openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/templates/osas-auditd-rhel7.j2
Major Hayden 3942b20fb1 Unblock security role gate 
This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
2017-01-03 12:19:46 -06:00

98 lines
4.8 KiB
Django/Jinja
Raw Blame History

## Rules for auditd deployed by openstack-ansible-security
# Do not edit any of these rules directly. The contents of this file are
# controlled by Ansible variables and each variable is explained in detail
# within the role documentation:
#
# http://docs.openstack.org/developer/openstack-ansible-security/
#
# Delete all existing auditd rules prior to loading this ruleset.
-D
# Increase the buffers to survive stress events.
-b 320
# Set the auditd failure flag.
-f {{ security_rhel7_audit_failure_flag }}
{# #}
{# The following loop takes a variable called audited_commands (a list of #}
{# dictionaries) and creates audit rules for each audited command or #}
{# syscall. #}
{# #}
# Audited commands and syscalls
{% for audited_command in audited_commands %}
{# #}
{# We replace any dashes in the command with underscores. The variables that #}
{# control the deployment of each rule can only contain underscores. #}
{# #}
{% set command_sanitized = audited_command['command'] | replace('-', '_') %}
{# #}
{# Verify that the variable controlling the rule is enabled and any distro- #}
{# specific requirements are met. #}
{# #}
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %}
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
{# #}
{# Some audit rules are specific to syscalls. Different rules are needed for #}
{# x86 and ppc64 systems. #}
{# #}
{% if audited_command['arch_specific'] %}
{% for arch in auditd_architectures %}
-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endfor %}
{% else %}
-a always,exit -F path={{ audited_command['path'] | default('/usr/bin') }}/{{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }}
{% endif %}
{% endif %}
{% endfor %}
# Other audited events
{# #}
{# These events are more specific and require static templating. #}
{# #}
{% if security_rhel7_audit_account_access | bool %}
# RHEL-07-030490 - The operating system must generate audit records for all
# successful/unsuccessful account access count events.
-w /var/log/tallylog -p wa -k RHEL-07-030490
# RHEL-07-030491 - The operating system must generate audit records for all
# unsuccessful account access events.
-w /var/run/faillock -p wa -k RHEL-07-030491
# RHEL-07-030492 - The operating system must generate audit records for all
# successful account access events.
-w /var/log/lastlog -p wa -k RHEL-07-030492
{% endif %}
{% if security_rhel7_audit_sudo_config_changes | bool %}
# RHEL-07-030523 - The operating system must generate audit records containing
# the full-text recording of modifications to sudo configuration files.
-w /etc/sudoers -p wa -k RHEL-07-030523
-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
{% endif %}
{% if security_rhel7_audit_insmod | bool %}
# RHEL-07-030672 - All uses of the insmod command must be audited.
-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
{% endif %}
{% if security_rhel7_audit_rmmod | bool %}
# RHEL-07-030673 - All uses of the rmmod command must be audited.
-w /sbin/rmmod -p x -F auid!=4294967295 -k RHEL-07-030673
{% endif %}
{% if security_rhel7_audit_modprobe | bool %}
# RHEL-07-030674 - All uses of the modprobe command must be audited.
-w /sbin/modprobe -p x -F auid!=4294967295 -k RHEL-07-030674
{% endif %}
{% if security_rhel7_audit_account_actions | bool %}
# RHEL-07-030710 - The operating system must generate audit records for all
# account creations, modifications, disabling, and termination events.
-w /etc/group -p wa -k RHEL-07-030710
-w /etc/passwd -p wa -k RHEL-07-030710
-w /etc/gshadow -p wa -k RHEL-07-030710
-w /etc/shadow -p wa -k RHEL-07-030710
-w /etc/security/opasswd -p wa -k RHEL-07-030710
{% endif %}
View Git Blame Copy Permalink