openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/templates/osas-auditd.j2
Major Hayden 3942b20fb1 Unblock security role gate 
This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
2017-01-03 12:19:46 -06:00

336 lines
16 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
# Delete all existing auditd rules prior to loading this ruleset.
-D
# Increase the buffers to survive stress events.
-b 320
{% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S settimeofday -k audit_time_rules-V-38522
{% else %}
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules-V-38522
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules-V-38522
{% endif %}
{% endif %}
{% if security_audit_clock_stime | bool %}
# RHEL 6 STIG V-38525
# Audits changes to system time via stime
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
{% else %}
-a always,exit -F arch=b32 -S stime -k audit_time_rules-V-38525
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
{% endif %}
{% endif %}
{% if security_audit_clock_settime | bool %}
# RHEL 6 STIG V-38527
# Audits changes to system time via clock_settime
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S clock_settime -k audit_time_rules-V-38527
{% else %}
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules-V-38527
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules-V-38527
{% endif %}
{% endif %}
{% if security_audit_change_localtime | bool %}
# RHEL 6 STIG V-38530
# Audits clock changes made via /etc/localtime
-w /etc/localtime -p wa -k audit_time_rules-V-38530
{% endif %}
{% if security_audit_account_modification | bool %}
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
# Audits account modifications and terminations
-w /etc/group -p wa -k audit_account_changes-V-38531
-w /etc/passwd -p wa -k audit_account_changes-V-38531
-w /etc/gshadow -p wa -k audit_account_changes-V-38531
-w /etc/shadow -p wa -k audit_account_changes-V-38531
-w /etc/security/opasswd -p wa -k audit_account_changes-V-38531
{% endif %}
{% if security_audit_network_changes | bool %}
# RHEL 6 STIG V-38540
# Audits network configuration changes
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
{% else %}
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
{% endif %}
-w /etc/issue -p wa -k audit_network_modifications-V-38540
-w /etc/issue.net -p wa -k audit_network_modifications-V-38540
-w /etc/hosts -p wa -k audit_network_modifications-V-38540
{% if ansible_os_family == "RedHat" %}
-w /etc/sysconfig/network -p wa -k audit_network_modifications-V-38540
{% elif ansible_os_family == "Debian" %}
-w /etc/network -p wa -k audit_network_modifications-V-38540
{% endif %}
{% endif %}
{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy-V-38541
-w /etc/apparmor.d/ -p wa -k MAC-policy-V-38541
{% endif %}
{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to SELinux policies
-w /etc/selinux/ -p wa -k MAC-policy-V-38541
{% endif %}
{% if security_audit_DAC_chmod | bool %}
# RHEL 6 STIG V-38543
# Audits DAC changes via chmod
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=ppc64 -S removexattr -F auid=0 -k perm_mod-V-38543
{% else %}
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod-V-38543
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod-V-38543
{% endif %}
{% endif %}
{% if security_audit_DAC_chown | bool %}
# RHEL 6 STIG V-38545
# Audits DAC changes via chown
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=ppc64 -S chown -F auid=0 -k perm_mod-V-38545
{% else %}
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod-V-38545
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod-V-38545
{% endif %}
{% endif %}
{% if security_audit_DAC_fchmod | bool %}
# RHEL 6 STIG V-38547
# Audits DAC changes via fchmod
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=ppc64 -S fchmod -F auid=0 -k perm_mod-V-38547
{% else %}
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod-V-38547
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod-V-38547
{% endif %}
{% endif %}
{% if security_audit_DAC_fchmodat | bool %}
# RHEL 6 STIG V-38550
# Audits DAC changes via fchmodat
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=ppc64 -S fchmodat -F auid=0 -k perm_mod-V-38550
{% else %}
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod-V-38550
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod-V-38550
{% endif %}
{% endif %}
{% if security_audit_DAC_fchown | bool %}
# RHEL 6 STIG V-38552
# Audits DAC changes via fchown
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=ppc64 -S fchown -F auid=0 -k perm_mod-V-38552
{% else %}
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod-V-38552
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod-V-38552
{% endif %}
{% endif %}
{% if security_audit_DAC_fchownat | bool %}
# RHEL 6 STIG V-38554
# Audits DAC changes via fchownat
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=ppc64 -S fchownat -F auid=0 -k perm_mod-V-38554
{% else %}
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod-V-38554
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod-V-38554
{% endif %}
{% endif %}
{% if security_audit_DAC_fremovexattr | bool %}
# RHEL 6 STIG V-38556
# Audits DAC changes via fremovexattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=ppc64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
{% else %}
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod-V-38556
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
{% endif %}
{% endif %}
{% if security_audit_DAC_fsetxattr | bool %}
# RHEL 6 STIG V-38557
# Audits DAC changes via fsetxattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=ppc64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
{% else %}
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod-V-38557
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
{% endif %}
{% endif %}
{% if security_audit_DAC_lchown | bool %}
# RHEL 6 STIG V-38558
# Audits DAC changes via lchown
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=ppc64 -S lchown -F auid=0 -k perm_mod-V-38558
{% else %}
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558
{% endif %}
{% endif %}
{% if security_audit_DAC_lremovexattr | bool %}
# RHEL 6 STIG V-38559
# Audits DAC changes via lremovexattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
-a always,exit -F arch=ppc64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
{% else %}
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modV-38559
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod-V-38559
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
{% endif %}
{% endif %}
{% if security_audit_DAC_lsetxattr | bool %}
# RHEL 6 STIG V-38561
# Audits DAC changes via lsetxattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=ppc64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
{% else %}
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod-V-38561
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
{% endif %}
{% endif %}
{% if security_audit_DAC_setxattr | bool %}
# RHEL 6 STIG V-38565
# Audits DAC changes via setxattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=ppc64 -S setxattr -F auid=0 -k perm_mod-V-38565
{% else %}
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod-V-38565
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod-V-38565
{% endif %}
{% endif %}
{% if security_audit_failed_access | bool %}
# RHEL 6 STIG V-38566
# Audits failed attempts to access files and programs
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
{% else %}
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
{% endif %}
{% endif %}
{% if security_audit_filesystem_mounts | bool %}
# RHEL 6 STIG V-38568
# Audits filesystem mounts
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=ppc64 -S mount -F auid=0 -k filesystem_mount-V-38568
{% else %}
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
{% endif %}
{% endif %}
{% if security_audit_deletions | bool %}
# RHEL 6 STIG V-38575
# Audits deletion of files and programs
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
{% else %}
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
{% endif %}
{% endif %}
{% if security_audit_sudoers | bool %}
# RHEL 6 STIG V-38578
# Audits /etc/sudoers changes
-w /etc/sudoers -p wa -k actions-V-38578
{% endif %}
{% if security_audit_kernel_modules | bool %}
# RHEL 6 STIG V-38580
# Audits kernel module loading/unloading
-w /sbin/insmod -p x -k modules-V-38580
-w /sbin/rmmod -p x -k modules-V-38580
-w /sbin/modprobe -p x -k modules-V-38580
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S init_module -S delete_module -k modules-V-38580
{% else %}
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules-V-38580
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules-V-38580
{% endif %}
{% endif %}
{% if security_audit_change_system_time | bool %}
# RHEL 6 STIG V-38635
# Audits system time changes
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S adjtimex -k audit_time_rules-V-38635
{% else %}
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules-V-38635
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules-V-38635
{% endif %}
{% endif %}
View Git Blame Copy Permalink