ansible/xoxys.auditd
0
0
Fork 0
Code Issues Pull Requests Releases Activity

initial commit

Browse Source
This commit is contained in:
Robert Kaussow 2022-09-23 23:03:22 +02:00
commit a0229de1f3
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
29 changed files with 862 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

159
.drone.jsonnet Normal file
View File

@ -0,0 +1,159 @@
local PipelineLinting = {
kind: 'pipeline',
name: 'linting',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'ansible-later',
image: 'thegeeklab/ansible-later',
commands: [
'ansible-later',
],
},
{
name: 'python-format',
image: 'python:3.9',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq yapf',
'[ ! -z "$(find . -type f -name *.py)" ] && yapf -rd ./',
],
},
{
name: 'python-flake8',
image: 'python:3.9',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq flake8',
'flake8',
],
},
],
trigger: {
ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDeployment(scenario='rocky9') = {
kind: 'pipeline',
name: 'testing-' + scenario,
platform: {
os: 'linux',
arch: 'amd64',
},
concurrency: {
limit: 1,
},
workspace: {
base: '/drone/src',
path: '${DRONE_REPO_NAME}',
},
steps: [
{
name: 'ansible-molecule',
image: 'thegeeklab/molecule:3',
environment: {
HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
},
commands: [
'molecule test -s ' + scenario,
],
},
],
depends_on: [
'linting',
],
trigger: {
ref: ['refs/heads/master', 'refs/tags/**'],
},
};
local PipelineDocumentation = {
kind: 'pipeline',
name: 'documentation',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'generate',
image: 'thegeeklab/ansible-doctor',
environment: {
ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
},
},
{
name: 'publish',
image: 'plugins/gh-pages',
settings: {
remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
netrc_machine: 'gitea.rknet.org',
username: { from_secret: 'gitea_username' },
password: { from_secret: 'gitea_token' },
pages_directory: '_docs/',
target_branch: 'docs',
},
when: {
ref: ['refs/heads/master'],
},
},
],
trigger: {
ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'],
},
depends_on: [
'testing-rocky9',
],
};
local PipelineNotification = {
kind: 'pipeline',
name: 'notification',
platform: {
os: 'linux',
arch: 'amd64',
},
clone: {
disable: true,
},
steps: [
{
name: 'matrix',
image: 'thegeeklab/drone-matrix',
settings: {
homeserver: { from_secret: 'matrix_homeserver' },
roomid: { from_secret: 'matrix_roomid' },
template: 'Status: **{{ build.Status }}**<br/> Build: [{{ repo.Owner }}/{{ repo.Name }}]({{ build.Link }}){{#if build.Branch}} ({{ build.Branch }}){{/if}} by {{ commit.Author }}<br/> Message: {{ commit.Message.Title }}',
username: { from_secret: 'matrix_username' },
password: { from_secret: 'matrix_password' },
},
},
],
depends_on: [
'documentation',
],
trigger: {
status: ['success', 'failure'],
ref: ['refs/heads/master', 'refs/tags/**'],
},
};
[
PipelineLinting,
PipelineDeployment(scenario='rocky9'),
PipelineDocumentation,
PipelineNotification,
]

11
.gitignore vendored Normal file
View File

@ -0,0 +1,11 @@
# ---> Ansible
*.retry
plugins
library
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

19
.later.yml Normal file
View File

@ -0,0 +1,19 @@
---
ansible:
custom_modules:
- iptables_raw
- openssl_pkcs12
- proxmox_kvm
- ucr
- corenetworks_dns
- corenetworks_token
rules:
exclude_files:
- molecule/
- "LICENSE*"
- "**/*.md"
- "**/*.ini"
exclude_filter:
- LINT0009

1
.prettierignore Normal file
View File

@ -0,0 +1 @@
.drone*

21
LICENSE Normal file
View File

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next
paragraph) shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

10
README.md Normal file
View File

@ -0,0 +1,10 @@
# xoxys.auditd
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](LICENSE)
Setup the Linux Auditing System. You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/security/auditd/).
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

135
defaults/main.yml Normal file
View File

@ -0,0 +1,135 @@
---
# @var auditd_exclude_rule_stages:description: >
# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"]
auditd_exclude_rule_stages: []
# @var auditd_refuse_manual_stop:description: >
# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
# For security reasons, this option should only be disabled for testing purposes.
auditd_refuse_manual_stop: True
# @var auditd_config_immutable:description: >
# The auditd daemon is configured to use the augenrules program to read audit rules during
# daemon startup (the default), use this option to make the auditd configuration immutable.
auditd_config_immutable: False
auditd_buffer_size: 8192
# @var auditd_failure_mode:description: >
# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
auditd_failure_mode: 1
# @var auditd_max_log_file:description: Maximum size of a single logfile (MB)
auditd_max_log_file: 10
# @var auditd_num_logs:description: Number of logs to keep
auditd_num_logs: 5
auditd_space_left_action: SYSLOG
auditd_action_mail_acct: root
auditd_admin_space_left_action: SUSPEND
auditd_max_log_file_action: ROTATE
# @var auditd_filter_rules_extra:example: >
# auditd_filter_rules_extra:
# - comment: Ignore current working directory records # defaults to not set
# rule: '-a always,exclude -F msgtype=CWD' # can be list or string
# state: present # defaults to present
auditd_filter_rules_default:
- comment: Ignore current working directory records
rule: "-a always,exclude -F msgtype=CWD"
- comment: Ignore EOE records (End Of Event, not needed)
rule: "-a always,exclude -F msgtype=EOE"
- comment: Cron jobs fill the logs with stuff we normally don't want
rule:
- "-a never,user -F subj_type=crond_t"
- "-a exit,never -F subj_type=crond_t"
- comment: This is not very interesting and wastes a lot of space if the server is public facing
rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER"
- comment: High Volume Event Filter
rule:
- "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess"
- "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess"
- "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
- "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"
auditd_filter_rules_extra: []
auditd_main_rules_default:
- comment: CIS 4.1.4 - Changes to the time
rule:
- "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
- "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
- "-a always,exit -F arch=b64 -S clock_settime -k time-change"
- "-a always,exit -F arch=b32 -S clock_settime -k time-change"
- "-w /etc/localtime -p wa -k time-change"
- comment: CIS 4.1.5 - Changes to user/group information
rule:
- "-w /etc/group -p wa -k identity"
- "-w /etc/passwd -p wa -k identity"
- "-w /etc/gshadow -p wa -k identity"
- "-w /etc/shadow -p wa -k identity"
- "-w /etc/security/opasswd -p wa -k identity"
- comment: CIS 4.1.6 - Changes to the network environment
rule:
- "-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale"
- "-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale"
- "-w /etc/issue -p wa -k system-locale"
- "-w /etc/issue.net -p wa -k system-locale"
- "-w /etc/hosts -p wa -k system-locale"
- "-w /etc/network -p wa -k system-locale"
- comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls
rule:
- "-w /etc/apparmor/ -p wa -k MAC-policy"
- "-w /etc/apparmor.d/ -p wa -k MAC-policy"
- comment: CIS 4.1.8 - Log login/logout events
rule:
- "-w /var/log/faillog -p wa -k logins"
- "-w /var/log/lastlog -p wa -k logins"
- "-w /var/log/tallylog -p wa -k logins"
- comment: CIS 4.1.9 - Log session initiation information
rule:
- "-w /var/run/utmp -p wa -k session"
- "-w /var/log/wtmp -p wa -k logins"
- "-w /var/log/btmp -p wa -k logins"
- comment: CIS 4.1.10 - Log Discretionary Access Control modifications
rule:
- "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
- comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts
rule:
- "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
- "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
- "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
- "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
- comment: CIS 4.1.13 - Log successful file system mounts
rule:
- "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- comment: CIS 4.1.14 - Log file deletion Events by User
rule:
- "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
- "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
- comment: CIS 4.1.15 - Log changes to sudoers
rule:
- "-w /etc/sudoers -p wa -k scope"
- "-w /etc/sudoers.d/ -p wa -k scope"
- comment: CIS 4.1.16 - Log sudolog
rule:
- "-w /var/log/sudo.log -p wa -k actions"
- comment: CIS 4.1.17 - Log kernel module actions
rule:
- "-w /sbin/insmod -p x -k modules"
- "-w /sbin/rmmod -p x -k modules"
- "-w /sbin/modprobe -p x -k modules"
- "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
auditd_main_rules_extra: []
auditd_optional_rules_default: []
auditd_optional_rules_extra: []

9
handlers/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Restart auditd
service:
name: auditd
daemon_reload: yes
enabled: yes
state: started
when: not auditd_refuse_manual_stop | bool
listen: __auditd_restart

23
meta/main.yml Normal file
View File

@ -0,0 +1,23 @@
# Standards: 0.2
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: "Robert Kaussow <mail@thegeeklab.de>"
namespace: xoxys
role_name: auditd
# @meta description: >
# [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.auditd)
# [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd)
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
#
# Setup the Linux Auditing System.
# @end
description: Setup the Linux Auditing System
license: MIT
min_ansible_version: 2.10
platforms:
- name: EL
versions:
- 7
galaxy_tags: []
dependencies: []

1
molecule/default Symbolic link
View File

@ -0,0 +1 @@
rocky9

3
molecule/pytest.ini Normal file
View File

@ -0,0 +1,3 @@
[pytest]
filterwarnings =
ignore::DeprecationWarning

6
molecule/requirements.yml Normal file
View File

@ -0,0 +1,6 @@
---
collections:
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- name: community.general
roles: []

7
molecule/rocky9/converge.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
vars:
auditd_refuse_manual_stop: False
roles:
- role: xoxys.auditd

120
molecule/rocky9/create.yml Normal file
View File

@ -0,0 +1,120 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30

78
molecule/rocky9/destroy.yml Normal file
View File

@ -0,0 +1,78 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

24
molecule/rocky9/molecule.yml Normal file
View File

@ -0,0 +1,24 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: rocky9-auditd
image: rocky-9
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra

15
molecule/rocky9/prepare.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false

7
molecule/rocky9/tests/test_default.py Normal file
View File

@ -0,0 +1,7 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")

12
setup.cfg Normal file
View File

@ -0,0 +1,12 @@
[flake8]
ignore = D100, D101, D102, D103, D105, D107, E402, W503
max-line-length = 99
inline-quotes = double
exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
[yapf]
based_on_style = google
column_limit = 99
dedent_closing_brackets = true
coalesce_brackets = true
split_before_logical_operator = true

77
tasks/main.yml Normal file
View File

@ -0,0 +1,77 @@
---
- block:
- name: Install required packages
loop:
- audit
- audispd-plugins
package:
name: "{{ item }}"
state: present
- name: Create folders
file:
name: "{{ item }}"
state: directory
owner: root
group: root
mode: 0750
loop:
- /etc/audit/rules.d/
- /etc/systemd/system/auditd.service.d/
- name: Create systemd override
template:
src: etc/systemd/system/auditd.service.d/override.conf.j2
dest: "/etc/systemd/system/auditd.service.d/override.conf"
owner: root
group: root
mode: 0644
notify: __auditd_restart
- name: Create config file
template:
src: etc/audit/auditd.conf.j2
dest: "/etc/audit/auditd.conf"
owner: root
group: root
mode: 0640
notify: __auditd_restart
- name: Create rules files
template:
src: "etc/audit/rules.d/{{ item }}.j2"
dest: "/etc/audit/rules.d/{{ item }}"
owner: root
group: root
mode: 0640
loop: "{{ __auditd_rule_templates }}"
loop_control:
label: "/etc/audit/rules.d/{{ item }}"
when: item not in auditd_exclude_rule_stages
notify: __auditd_restart
- name: Register rules files
find:
paths: /etc/audit/rules.d/
file_type: file
patterns: "*.rules"
register: __auditd_rules_active
changed_when: False
failed_when: False
- name: Remove unmanaged rules files
file:
path: "{{ item }}"
state: absent
loop: "{{ __auditd_rules_active.files | map(attribute='path') | list }}"
notify: __auditd_restart
when: item | basename not in __auditd_rule_templates
- name: Ensure audit service is up and running
service:
name: auditd
daemon_reload: yes
enabled: yes
state: started
become: True
become_user: root

38
templates/etc/audit/auditd.conf.j2 Normal file
View File

@ -0,0 +1,38 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = {{ auditd_max_log_file }}
num_logs = {{ auditd_num_logs }}
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = {{ auditd_max_log_file_action }}
space_left = 75
space_left_action = {{ auditd_space_left_action }}
verify_email = yes
action_mail_acct = {{ auditd_action_mail_acct }}
admin_space_left = 50
admin_space_left_action = {{ auditd_admin_space_left_action }}
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

13
templates/etc/audit/rules.d/10-start.rules.j2 Normal file
View File

@ -0,0 +1,13 @@
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
## Remove any existing rules
-D
## Buffer Size
# Feel free to increase this if the machine panic's
-b {{ auditd_buffer_size }}
## Failure Mode
# Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f {{ auditd_failure_mode }}

11
templates/etc/audit/rules.d/20-selfaudit.rules.j2 Normal file
View File

@ -0,0 +1,11 @@
## Audit the audit logs
-w /var/log/audit/ -k auditlog
## Auditd configuration
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

15
templates/etc/audit/rules.d/30-filter.rules.j2 Normal file
View File

@ -0,0 +1,15 @@
{% for item in (auditd_filter_rules_default + auditd_filter_rules_extra )%}
{% if item.state | default("present") == "present" %}
{% if item.comment is defined and item.comment %}
## {{ item.comment }}
{% endif %}
{% if not item.rule is string and item.rule is iterable %}
{% for rule in item.rule %}
{{ rule }}
{% endfor %}
{% else %}
{{ item.rule }}
{% endif %}
{% endif %}
{% endfor %}

13
templates/etc/audit/rules.d/40-main.rules.j2 Normal file
View File

@ -0,0 +1,13 @@
{% for item in (auditd_main_rules_default + auditd_main_rules_extra) %}
{% if item.comment is defined and item.comment %}
## {{ item.comment }}
{% endif %}
{% if not item.rule is string and item.rule is iterable %}
{% for rule in item.rule %}
{{ rule }}
{% endfor %}
{% else %}
{{ item.rule }}
{% endif %}
{% endfor %}

13
templates/etc/audit/rules.d/50-optional.rules.j2 Normal file
View File

@ -0,0 +1,13 @@
{% for item in (auditd_optional_rules_default + auditd_optional_rules_extra) %}
{% if item.comment is defined and item.comment %}
## {{ item.comment }}
{% endif %}
{% if not item.rule is string and item.rule is iterable %}
{% for rule in item.rule %}
{{ rule }}
{% endfor %}
{% else %}
{{ item.rule }}
{% endif %}
{% endfor %}

4
templates/etc/audit/rules.d/90-finalize.rules.j2 Normal file
View File

@ -0,0 +1,4 @@
{% if auditd_config_immutable %}
## Make the configuration immutable
-e 2
{% endif %}

9
templates/etc/systemd/system/auditd.service.d/override.conf.j2 Normal file
View File

@ -0,0 +1,9 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
{% if not auditd_refuse_manual_stop | bool %}
[Unit]
RefuseManualStop=no
{% endif %}
[Service]
ExecStartPost=-/sbin/augenrules --load

8
vars/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
__auditd_rule_templates:
- 10-start.rules
- 20-selfaudit.rules
- 30-filter.rules
- 40-main.rules
- 50-optional.rules
- 90-finalize.rules