diff --git a/defaults/main.yml b/defaults/main.yml
index ba7b846..2a98ca1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -25,17 +25,11 @@ auditd_max_log_file: 10
 # @var auditd_num_logs:description: Number of logs to keep
 auditd_num_logs: 5
-auditd_space_left_action: SYSLOG
+auditd_space_left_action: email
 auditd_action_mail_acct: root
-auditd_admin_space_left_action: SUSPEND
+auditd_admin_space_left_action: halt
+auditd_max_log_file_action: rotate
-auditd_max_log_file_action: ROTATE
-
-# @var auditd_filter_rules_extra:example: >
-# auditd_filter_rules_extra:
-# - comment: Ignore current working directory records # defaults to not set
-# rule: '-a always,exclude -F msgtype=CWD' # can be list or string
-# state: present # defaults to present
 auditd_filter_rules_default:
 - comment: Ignore current working directory records
 rule: "-a always,exclude -F msgtype=CWD"
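Review bot: The new default `auditd_admin_space_left_action: halt` shuts the host down once the audit partition hits the admin threshold, so a local user who can generate a burst of audited events can turn a log flood into an outage; that is the CIS trade-off, but nothing next to the value says so, and `auditd_space_left_action: email` quietly does nothing unless a local MTA can deliver to `auditd_action_mail_acct`. These are the only keys in the stanza without the `# @var …:description:` line the neighbouring `auditd_num_logs` carries. I would add `# @var auditd_admin_space_left_action:description: Action when admin_space_left is reached; halt powers the host off, use single or suspend where an outage is worse than lost audit records` and a matching description for the email action stating that a working sendmail is required. The space-left thresholds that decide how early these fire are outside this hunk, so I cannot judge the margin they leave.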
@@ -54,81 +48,82 @@ auditd_filter_rules_default:
 - "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
 - "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"
+# @var auditd_filter_rules_extra:example: >
+# auditd_filter_rules_extra:
+# - comment: Ignore current working directory records # defaults to not set
+# rule: '-a always,exclude -F msgtype=CWD' # can be list or string
+# state: present # defaults to present
 auditd_filter_rules_extra: []
 auditd_main_rules_default:
- - comment: CIS 4.1.4 - Changes to the time
+ - comment: CIS 4.1.3.1 - Changes to system administration scope
 rule:
- - "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
- - "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
- - "-a always,exit -F arch=b64 -S clock_settime -k time-change"
- - "-a always,exit -F arch=b32 -S clock_settime -k time-change"
+ - "-w /etc/sudoers -p wa -k actions"
+ - "-w /etc/sudoers.d/ -p wa -k actions"
+ - comment: CIS 4.1.3.4 - Events that modify date and time information
+ rule:
+ - "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change"
+ - "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change"
 - "-w /etc/localtime -p wa -k time-change"
- - comment: CIS 4.1.5 - Changes to user/group information
+ - comment: CIS 4.1.3.5 - Changes to the network environment
+ rule:
+ - "-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale"
+ - "-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale"
+ - "-w /etc/issue -p wa -k system-locale"
+ - "-w /etc/issue.net -p wa -k system-locale"
+ - "-w /etc/hosts -p wa -k system-locale"
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
+ - comment: CIS 4.1.3.7 - Unsuccessful file access attempts
+ rule:
+ - "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
+ - "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
+ - "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
+ - "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
+ - comment: CIS 4.1.3.8 - Modify user/group information
 rule:
 - "-w /etc/group -p wa -k identity"
 - "-w /etc/passwd -p wa -k identity"
 - "-w /etc/gshadow -p wa -k identity"
 - "-w /etc/shadow -p wa -k identity"
 - "-w /etc/security/opasswd -p wa -k identity"
- - comment: CIS 4.1.6 - Changes to the network environment
+ - comment: CIS 4.1.3.9 - Discretionary access control permission modifications
 rule:
- - "-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale"
- - "-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale"
- - "-w /etc/issue -p wa -k system-locale"
- - "-w /etc/issue.net -p wa -k system-locale"
- - "-w /etc/hosts -p wa -k system-locale"
- - "-w /etc/network -p wa -k system-locale"
- - comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls
+ - "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+ - "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+ - "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+ - "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+ - "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
+ - "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
+ - comment: CIS 4.1.3.10 - Successful file system mounts
 rule:
- - "-w /etc/apparmor/ -p wa -k MAC-policy"
- - "-w /etc/apparmor.d/ -p wa -k MAC-policy"
- - comment: CIS 4.1.8 - Log login/logout events
- rule:
- - "-w /var/log/faillog -p wa -k logins"
- - "-w /var/log/lastlog -p wa -k logins"
- - "-w /var/log/tallylog -p wa -k logins"
- - comment: CIS 4.1.9 - Log session initiation information
+ - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+ - "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+ - comment: CIS 4.1.3.11 - Session initiation information
 rule:
 - "-w /var/run/utmp -p wa -k session"
 - "-w /var/log/wtmp -p wa -k logins"
 - "-w /var/log/btmp -p wa -k logins"
- - comment: CIS 4.1.10 - Log Discretionary Access Control modifications
+ - comment: CIS 4.1.3.12 - Login and logout events
 rule:
- - "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- - "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- - "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- - "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- - "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- - "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- - comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts
+ - "-w /var/log/lastlog -p wa -k logins"
+ - "-w /var/log/tallylog -p wa -k logins"
+ - "-w /var/run/faillock -p wa -k logins"
+ - comment: CIS 4.1.3.13 - File deletion events by users
 rule:
- - "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
- - "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
- - "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
- - "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
- - comment: CIS 4.1.13 - Log successful file system mounts
+ - "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
+ - "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
+ - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
 rule:
- - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- - "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- - comment: CIS 4.1.14 - Log file deletion Events by User
+ - "-w /etc/selinux/ -p wa -k MAC-policy"
+ - "-w /usr/share/selinux/ -p wa -k MAC-policy"
+ - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
 rule:
- - "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
- - "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
- - comment: CIS 4.1.15 - Log changes to sudoers
- rule:
- - "-w /etc/sudoers -p wa -k scope"
- - "-w /etc/sudoers.d/ -p wa -k scope"
- - comment: CIS 4.1.16 - Log sudolog
- rule:
- - "-w /var/log/sudo.log -p wa -k actions"
- - comment: CIS 4.1.17 - Log kernel module actions
- rule:
- - "-w /sbin/insmod -p x -k modules"
- - "-w /sbin/rmmod -p x -k modules"
- - "-w /sbin/modprobe -p x -k modules"
- - "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
-
+ - "-a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
+ - "-a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
+ - "-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules"
+ - "-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules"
+ - "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules"
 auditd_main_rules_extra: []
 auditd_optional_rules_default: []
diff --git a/handlers/main.yml b/handlers/main.yml
index 0d56292..359b740 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -7,3 +7,5 @@
 state: started
 when: not auditd_refuse_manual_stop | bool
 listen: __auditd_restart
+ become: True
+ become_user: root
diff --git a/templates/etc/audit/rules.d/90-finalize.rules.j2 b/templates/etc/audit/rules.d/90-finalize.rules.j2
index eb21f5d..2a3f570 100644
--- a/templates/etc/audit/rules.d/90-finalize.rules.j2
+++ b/templates/etc/audit/rules.d/90-finalize.rules.j2
@@ -1,4 +1,4 @@
-{% if auditd_config_immutable %}
+{% if auditd_config_immutable | bool %}
 ## Make the configuration immutable
 -e 2
 {% endif %}
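Review bot: The time-change item now tags the same CIS control with two different keys: the two added `-a always,exit … -k time_change` lines versus the retained `-w /etc/localtime -p wa -k time-change` context line, so an `ausearch -k time_change` misses localtime edits; change the watch to `-k time_change` (or keep the old `time-change` spelling in the new lines). The mounts rules likewise still filter on `auid!=4294967295` while every other new rule uses `auid!=unset`, and the perm_mod rules use `-F key=` where the rest use `-k` — the kernel accepts both, but the mixed spelling makes the rule set harder to audit and to diff against the benchmark. Replacing the AppArmor and `/etc/network` watches with `/etc/selinux/` and `/etc/sysconfig/network*` makes these defaults RHEL-specific; if the role still targets Debian/Ubuntu, the MAC-policy and network entries should be chosen per `ansible_os_family`, which I cannot see from this hunk. The `-F arch=b32` rules, including `create_module,query_module`, may also fail to load on architectures without a 32-bit syscall table, and whether augenrules then drops the whole file depends on the `-c` flag in the rules, so guarding them on `ansible_architecture` is worth considering.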
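Review bot: `become: True` on the added handler line uses the Python-style capitalised boolean, which yamllint's truthy rule flags and which reads oddly next to the `| bool` filter already used on the `when` line in this hunk; write `become: true`. Pinning `become_user: root` inside the handler also overrides whatever privilege model the calling play set, which is reasonable for restarting auditd but deserves a one-line comment, e.g. `# the audit service can only be restarted with root privileges`. The handler's name and module line are above this hunk, so I cannot confirm it is a service/systemd task or whether `auditd_refuse_manual_stop` is also honoured there.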