openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel6stig/auditd.yml
Major Hayden 3942b20fb1 Unblock security role gate 
This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
2017-01-03 12:19:46 -06:00

291 lines
7.4 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
service:
name: auditd
state: started
enabled: true
when: not check_mode
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: Verify that auditd.conf exists
stat:
path: /etc/audit/auditd.conf
register: auditd_conf
check_mode: no
tags:
- auditd
- always
- name: V-38633 - The system must set a maximum audit log file size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file(?!_action)"
line: "max_log_file = {{ security_max_log_file }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38633
- name: V-38634 - The system must rotate audit log files that reach the max file size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file_action ="
line: "max_log_file_action = {{ security_max_log_file_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38634
- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?num_logs ="
line: "num_logs = {{ security_num_logs }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38636
# The debsums command returns 0 if the files haven't been altered but it
# returns 2 otherwise. We also will check to see if auditd has been installed
# and fail if it's not installed.
- name: Checking auditd package contents for alterations with debsums (for V-38637)
command: debsums auditd -c
register: v38637_result
changed_when: False
failed_when: "'not installed' in v38637_result.stdout"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'apt'
- v38637_result.rc == 2
tags:
- auditd
- cat2
- V-38637
- name: Check audit package contents for alterations with rpm (for V-38637)
shell: "rpmverify audit audit-libs | grep -v '\\.conf$' | wc -l"
register: v38637_result
changed_when: False
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'yum'
- v38637_result.stdout != "0"
tags:
- auditd
- cat2
- V-38637
- name: Verify that auditd log directory exists (for V-38445)
stat:
path: /var/log/audit/
register: auditd_log_dir
check_mode: no
tags:
- auditd
- always
- name: V-38445 - Audit log files must be group-owned by root
file:
dest: /var/log/audit/
group: root
recurse: true
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38445
- name: V-38464 - The audit system must take action for disk errors
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_error_action"
line: "disk_error_action = {{ security_disk_error_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38464
- name: V-38468 - The audit system must take action when the disk is full
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_full_action"
line: "disk_full_action = {{ security_disk_full_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38468
- name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left(?!_action)"
line: "space_left = {{ security_space_left }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38678
- name: V-38470 - The audit system must take action when the disk is almost full
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left_action"
line: "space_left_action = {{ security_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38470
- name: V-38680 - Audit system must send email notifications when storage capacity is low
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?action_mail_acct"
line: "action_mail_acct = {{ security_action_mail_acct }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38680
- name: V-38495 - Audit log files must be owned by root
file:
dest: /var/log/audit/
owner: root
recurse: true
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38495
# TODO: Ansible 2.0 offers the find module and that will allow this task to
# avoid using the shell module to get a list of logs. This task should be
# adjusted to use the find module when Ansible 2.0 is fully released.
- name: Get a list of audit logs in the auditd directory (for V-38498)
command: ls /var/log/audit/
register: v38498_result
changed_when: false
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38498
# On most systems, the active log file is 0600 and the older logs are 0400.
# This task ensures that all logs meet or exceed the STIG requirement.
- name: V-38498 - Audit log files must have mode 0640 or less
file:
dest: "/var/log/audit/{{ item }}"
mode: "u-x,g-wx,o-rwx"
with_items: "{{ v38498_result.stdout_lines | default([]) }}"
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38498
- name: Remove system default audit.rules file
file:
path: /etc/audit/rules.d/audit.rules
state: absent
notify:
- generate auditd rules
tags:
- always
- name: Auditd rules (includes several STIGs)
template:
src: osas-auditd.j2
dest: /etc/audit/rules.d/osas-auditd.rules
notify:
- generate auditd rules
tags:
- auditd
- cat3
- name: V-38471 - Forward auditd records to syslog
lineinfile:
dest: /etc/audisp/plugins.d/syslog.conf
regexp: "^(#)?active"
line: "active = yes"
state: present
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat3
- V-38471
- name: V-54381 - The audit system must switch to single user mode when disk space is low
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?admin_space_left_action"
line: "admin_space_left_action = {{ security_admin_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-54381
View Git Blame Copy Permalink