ansible-hardening/templates/osas-auditd-rhel7.j2
Major Hayden 0eece28000 Set auditd failure flag [+Docs]
This patch sets the auditd failure flag and controls what
auditd does when there is an auditing failure. Changing this setting
can cause a system to go offline and this is noted thoroughly in
the documentation.

Implements: blueprint security-rhel7-stig
Change-Id: I3eb76804a0335596afd3591ae0133fca7568d0cb
2016-11-29 16:20:32 -06:00

91 lines
4.6 KiB
Django/Jinja

## Rules for auditd deployed by openstack-ansible-security
# Do not edit any of these rules directly. The contents of this file are
# controlled by Ansible variables and each variable is explained in detail
# within the role documentation:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
#
{# #}
{# The following loop takes a variable called audited_commands (a list of #}
{# dictionaries) and creates audit rules for each audited command or #}
{# syscall. #}
{# #}
# Audited commands and syscalls
{% for audited_command in audited_commands %}
{# #}
{# We replace any dashes in the command with underscores. The variables that #}
{# control the deployment of each rule can only contain underscores. #}
{# #}
{% set command_sanitized = audited_command['command'] | replace('-', '_') %}
{# #}
{# Verify that the variable controlling the rule is enabled and any distro- #}
{# specific requirements are met. #}
{# #}
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %}
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
{# #}
{# Some audit rules are specific to syscalls. Different rules are needed for #}
{# x86 and ppc64 systems. #}
{# #}
{% if audited_command['arch_specific'] %}
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endfor %}
{% else %}
-a always,exit -F path={{ audited_command['path'] | default('/usr/bin') }}/{{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endif %}
{% endif %}
{% endfor %}
# Other audited events
{# #}
{# These events are more specific and require static templating. #}
{# #}
{% if security_rhel7_audit_account_access | bool %}
# RHEL-07-030490 - The operating system must generate audit records for all
# successful/unsuccessful account access count events.
-w /var/log/tallylog -p wa -k RHEL-07-030490
# RHEL-07-030491 - The operating system must generate audit records for all
# unsuccessful account access events.
-w /var/run/faillock -p wa -k RHEL-07-030491
# RHEL-07-030492 - The operating system must generate audit records for all
# successful account access events.
-w /var/log/lastlog -p wa -k RHEL-07-030492
{% endif %}
{% if security_rhel7_audit_sudo_config_changes | bool %}
# RHEL-07-030523 - The operating system must generate audit records containing
# the full-text recording of modifications to sudo configuration files.
-w /etc/sudoers -p wa -k RHEL-07-030523
-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
{% endif %}
{% if security_rhel7_audit_insmod | bool %}
# RHEL-07-030672 - All uses of the insmod command must be audited.
-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
{% endif %}
{% if security_rhel7_audit_rmmod | bool %}
# RHEL-07-030673 - All uses of the rmmod command must be audited.
-w /sbin/rmmod -p x -F auid!=4294967295 -k RHEL-07-030673
{% endif %}
{% if security_rhel7_audit_modprobe | bool %}
# RHEL-07-030674 - All uses of the modprobe command must be audited.
-w /sbin/modprobe -p x -F auid!=4294967295 -k RHEL-07-030674
{% endif %}
{% if security_rhel7_audit_account_actions | bool %}
# RHEL-07-030710 - The operating system must generate audit records for all
# account creations, modifications, disabling, and termination events.
-w /etc/group -p wa -k RHEL-07-030710
-w /etc/passwd -p wa -k RHEL-07-030710
-w /etc/gshadow -p wa -k RHEL-07-030710
-w /etc/shadow -p wa -k RHEL-07-030710
-w /etc/security/opasswd -p wa -k RHEL-07-030710
{% endif %}
# Set the auditd failure flag
-f {{ security_rhel7_audit_failure_flag }}