ansible-hardening/openstack-ansible-security/templates/osas-auditd.j2

{% if auditd_rules['clock_settimeofday'] | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
{% endif %}

{% if auditd_rules['clock_stime'] | bool %}
# RHEL 6 STIG V-38525
# Audits changes to system time via stime
-a always,exit -F arch=b32 -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
{% endif %}

{% if auditd_rules['clock_settime'] | bool %}
# RHEL 6 STIG V-38527
# Audits changes to system time via clock_settime
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
{% endif %}

{% if auditd_rules['change_localtime'] | bool %}
# RHEL 6 STIG V-38530
# Audits clock changes made via /etc/localtime
-w /etc/localtime -p wa -k audit_time_rules
{% endif %}

{% if auditd_rules['account_modification'] | bool %}
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
# Audits account modifications and terminations
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
{% endif %}

{% if auditd_rules['network_changes'] | bool %}
# RHEL 6 STIG V-38540
# Audits network configuration changes
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/network -p wa -k audit_network_modifications
{% endif %}

{% if auditd_rules['apparmor_changes'] | bool %}
# RHEL 6 STIG V-38541
# Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy
{% endif %}

{% if auditd_rules['DAC_chmod'] | bool %}
# RHEL 6 STIG V-38543
# Audits DAC changes via chmod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_chown'] | bool %}
# RHEL 6 STIG V-38545
# Audits DAC changes via chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_fchmod'] | bool %}
# RHEL 6 STIG V-38547
# Audits DAC changes via fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_fchmodat'] | bool %}
# RHEL 6 STIG V-38550
# Audits DAC changes via fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_fchown'] | bool %}
# RHEL 6 STIG V-38552
# Audits DAC changes via fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_fchownat'] | bool %}
# RHEL 6 STIG V-38554
# Audits DAC changes via fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_fremovexattr'] | bool %}
# RHEL 6 STIG V-38556
# Audits DAC changes via fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_fsetxattr'] | bool %}
# RHEL 6 STIG V-38557
# Audits DAC changes via fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_lchown'] | bool %}
# RHEL 6 STIG V-38558
# Audits DAC changes via lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_lremovexattr'] | bool %}
# RHEL 6 STIG V-38559
# Audits DAC changes via lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_lsetxattr'] | bool %}
# RHEL 6 STIG V-38561
# Audits DAC changes via lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['DAC_setxattr'] | bool %}
# RHEL 6 STIG V-38565
# Audits DAC changes via setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
{% endif %}

{% if auditd_rules['failed_access'] | bool %}
# RHEL 6 STIG V-38566
# Audits failed attempts to access files and programs
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
{% endif %}

{% if auditd_rules['filesystem_mounts'] | bool %}
# RHEL 6 STIG V-38568
# Audits filesystem mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid=0 -k export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid=0 -k export
{% endif %}

{% if auditd_rules['deletions'] %}
# RHEL 6 STIG V-38575
# Audits deletion of files and programs
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
{% endif %}

{% if auditd_rules['sudoers'] %}
# RHEL 6 STIG V-38578
# Audits /etc/sudoers changes
-w /etc/sudoers -p wa -k actions
{% endif %}

{% if auditd_rules['kernel_modules'] | bool %}
# RHEL 6 STIG V-38580
# Audits kernel module loading/unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}

{% if auditd_rules['change_system_time'] | bool %}
# RHEL 6 STIG V-38635
# Audits system time changes
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
{% endif %}