Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create auditd rules #468

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions NOTICE
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Ansible Collection - devsec.hardening

Huge parts of the audit rules in roles/os_hardening/vars/*.yml
was created by Deutsche Telekom AG. (https://github.com/telekom/tel-it-security-automation/blob/21dacf83ab1245bf7c42c12d1d25292562599b79/hardening-linux-server/vars/main.yml & https://github.com/telekom/tel-it-security-automation)
Copyright (c) 2020 Maximilian Hertstein [...] Deutsche Telekom AG
9 changes: 9 additions & 0 deletions roles/os_hardening/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,15 @@ We know that this is the case on Raspberry Pi.
- `os_auditd_max_log_file`
- Default: `6`
- Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric.
- `os_auditd_rules_enabled`
- Default: `true`
- Description: Set to false to disable configuring auditd rules.
- `os_auditd_rules_failure_mode`
- Default: `1`
- Description: Set failure mode of auditd 0=silent 1=printk 2=panic. This option lets you determine how you want the kernel to handle critical errors. The value given must be numeric.
- `os_auditd_rules_events_extra`
- Default: `[]`
- Description: Add additional event rules for auditd. You can also delete predefined rules with `-d list,action` or `-W path`.
- `hidepid_option`
- Default: `2` (on RHEL/CentOS7 `0`, see known limitations)
- Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
Expand Down
4 changes: 4 additions & 0 deletions roles/os_hardening/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,10 @@ os_hardening_enabled: true
os_auditd_enabled: true
os_auditd_max_log_file: 6
os_auditd_max_log_file_action: keep_logs
# Set to false to disable configuring auditd rules.
os_auditd_rules_enabled: true
os_auditd_rules_failure_mode: 1
os_auditd_rules_events_extra: []

# Set the SELinux state, which can be either disabled, permissive, or enforcing.
os_selinux_state: enforcing
Expand Down
11 changes: 11 additions & 0 deletions roles/os_hardening/tasks/auditd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,14 @@
mode: '0640'
notify: 'restart-auditd'
tags: auditd

- name: Configure auditd rules
template:
src: 'etc/audit/rules.d/audit.rules.j2'
dest: "{{ os_auditd_rules_path }}"
owner: 'root'
group: 'root'
mode: '0640'
notify: 'restart-auditd'
tags: auditd
when: os_auditd_rules_enabled | bool
26 changes: 26 additions & 0 deletions roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
{{ ansible_managed | comment }}
# Generated by Ansible role {{ ansible_role_name }}

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## Set failure mode to syslog
-f {{ os_auditd_rules_failure_mode }}

## List of events to log
{% for rule in os_auditd_rules_events %}
{{rule}}
{% endfor %}
{% for ruleos in os_auditd_rules_events_os %}
{{ruleos}}
{% endfor %}
{% for ruleextra in os_auditd_rules_events_extra %}
{{ruleextra}}
{% endfor %}

## Lock the Audit configuration
-e 2
16 changes: 16 additions & 0 deletions roles/os_hardening/vars/Amazon.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,22 @@ os_useradd_create_home: true

modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/yum -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"

# system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
Expand Down
13 changes: 13 additions & 0 deletions roles/os_hardening/vars/Archlinux.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,18 @@ os_auth_sub_gid_count: 65536

modprobe_package: 'kmod'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/pacman -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"
# Change of AppArmor configuration
- "-w /etc/apparmor -p wa -k MAC-policy"
- "-w /etc/apparmor.d -p wa -k MAC-policy"

hidepid_option: '2' # allowed values: 0, 1, 2
20 changes: 20 additions & 0 deletions roles/os_hardening/vars/Debian.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,26 @@ os_useradd_mail_dir: /var/mail

modprobe_package: 'kmod'
auditd_package: 'auditd'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/dpkg -p x -k software_mgmt"
- "-w /usr/bin/apt-add-repository -p x -k software_mgmt"
- "-w /usr/bin/apt-get -p x -k software_mgmt"
- "-w /usr/bin/aptitude -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/log/faillog -p wa -k logins"
- "-w /var/log/tallylog -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/auth.log"
- "-w /var/log/system.log"
# Change of network configuration
- "-w /etc/network/interfaces -p wa -k system-locale"
# Change of AppArmor configuration
- "-w /etc/apparmor -p wa -k MAC-policy"
- "-w /etc/apparmor.d -p wa -k MAC-policy"

tally2_path: '/usr/share/pam-configs/tally2'
passwdqc_path: '/usr/share/pam-configs/passwdqc'
Expand Down
16 changes: 16 additions & 0 deletions roles/os_hardening/vars/Fedora.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,5 +41,21 @@ os_useradd_create_home: true

modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/yum -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"

hidepid_option: '2' # allowed values: 0, 1, 2
16 changes: 16 additions & 0 deletions roles/os_hardening/vars/RedHat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,5 +41,21 @@ os_useradd_create_home: true

modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/yum -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"

hidepid_option: '2' # allowed values: 0, 1, 2
16 changes: 16 additions & 0 deletions roles/os_hardening/vars/RedHat_7.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,5 +41,21 @@ os_useradd_create_home: true

modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/yum -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"

hidepid_option: '0' # allowed values: 0, 1, 2
16 changes: 16 additions & 0 deletions roles/os_hardening/vars/RedHat_8.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,5 +41,21 @@ os_useradd_create_home: true

modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/yum -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"

hidepid_option: '2' # allowed values: 0, 1, 2
16 changes: 16 additions & 0 deletions roles/os_hardening/vars/Rocky_8.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,5 +41,21 @@ os_useradd_create_home: true

modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/yum -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/run/faillock -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of SELinux configuration
- "-w /etc/selinux -p wa -k MAC-policy"

hidepid_option: '2' # allowed values: 0, 1, 2
17 changes: 17 additions & 0 deletions roles/os_hardening/vars/Suse.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,5 +38,22 @@ os_useradd_create_home: false

modprobe_package: 'kmod-compat'
auditd_package: 'audit'
os_auditd_rules_events_os:
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# (Un)Installation of software
- "-w /usr/bin/rpm -p x -k software_mgmt"
- "-w /usr/bin/zypper -p x -k software_mgmt"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/log/faillog -p wa -k logins"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/messages"
# Change of network configuration
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
# Change of AppArmor configuration
- "-w /etc/apparmor -p wa -k MAC-policy"
- "-w /etc/apparmor.d -p wa -k MAC-policy"

hidepid_option: '2' # allowed values: 0, 1, 2
80 changes: 80 additions & 0 deletions roles/os_hardening/vars/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -110,3 +110,83 @@ os_security_suid_sgid_system_whitelist:

# system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']

# path to audit.rules file
os_auditd_rules_path: "/etc/audit/rules.d/audit.rules"
# Huge parts of the rules are from https://github.com/telekom/tel-it-security-automation
os_auditd_rules_events:
# Syscalls "execve" (execute program) must be logged. Telekom SoC 3.65 ReqID 31d021a2
- "-a always,exit -F arch=b64 -S execve"
# System events must be logged. Telekom SoC 3.65 ReqID 32213164
# Change of system time
- "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
- "-a always,exit -F arch=b64 -S clock_settime -k time-change"
- "-w /etc/localtime -p wa -k time-change"
# Connection of external device (storage)
- "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export"
# Loading/unloading of kernel modules
- "-w /sbin/insmod -p x -k modules"
- "-w /sbin/rmmod -p x -k modules"
- "-w /sbin/modprobe -p x -k modules"
- "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
# Change of scheduled jobs
- "-w /etc/at.allow"
- "-w /etc/at.deny"
- "-w /var/spool/at"
- "-w /etc/crontab"
- "-w /etc/anacrontab"
- "-w /etc/cron.allow"
- "-w /etc/cron.deny"
- "-w /etc/cron.d"
- "-w /etc/cron.hourly"
- "-w /etc/cron.daily"
- "-w /etc/cron.weekly"
- "-w /etc/cron.monthly"
# Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
# Logon and Logoff
- "-w /var/log/lastlog -p wa -k logins"
# Password Change
- "-w /etc/shadow -p wa -k identity"
- "-w /etc/gshadow -p wa -k identity"
- "-w /etc/security/opasswd -p wa -k identity"
# Escalation of privileges (sudo/sudoers)
- "-w /etc/sudoers -p wa -k scope"
- "-w /etc/sudoers.d -p wa -k scope"
- "-w /var/log/sudo.log -p wa -k actions"
# Modification of DAC permissions
- "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
# Account and Group Management events must be logged. Telekom SoC 3.65 ReqID 101afb5f
# Creation, modification and deletion of users
- "-w /etc/passwd -p wa -k identity"
# Creation, modification and deletion of groups
- "-w /etc/group -p wa -k identity"
# Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
# Deletion and unauthorized modification of logs
- "-w /var/log/audit/audit.log"
- "-w /var/log/audit/audit[1-9].log"
# Change of logging configuration
- "-w /etc/syslog"
- "-w /etc/rsyslog.conf"
- "-w /etc/rsyslog.d/conf"
- "-w /etc/audit/auditd.conf -p wa"
- "-w /etc/audit/audit.rules -p wa"
# Change of network configuration
- "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
- "-w /etc/issue -p wa -k system-locale"
- "-w /etc/issue.net -p wa -k system-locale"
- "-w /etc/hosts -p wa -k system-locale"
- "-w /etc/network -p wa -k system-locale"
- "-w /etc/networks -p wa -k system-locale"
# Authentication Subsystem changes
- "-w /etc/pam.d"
- "-w /etc/nsswitch.conf"
# Critical File changes
- "-w /etc/ssh/sshd_config"
- "-w /etc/sysctl.conf"
- "-w /etc/modprobe.conf"
- "-w /etc/profile.d"
- "-w /etc/profile"
- "-w /etc/shells"