commit a0229de1f333a04eb0c05090e94c773571f2cf12 Author: Robert Kaussow Date: Fri Sep 23 23:03:22 2022 +0200 initial commit diff --git a/.drone.jsonnet b/.drone.jsonnet new file mode 100644 index 0000000..17e4e8a --- /dev/null +++ b/.drone.jsonnet @@ -0,0 +1,159 @@ +local PipelineLinting = { + kind: 'pipeline', + name: 'linting', + platform: { + os: 'linux', + arch: 'amd64', + }, + steps: [ + { + name: 'ansible-later', + image: 'thegeeklab/ansible-later', + commands: [ + 'ansible-later', + ], + }, + { + name: 'python-format', + image: 'python:3.9', + environment: { + PY_COLORS: 1, + }, + commands: [ + 'pip install -qq yapf', + '[ ! -z "$(find . -type f -name *.py)" ] && yapf -rd ./', + ], + }, + { + name: 'python-flake8', + image: 'python:3.9', + environment: { + PY_COLORS: 1, + }, + commands: [ + 'pip install -qq flake8', + 'flake8', + ], + }, + ], + trigger: { + ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'], + }, +}; + +local PipelineDeployment(scenario='rocky9') = { + kind: 'pipeline', + name: 'testing-' + scenario, + platform: { + os: 'linux', + arch: 'amd64', + }, + concurrency: { + limit: 1, + }, + workspace: { + base: '/drone/src', + path: '${DRONE_REPO_NAME}', + }, + steps: [ + { + name: 'ansible-molecule', + image: 'thegeeklab/molecule:3', + environment: { + HCLOUD_TOKEN: { from_secret: 'hcloud_token' }, + }, + commands: [ + 'molecule test -s ' + scenario, + ], + }, + ], + depends_on: [ + 'linting', + ], + trigger: { + ref: ['refs/heads/master', 'refs/tags/**'], + }, +}; + +local PipelineDocumentation = { + kind: 'pipeline', + name: 'documentation', + platform: { + os: 'linux', + arch: 'amd64', + }, + steps: [ + { + name: 'generate', + image: 'thegeeklab/ansible-doctor', + environment: { + ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO', + ANSIBLE_DOCTOR_FORCE_OVERWRITE: true, + ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/', + ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book', + ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}', + ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/', + }, + }, + { + name: 'publish', + image: 'plugins/gh-pages', + settings: { + remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}', + netrc_machine: 'gitea.rknet.org', + username: { from_secret: 'gitea_username' }, + password: { from_secret: 'gitea_token' }, + pages_directory: '_docs/', + target_branch: 'docs', + }, + when: { + ref: ['refs/heads/master'], + }, + }, + ], + trigger: { + ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'], + }, + depends_on: [ + 'testing-rocky9', + ], +}; + +local PipelineNotification = { + kind: 'pipeline', + name: 'notification', + platform: { + os: 'linux', + arch: 'amd64', + }, + clone: { + disable: true, + }, + steps: [ + { + name: 'matrix', + image: 'thegeeklab/drone-matrix', + settings: { + homeserver: { from_secret: 'matrix_homeserver' }, + roomid: { from_secret: 'matrix_roomid' }, + template: 'Status: **{{ build.Status }}**
Build: [{{ repo.Owner }}/{{ repo.Name }}]({{ build.Link }}){{#if build.Branch}} ({{ build.Branch }}){{/if}} by {{ commit.Author }}
Message: {{ commit.Message.Title }}', + username: { from_secret: 'matrix_username' }, + password: { from_secret: 'matrix_password' }, + }, + }, + ], + depends_on: [ + 'documentation', + ], + trigger: { + status: ['success', 'failure'], + ref: ['refs/heads/master', 'refs/tags/**'], + }, +}; + +[ + PipelineLinting, + PipelineDeployment(scenario='rocky9'), + PipelineDocumentation, + PipelineNotification, +] diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d97b7cd --- /dev/null +++ b/.gitignore @@ -0,0 +1,11 @@ +# ---> Ansible +*.retry +plugins +library + +# ---> Python +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + diff --git a/.later.yml b/.later.yml new file mode 100644 index 0000000..0efe5d5 --- /dev/null +++ b/.later.yml @@ -0,0 +1,19 @@ +--- +ansible: + custom_modules: + - iptables_raw + - openssl_pkcs12 + - proxmox_kvm + - ucr + - corenetworks_dns + - corenetworks_token + +rules: + exclude_files: + - molecule/ + - "LICENSE*" + - "**/*.md" + - "**/*.ini" + + exclude_filter: + - LINT0009 diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..ef05acb --- /dev/null +++ b/.prettierignore @@ -0,0 +1 @@ +.drone* diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..3812eb4 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2022 Robert Kaussow + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is furnished +to do so, subject to the following conditions: + +The above copyright notice and this permission notice (including the next +paragraph) shall be included in all copies or substantial portions of the +Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS +OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF +OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..b9ba12a --- /dev/null +++ b/README.md @@ -0,0 +1,10 @@ +# xoxys.auditd + +[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd) +[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](LICENSE) + +Setup the Linux Auditing System. You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/security/auditd/). + +## License + +This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..ba7b846 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,135 @@ +--- +# @var auditd_exclude_rule_stages:description: > +# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: +# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize +# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"] +auditd_exclude_rule_stages: [] + +# @var auditd_refuse_manual_stop:description: > +# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. +# For security reasons, this option should only be disabled for testing purposes. +auditd_refuse_manual_stop: True + +# @var auditd_config_immutable:description: > +# The auditd daemon is configured to use the augenrules program to read audit rules during +# daemon startup (the default), use this option to make the auditd configuration immutable. +auditd_config_immutable: False + +auditd_buffer_size: 8192 +# @var auditd_failure_mode:description: > +# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system) +auditd_failure_mode: 1 + +# @var auditd_max_log_file:description: Maximum size of a single logfile (MB) +auditd_max_log_file: 10 +# @var auditd_num_logs:description: Number of logs to keep +auditd_num_logs: 5 + +auditd_space_left_action: SYSLOG +auditd_action_mail_acct: root +auditd_admin_space_left_action: SUSPEND + +auditd_max_log_file_action: ROTATE + +# @var auditd_filter_rules_extra:example: > +# auditd_filter_rules_extra: +# - comment: Ignore current working directory records # defaults to not set +# rule: '-a always,exclude -F msgtype=CWD' # can be list or string +# state: present # defaults to present +auditd_filter_rules_default: + - comment: Ignore current working directory records + rule: "-a always,exclude -F msgtype=CWD" + - comment: Ignore EOE records (End Of Event, not needed) + rule: "-a always,exclude -F msgtype=EOE" + - comment: Cron jobs fill the logs with stuff we normally don't want + rule: + - "-a never,user -F subj_type=crond_t" + - "-a exit,never -F subj_type=crond_t" + - comment: This is not very interesting and wastes a lot of space if the server is public facing + rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER" + - comment: High Volume Event Filter + rule: + - "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess" + - "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess" + - "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm" + - "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm" + +auditd_filter_rules_extra: [] + +auditd_main_rules_default: + - comment: CIS 4.1.4 - Changes to the time + rule: + - "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" + - "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" + - "-a always,exit -F arch=b64 -S clock_settime -k time-change" + - "-a always,exit -F arch=b32 -S clock_settime -k time-change" + - "-w /etc/localtime -p wa -k time-change" + - comment: CIS 4.1.5 - Changes to user/group information + rule: + - "-w /etc/group -p wa -k identity" + - "-w /etc/passwd -p wa -k identity" + - "-w /etc/gshadow -p wa -k identity" + - "-w /etc/shadow -p wa -k identity" + - "-w /etc/security/opasswd -p wa -k identity" + - comment: CIS 4.1.6 - Changes to the network environment + rule: + - "-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale" + - "-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale" + - "-w /etc/issue -p wa -k system-locale" + - "-w /etc/issue.net -p wa -k system-locale" + - "-w /etc/hosts -p wa -k system-locale" + - "-w /etc/network -p wa -k system-locale" + - comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls + rule: + - "-w /etc/apparmor/ -p wa -k MAC-policy" + - "-w /etc/apparmor.d/ -p wa -k MAC-policy" + - comment: CIS 4.1.8 - Log login/logout events + rule: + - "-w /var/log/faillog -p wa -k logins" + - "-w /var/log/lastlog -p wa -k logins" + - "-w /var/log/tallylog -p wa -k logins" + - comment: CIS 4.1.9 - Log session initiation information + rule: + - "-w /var/run/utmp -p wa -k session" + - "-w /var/log/wtmp -p wa -k logins" + - "-w /var/log/btmp -p wa -k logins" + - comment: CIS 4.1.10 - Log Discretionary Access Control modifications + rule: + - "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts + rule: + - "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" + - "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" + - "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" + - "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" + - comment: CIS 4.1.13 - Log successful file system mounts + rule: + - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + - "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + - comment: CIS 4.1.14 - Log file deletion Events by User + rule: + - "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" + - "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" + - comment: CIS 4.1.15 - Log changes to sudoers + rule: + - "-w /etc/sudoers -p wa -k scope" + - "-w /etc/sudoers.d/ -p wa -k scope" + - comment: CIS 4.1.16 - Log sudolog + rule: + - "-w /var/log/sudo.log -p wa -k actions" + - comment: CIS 4.1.17 - Log kernel module actions + rule: + - "-w /sbin/insmod -p x -k modules" + - "-w /sbin/rmmod -p x -k modules" + - "-w /sbin/modprobe -p x -k modules" + - "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" + +auditd_main_rules_extra: [] + +auditd_optional_rules_default: [] +auditd_optional_rules_extra: [] diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..0d56292 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: Restart auditd + service: + name: auditd + daemon_reload: yes + enabled: yes + state: started + when: not auditd_refuse_manual_stop | bool + listen: __auditd_restart diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..157bb08 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,23 @@ +# Standards: 0.2 +--- +galaxy_info: + # @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys) + author: "Robert Kaussow " + namespace: xoxys + role_name: auditd + # @meta description: > + # [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.auditd) + # [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd) + # [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE) + # + # Setup the Linux Auditing System. + # @end + description: Setup the Linux Auditing System + license: MIT + min_ansible_version: 2.10 + platforms: + - name: EL + versions: + - 7 + galaxy_tags: [] +dependencies: [] diff --git a/molecule/default b/molecule/default new file mode 120000 index 0000000..afa9fc6 --- /dev/null +++ b/molecule/default @@ -0,0 +1 @@ +rocky9 \ No newline at end of file diff --git a/molecule/pytest.ini b/molecule/pytest.ini new file mode 100644 index 0000000..c24fe5b --- /dev/null +++ b/molecule/pytest.ini @@ -0,0 +1,3 @@ +[pytest] +filterwarnings = + ignore::DeprecationWarning diff --git a/molecule/requirements.yml b/molecule/requirements.yml new file mode 100644 index 0000000..46da115 --- /dev/null +++ b/molecule/requirements.yml @@ -0,0 +1,6 @@ +--- +collections: + - name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz + - name: community.general + +roles: [] diff --git a/molecule/rocky9/converge.yml b/molecule/rocky9/converge.yml new file mode 100644 index 0000000..e2ddda9 --- /dev/null +++ b/molecule/rocky9/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + vars: + auditd_refuse_manual_stop: False + roles: + - role: xoxys.auditd diff --git a/molecule/rocky9/create.yml b/molecule/rocky9/create.yml new file mode 100644 index 0000000..719600d --- /dev/null +++ b/molecule/rocky9/create.yml @@ -0,0 +1,120 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + ssh_port: 22 + ssh_user: root + ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key" + tasks: + - name: Create SSH key + user: + name: "{{ lookup('env', 'USER') }}" + generate_ssh_key: true + ssh_key_file: "{{ ssh_path }}" + force: true + register: generated_ssh_key + + - name: Register the SSH key name + set_fact: + ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}" + + - name: Register SSH key for test instance(s) + hcloud_ssh_key: + name: "{{ ssh_key_name }}" + public_key: "{{ generated_ssh_key.ssh_public_key }}" + state: present + + - name: Create molecule instance(s) + hcloud_server: + name: "{{ item.name }}" + server_type: "{{ item.server_type }}" + ssh_keys: + - "{{ ssh_key_name }}" + image: "{{ item.image }}" + location: "{{ item.location | default(omit) }}" + datacenter: "{{ item.datacenter | default(omit) }}" + user_data: "{{ item.user_data | default(omit) }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: present + register: server + loop: "{{ molecule_yml.platforms }}" + async: 7200 + poll: 0 + + - name: Wait for instance(s) creation to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_jobs + until: hetzner_jobs.finished + retries: 300 + loop: "{{ server.results }}" + + - name: Create volume(s) + hcloud_volume: + name: "{{ item.name }}" + server: "{{ item.name }}" + location: "{{ item.location | default(omit) }}" + size: "{{ item.volume_size | default(10) }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: "present" + loop: "{{ molecule_yml.platforms }}" + when: item.volume | default(False) | bool + register: volumes + async: 7200 + poll: 0 + + - name: Wait for volume(s) creation to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_volumes + until: hetzner_volumes.finished + retries: 300 + when: volumes.changed + loop: "{{ volumes.results }}" + + # Mandatory configuration for Molecule to function. + + - name: Populate instance config dict + set_fact: + instance_conf_dict: + { + "instance": "{{ item.hcloud_server.name }}", + "ssh_key_name": "{{ ssh_key_name }}", + "address": "{{ item.hcloud_server.ipv4_address }}", + "user": "{{ ssh_user }}", + "port": "{{ ssh_port }}", + "identity_file": "{{ ssh_path }}", + "volume": "{{ item.item.item.volume | default(False) | bool }}", + } + loop: "{{ hetzner_jobs.results }}" + register: instance_config_dict + when: server.changed | bool + + - name: Convert instance config dict to a list + set_fact: + instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}" + when: server.changed | bool + + - name: Dump instance config + copy: + content: | + # Molecule managed + + {{ instance_conf | to_nice_yaml(indent=2) }} + dest: "{{ molecule_instance_config }}" + when: server.changed | bool + + - name: Wait for SSH + wait_for: + port: "{{ ssh_port }}" + host: "{{ item.address }}" + search_regex: SSH + delay: 10 + loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}" + + - name: Wait for VM to settle down + pause: + seconds: 30 \ No newline at end of file diff --git a/molecule/rocky9/destroy.yml b/molecule/rocky9/destroy.yml new file mode 100644 index 0000000..ed0b2ed --- /dev/null +++ b/molecule/rocky9/destroy.yml @@ -0,0 +1,78 @@ +--- +- name: Destroy + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + tasks: + - name: Check existing instance config file + stat: + path: "{{ molecule_instance_config }}" + register: cfg + + - name: Populate the instance config + set_fact: + instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}" + + - name: Destroy molecule instance(s) + hcloud_server: + name: "{{ item.instance }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: absent + register: server + loop: "{{ instance_conf }}" + async: 7200 + poll: 0 + + - name: Wait for instance(s) deletion to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_jobs + until: hetzner_jobs.finished + retries: 300 + loop: "{{ server.results }}" + + - pause: + seconds: 5 + + - name: Destroy volume(s) + hcloud_volume: + name: "{{ item.instance }}" + server: "{{ item.instance }}" + api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}" + state: "absent" + register: volumes + loop: "{{ instance_conf }}" + when: item.volume | default(False) | bool + async: 7200 + poll: 0 + + - name: Wait for volume(s) deletion to complete + async_status: + jid: "{{ item.ansible_job_id }}" + register: hetzner_volumes + until: hetzner_volumes.finished + retries: 300 + when: volumes.changed + loop: "{{ volumes.results }}" + + - name: Remove registered SSH key + hcloud_ssh_key: + name: "{{ instance_conf[0].ssh_key_name }}" + state: absent + when: (instance_conf | default([])) | length > 0 + + # Mandatory configuration for Molecule to function. + + - name: Populate instance config + set_fact: + instance_conf: {} + + - name: Dump instance config + copy: + content: | + # Molecule managed + + {{ instance_conf | to_nice_yaml(indent=2) }} + dest: "{{ molecule_instance_config }}" + when: server.changed | bool \ No newline at end of file diff --git a/molecule/rocky9/molecule.yml b/molecule/rocky9/molecule.yml new file mode 100644 index 0000000..ac41a1e --- /dev/null +++ b/molecule/rocky9/molecule.yml @@ -0,0 +1,24 @@ +--- +dependency: + name: galaxy + options: + role-file: molecule/requirements.yml + requirements-file: molecule/requirements.yml + env: + ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false" +driver: + name: delegated +platforms: + - name: rocky9-auditd + image: rocky-9 + server_type: cx11 +lint: | + /usr/local/bin/flake8 +provisioner: + name: ansible + env: + ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter} + ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library} + log: False +verifier: + name: testinfra diff --git a/molecule/rocky9/prepare.yml b/molecule/rocky9/prepare.yml new file mode 100644 index 0000000..183f4d3 --- /dev/null +++ b/molecule/rocky9/prepare.yml @@ -0,0 +1,15 @@ +--- +- name: Prepare + hosts: all + gather_facts: false + tasks: + - name: Bootstrap python for Ansible + raw: | + command -v python3 python || ( + (test -e /usr/bin/dnf && sudo dnf install -y python3) || + (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) || + (test -e /usr/bin/yum && sudo yum -y -qq install python3) || + echo "Warning: Python not boostrapped due to unknown platform." + ) + become: true + changed_when: false diff --git a/molecule/rocky9/tests/test_default.py b/molecule/rocky9/tests/test_default.py new file mode 100644 index 0000000..18236da --- /dev/null +++ b/molecule/rocky9/tests/test_default.py @@ -0,0 +1,7 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ["MOLECULE_INVENTORY_FILE"] +).get_hosts("all") diff --git a/setup.cfg b/setup.cfg new file mode 100644 index 0000000..2bb8674 --- /dev/null +++ b/setup.cfg @@ -0,0 +1,12 @@ +[flake8] +ignore = D100, D101, D102, D103, D105, D107, E402, W503 +max-line-length = 99 +inline-quotes = double +exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env* + +[yapf] +based_on_style = google +column_limit = 99 +dedent_closing_brackets = true +coalesce_brackets = true +split_before_logical_operator = true diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..b6c37f3 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,77 @@ +--- +- block: + - name: Install required packages + loop: + - audit + - audispd-plugins + package: + name: "{{ item }}" + state: present + + - name: Create folders + file: + name: "{{ item }}" + state: directory + owner: root + group: root + mode: 0750 + loop: + - /etc/audit/rules.d/ + - /etc/systemd/system/auditd.service.d/ + + - name: Create systemd override + template: + src: etc/systemd/system/auditd.service.d/override.conf.j2 + dest: "/etc/systemd/system/auditd.service.d/override.conf" + owner: root + group: root + mode: 0644 + notify: __auditd_restart + + - name: Create config file + template: + src: etc/audit/auditd.conf.j2 + dest: "/etc/audit/auditd.conf" + owner: root + group: root + mode: 0640 + notify: __auditd_restart + + - name: Create rules files + template: + src: "etc/audit/rules.d/{{ item }}.j2" + dest: "/etc/audit/rules.d/{{ item }}" + owner: root + group: root + mode: 0640 + loop: "{{ __auditd_rule_templates }}" + loop_control: + label: "/etc/audit/rules.d/{{ item }}" + when: item not in auditd_exclude_rule_stages + notify: __auditd_restart + + - name: Register rules files + find: + paths: /etc/audit/rules.d/ + file_type: file + patterns: "*.rules" + register: __auditd_rules_active + changed_when: False + failed_when: False + + - name: Remove unmanaged rules files + file: + path: "{{ item }}" + state: absent + loop: "{{ __auditd_rules_active.files | map(attribute='path') | list }}" + notify: __auditd_restart + when: item | basename not in __auditd_rule_templates + + - name: Ensure audit service is up and running + service: + name: auditd + daemon_reload: yes + enabled: yes + state: started + become: True + become_user: root diff --git a/templates/etc/audit/auditd.conf.j2 b/templates/etc/audit/auditd.conf.j2 new file mode 100644 index 0000000..e26e2cd --- /dev/null +++ b/templates/etc/audit/auditd.conf.j2 @@ -0,0 +1,38 @@ +#jinja2: lstrip_blocks: True +{{ ansible_managed | comment }} +local_events = yes +write_logs = yes +log_file = /var/log/audit/audit.log +log_group = root +log_format = ENRICHED +flush = INCREMENTAL_ASYNC +freq = 50 +max_log_file = {{ auditd_max_log_file }} +num_logs = {{ auditd_num_logs }} +priority_boost = 4 +name_format = NONE +##name = mydomain +max_log_file_action = {{ auditd_max_log_file_action }} +space_left = 75 +space_left_action = {{ auditd_space_left_action }} +verify_email = yes +action_mail_acct = {{ auditd_action_mail_acct }} +admin_space_left = 50 +admin_space_left_action = {{ auditd_admin_space_left_action }} +disk_full_action = SUSPEND +disk_error_action = SUSPEND +use_libwrap = yes +##tcp_listen_port = 60 +tcp_listen_queue = 5 +tcp_max_per_addr = 1 +##tcp_client_ports = 1024-65535 +tcp_client_max_idle = 0 +transport = TCP +krb5_principal = auditd +##krb5_key_file = /etc/audit/audit.key +distribute_network = no +q_depth = 1200 +overflow_action = SYSLOG +max_restarts = 10 +plugin_dir = /etc/audit/plugins.d +end_of_event_timeout = 2 diff --git a/templates/etc/audit/rules.d/10-start.rules.j2 b/templates/etc/audit/rules.d/10-start.rules.j2 new file mode 100644 index 0000000..8dcaf3a --- /dev/null +++ b/templates/etc/audit/rules.d/10-start.rules.j2 @@ -0,0 +1,13 @@ +## Make the loginuid immutable. This prevents tampering with the auid. +--loginuid-immutable + +## Remove any existing rules +-D + +## Buffer Size +# Feel free to increase this if the machine panic's +-b {{ auditd_buffer_size }} + +## Failure Mode +# Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system) +-f {{ auditd_failure_mode }} diff --git a/templates/etc/audit/rules.d/20-selfaudit.rules.j2 b/templates/etc/audit/rules.d/20-selfaudit.rules.j2 new file mode 100644 index 0000000..44b2c80 --- /dev/null +++ b/templates/etc/audit/rules.d/20-selfaudit.rules.j2 @@ -0,0 +1,11 @@ +## Audit the audit logs +-w /var/log/audit/ -k auditlog + +## Auditd configuration +-w /etc/audit/ -p wa -k auditconfig +-w /etc/libaudit.conf -p wa -k auditconfig +-w /etc/audisp/ -p wa -k audispconfig + +## Monitor for use of audit management tools +-w /sbin/auditctl -p x -k audittools +-w /sbin/auditd -p x -k audittools diff --git a/templates/etc/audit/rules.d/30-filter.rules.j2 b/templates/etc/audit/rules.d/30-filter.rules.j2 new file mode 100644 index 0000000..cf64482 --- /dev/null +++ b/templates/etc/audit/rules.d/30-filter.rules.j2 @@ -0,0 +1,15 @@ +{% for item in (auditd_filter_rules_default + auditd_filter_rules_extra )%} +{% if item.state | default("present") == "present" %} +{% if item.comment is defined and item.comment %} +## {{ item.comment }} +{% endif %} +{% if not item.rule is string and item.rule is iterable %} +{% for rule in item.rule %} +{{ rule }} +{% endfor %} +{% else %} +{{ item.rule }} +{% endif %} + +{% endif %} +{% endfor %} diff --git a/templates/etc/audit/rules.d/40-main.rules.j2 b/templates/etc/audit/rules.d/40-main.rules.j2 new file mode 100644 index 0000000..1ecf099 --- /dev/null +++ b/templates/etc/audit/rules.d/40-main.rules.j2 @@ -0,0 +1,13 @@ +{% for item in (auditd_main_rules_default + auditd_main_rules_extra) %} +{% if item.comment is defined and item.comment %} +## {{ item.comment }} +{% endif %} +{% if not item.rule is string and item.rule is iterable %} +{% for rule in item.rule %} +{{ rule }} +{% endfor %} +{% else %} +{{ item.rule }} +{% endif %} + +{% endfor %} diff --git a/templates/etc/audit/rules.d/50-optional.rules.j2 b/templates/etc/audit/rules.d/50-optional.rules.j2 new file mode 100644 index 0000000..0b2fe5b --- /dev/null +++ b/templates/etc/audit/rules.d/50-optional.rules.j2 @@ -0,0 +1,13 @@ +{% for item in (auditd_optional_rules_default + auditd_optional_rules_extra) %} +{% if item.comment is defined and item.comment %} +## {{ item.comment }} +{% endif %} +{% if not item.rule is string and item.rule is iterable %} +{% for rule in item.rule %} +{{ rule }} +{% endfor %} +{% else %} +{{ item.rule }} +{% endif %} + +{% endfor %} diff --git a/templates/etc/audit/rules.d/90-finalize.rules.j2 b/templates/etc/audit/rules.d/90-finalize.rules.j2 new file mode 100644 index 0000000..eb21f5d --- /dev/null +++ b/templates/etc/audit/rules.d/90-finalize.rules.j2 @@ -0,0 +1,4 @@ +{% if auditd_config_immutable %} +## Make the configuration immutable +-e 2 +{% endif %} diff --git a/templates/etc/systemd/system/auditd.service.d/override.conf.j2 b/templates/etc/systemd/system/auditd.service.d/override.conf.j2 new file mode 100644 index 0000000..eb859a6 --- /dev/null +++ b/templates/etc/systemd/system/auditd.service.d/override.conf.j2 @@ -0,0 +1,9 @@ +#jinja2: lstrip_blocks: True +{{ ansible_managed | comment }} +{% if not auditd_refuse_manual_stop | bool %} +[Unit] +RefuseManualStop=no + +{% endif %} +[Service] +ExecStartPost=-/sbin/augenrules --load diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..f6889b6 --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,8 @@ +--- +__auditd_rule_templates: + - 10-start.rules + - 20-selfaudit.rules + - 30-filter.rules + - 40-main.rules + - 50-optional.rules + - 90-finalize.rules