0eece28000
This patch sets the auditd failure flag and controls what auditd does when there is an auditing failure. Changing this setting can cause a system to go offline and this is noted thoroughly in the documentation. Implements: blueprint security-rhel7-stig Change-Id: I3eb76804a0335596afd3591ae0133fca7568d0cb
91 lines
4.6 KiB
Django/Jinja
91 lines
4.6 KiB
Django/Jinja
## Rules for auditd deployed by openstack-ansible-security
|
|
# Do not edit any of these rules directly. The contents of this file are
|
|
# controlled by Ansible variables and each variable is explained in detail
|
|
# within the role documentation:
|
|
#
|
|
# http://docs.openstack.org/developer/openstack-ansible-security/
|
|
#
|
|
{# #}
|
|
{# The following loop takes a variable called audited_commands (a list of #}
|
|
{# dictionaries) and creates audit rules for each audited command or #}
|
|
{# syscall. #}
|
|
{# #}
|
|
# Audited commands and syscalls
|
|
{% for audited_command in audited_commands %}
|
|
{# #}
|
|
{# We replace any dashes in the command with underscores. The variables that #}
|
|
{# control the deployment of each rule can only contain underscores. #}
|
|
{# #}
|
|
{% set command_sanitized = audited_command['command'] | replace('-', '_') %}
|
|
{# #}
|
|
{# Verify that the variable controlling the rule is enabled and any distro- #}
|
|
{# specific requirements are met. #}
|
|
{# #}
|
|
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %}
|
|
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
|
|
{# #}
|
|
{# Some audit rules are specific to syscalls. Different rules are needed for #}
|
|
{# x86 and ppc64 systems. #}
|
|
{# #}
|
|
{% if audited_command['arch_specific'] %}
|
|
{% for arch in auditd_architectures %}
|
|
-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
|
|
{% endfor %}
|
|
{% else %}
|
|
-a always,exit -F path={{ audited_command['path'] | default('/usr/bin') }}/{{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% endfor %}
|
|
|
|
# Other audited events
|
|
{# #}
|
|
{# These events are more specific and require static templating. #}
|
|
{# #}
|
|
{% if security_rhel7_audit_account_access | bool %}
|
|
# RHEL-07-030490 - The operating system must generate audit records for all
|
|
# successful/unsuccessful account access count events.
|
|
-w /var/log/tallylog -p wa -k RHEL-07-030490
|
|
# RHEL-07-030491 - The operating system must generate audit records for all
|
|
# unsuccessful account access events.
|
|
-w /var/run/faillock -p wa -k RHEL-07-030491
|
|
# RHEL-07-030492 - The operating system must generate audit records for all
|
|
# successful account access events.
|
|
-w /var/log/lastlog -p wa -k RHEL-07-030492
|
|
{% endif %}
|
|
|
|
{% if security_rhel7_audit_sudo_config_changes | bool %}
|
|
# RHEL-07-030523 - The operating system must generate audit records containing
|
|
# the full-text recording of modifications to sudo configuration files.
|
|
-w /etc/sudoers -p wa -k RHEL-07-030523
|
|
-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
|
|
{% endif %}
|
|
|
|
{% if security_rhel7_audit_insmod | bool %}
|
|
# RHEL-07-030672 - All uses of the insmod command must be audited.
|
|
-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
|
|
{% endif %}
|
|
|
|
{% if security_rhel7_audit_rmmod | bool %}
|
|
# RHEL-07-030673 - All uses of the rmmod command must be audited.
|
|
-w /sbin/rmmod -p x -F auid!=4294967295 -k RHEL-07-030673
|
|
{% endif %}
|
|
|
|
{% if security_rhel7_audit_modprobe | bool %}
|
|
# RHEL-07-030674 - All uses of the modprobe command must be audited.
|
|
-w /sbin/modprobe -p x -F auid!=4294967295 -k RHEL-07-030674
|
|
{% endif %}
|
|
|
|
{% if security_rhel7_audit_account_actions | bool %}
|
|
# RHEL-07-030710 - The operating system must generate audit records for all
|
|
# account creations, modifications, disabling, and termination events.
|
|
-w /etc/group -p wa -k RHEL-07-030710
|
|
-w /etc/passwd -p wa -k RHEL-07-030710
|
|
-w /etc/gshadow -p wa -k RHEL-07-030710
|
|
-w /etc/shadow -p wa -k RHEL-07-030710
|
|
-w /etc/security/opasswd -p wa -k RHEL-07-030710
|
|
{% endif %}
|
|
|
|
# Set the auditd failure flag
|
|
-f {{ security_rhel7_audit_failure_flag }}
|