: yes
- command: mount
path: /bin
stig_id: RHEL-07-030530
arch_specific: no
- command: newgrp
stig_id: RHEL-07-030524
arch_specific: no
- command: open
stig_id: RHEL-07-030421
arch_specific: yes
- command: openat
stig_id: RHEL-07-030422
arch_specific: yes
- command: open_by_handle_at
stig_id: RHEL-07-030423
arch_specific: yes
- command: pam_timestamp_check
path: /sbin
stig_id: RHEL-07-030630
arch_specific: no
- command: passwd
stig_id: RHEL-07-030510
arch_specific: no
- command: postdrop
path: /usr/sbin
stig_id: RHEL-07-030540
arch_specific: no
- command: postqueue
path: /usr/sbin
stig_id: RHEL-07-030541
arch_specific: no
- command: pt_chown
path: /usr/libexec
stig_id: RHEL-07-030560
arch_specific: no
distro: redhat
- command: removexattr
stig_id: RHEL-07-030403
arch_specific: yes
- command: rename
stig_id: RHEL-07-030750
arch_specific: yes
- command: renameat
stig_id: RHEL-07-030751
arch_specific: yes
- command: restorecon
path: /usr/sbin
stig_id: RHEL-07-030444
arch_specific: no
- command: rmdir
stig_id: RHEL-07-030752
arch_specific: yes
- command: semanage
path: /usr/sbin
stig_id: RHEL-07-030441
arch_specific: no
- command: setsebool
path: /usr/sbin
stig_id: RHEL-07-030442
arch_specific: no
- command: setxattr
stig_id: RHEL-07-030400
arch_specific: yes
- command: ssh-keysign
path: "{{ ssh_keysign_path }}"
stig_id: RHEL-07-030550
arch_specific: no
- command: su
path: /bin
stig_id: RHEL-07-030521
arch_specific: no
- command: sudo
stig_id: RHEL-07-030522
arch_specific: no
- command: sudoedit
path: /bin
stig_id: RHEL-07-030526
arch_specific: no
- command: truncate
stig_id: RHEL-07-030424
arch_specific: yes
- command: umount
path: /bin
stig_id: RHEL-07-030531
arch_specific: no
- command: unix_chkpwd
path: /sbin
stig_id: RHEL-07-030511
arch_specific: no
- command: unlink
stig_id: RHEL-07-030753
arch_specific: yes
- command: unlinkat
stig_id: RHEL-07-030754
arch_specific: yes
- command: userhelper
path: /usr/sbin
stig_id: RHEL-07-030514
arch_specific: no
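Review bot: The new file has no header describing the schema of an `audited_commands` entry, yet the template depends on it: `path` is optional and defaults to `/usr/bin`, `distro` is optional and is compared case-insensitively against `ansible_os_family`, and `arch_specific` selects a per-architecture `-S` syscall rule instead of a `-F path=` rule. A short comment block above `audited_commands:` stating those keys, their defaults, and that the controlling variable name is `security_rhel7_audit_` plus `command` with dashes replaced by underscores would save the next editor a trip to the template. Because the template resolves `vars['security_rhel7_audit_' + command_sanitized]`, an entry with no matching default in defaults/main.yml fails the render, which the header should also mention. The entries use `yes`/`no`, which the template tests without `| bool`; `true`/`false` keeps the values unambiguous across YAML 1.1 and 1.2 parsers and satisfies yamllint's truthy rule.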


@ -29,6 +29,7 @@ chrony_service: chronyd
# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
ssh_keysign_path: /usr/libexec/openssh
# RHEL 6 STIG: Packages to add/remove
stig_packages:


@ -32,6 +32,7 @@ chrony_service: chrony
# Commands
grub_update_cmd: "update-grub"
ssh_keysign_path: /usr/lib/openssh
# RHEL 6 STIG: Packages to add/remove
stig_packages: