From da156fd5695998261afadeef5f9b493faf04029c Mon Sep 17 00:00:00 2001 From: Maik Stuebner Date: Thu, 22 Jul 2021 15:03:09 +0200 Subject: [PATCH 1/4] Add Configuration of auditd rules see Telekom 2021.07-01 SoC 3.65 Req 32-36 Signed-off-by: Maik Stuebner --- roles/os_hardening/README.md | 9 +++ roles/os_hardening/defaults/main.yml | 4 + roles/os_hardening/tasks/auditd.yml | 11 +++ .../etc/audit/rules.d/audit.rules.j2 | 26 ++++++ roles/os_hardening/vars/Amazon.yml | 16 ++++ roles/os_hardening/vars/Archlinux.yml | 13 +++ roles/os_hardening/vars/Debian.yml | 20 +++++ roles/os_hardening/vars/Fedora.yml | 16 ++++ roles/os_hardening/vars/RedHat.yml | 16 ++++ roles/os_hardening/vars/RedHat_7.yml | 16 ++++ roles/os_hardening/vars/RedHat_8.yml | 16 ++++ roles/os_hardening/vars/Rocky_8.yml | 16 ++++ roles/os_hardening/vars/Suse.yml | 17 ++++ roles/os_hardening/vars/main.yml | 80 +++++++++++++++++++ 14 files changed, 276 insertions(+) create mode 100644 roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2 diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index 5897d0f3e..cf169439e 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md 
@@ -217,6 +217,15 @@ We know that this is the case on Raspberry Pi. - `os_auditd_max_log_file` - Default: `6` - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric. +- `os_auditd_rules_enabled` + - Default: `true` + - Description: Set to false to disable configuring auditd rules. +- `os_auditd_rules_failure_mode` + - Default: `1` + - Description: Set failure mode of auditd 0=silent 1=printk 2=panic. This option lets you determine how you want the kernel to handle critical errors. The value given must be numeric. +- `os_auditd_rules_events_extra` + - Default: `[]` + - Description: Add additional event rules for auditd. You can also delete predefined rules with `-d list,action` or `-W path`. - `hidepid_option` - Default: `2` (on RHEL/CentOS7 `0`, see known limitations) - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml index 95906dd6c..de62bf5e0 100644 --- a/roles/os_hardening/defaults/main.yml +++ b/roles/os_hardening/defaults/main.yml @@ -314,6 +314,10 @@ os_hardening_enabled: true os_auditd_enabled: true os_auditd_max_log_file: 6 os_auditd_max_log_file_action: keep_logs +# Set to false to disable configuring auditd rules. +os_auditd_rules_enabled: true +os_auditd_rules_failure_mode: 1 +os_auditd_rules_events_extra: [] # Set the SELinux state, which can be either disabled, permissive, or enforcing. os_selinux_state: enforcing diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml index 059087639..fad45434a 100644 
--- a/roles/os_hardening/tasks/auditd.yml +++ b/roles/os_hardening/tasks/auditd.yml @@ -14,3 +14,14 @@ mode: '0640' notify: 'restart-auditd' tags: auditd + +- name: Configure auditd rules + template: + src: 'etc/audit/rules.d/audit.rules.j2' + dest: "{{ os_auditd_rules_path }}" + owner: 'root' + group: 'root' + mode: '0640' + notify: 'restart-auditd' + tags: auditd + when: os_auditd_rules_enabled | bool diff --git a/roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2 b/roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2 new file mode 100644 index 000000000..33fa5f457 --- /dev/null +++ b/roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2 @@ -0,0 +1,26 @@ +{{ ansible_managed | comment }} +# Generated by Ansible role {{ ansible_role_name }} + +## First rule - delete all +-D + +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 + +## Set failure mode to syslog +-f {{ os_auditd_rules_failure_mode }} + +## List of events to log +{% for rule in os_auditd_rules_events %} +{{rule}} +{% endfor %} +{% for ruleos in os_auditd_rules_events_os %} +{{ruleos}} +{% endfor %} +{% for ruleextra in os_auditd_rules_events_extra %} +{{ruleextra}} +{% endfor %} + +## Lock the Audit configuration +-e 2 diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml index 9ac48c2b3..30b260b28 100644 --- a/roles/os_hardening/vars/Amazon.yml +++ b/roles/os_hardening/vars/Amazon.yml 
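Review bot: `notify: 'restart-auditd'` on the new Configure auditd rules task only takes effect on the first run, because the template it renders ends with `-e 2`, which makes the kernel audit configuration immutable until reboot; a later change to `os_auditd_rules_events_extra` is written to disk and reported as changed, but, as far as I recall, augenrules then only warns that the system is in immutable mode. A comment on the task such as `# rules end with -e 2: once loaded, rule changes need a reboot to become active` and a matching sentence in the README entry for `os_auditd_rules_enabled` would make that visible, or the `-e` value could be exposed as its own variable so non-production hosts can keep rules reloadable. The task also writes only under rules.d, which assumes the host's auditd start path runs augenrules; on any supported platform that still loads /etc/audit/audit.rules directly the file is never read, so that is worth confirming against the role's older targets.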
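Review bot: `## Set failure mode to syslog` above `-f {{ os_auditd_rules_failure_mode }}` is only true for the default value 1; since 2 makes the kernel panic when audit cannot record an event, the comment should describe the choice, e.g. `## Failure mode: 0=silent 1=printk 2=panic (2 halts the host if auditing fails)`. The rendered file has no `-c` (or `-i`), so if auditctl rejects one rule it stops at that line and everything after it is skipped — including `-e 2`, which then quietly leaves the configuration unlocked; whether to add `-c` or keep fail-fast deserves a comment either way. `-b 8192` is hard-coded while the failure mode is a variable; exposing it alongside `os_auditd_rules_failure_mode` would let busy hosts raise it without overriding the whole template. Style: the rest of the role writes Jinja as `{{ var }}` (see `{{ ansible_managed | comment }}` here and `{{ os_auditd_rules_path }}` in the task), so `{{rule}}`, `{{ruleos}}` and `{{ruleextra}}` should get the inner spaces.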
@@ -41,6 +41,22 @@ os_useradd_create_home: true modprobe_package: 'module-init-tools' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/yum -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" # system accounts that do not get their login disabled and pasword changed os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user'] diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml index 275525461..cc1839767 100644 --- a/roles/os_hardening/vars/Archlinux.yml +++ b/roles/os_hardening/vars/Archlinux.yml @@ -31,5 +31,18 @@ os_auth_sub_gid_count: 65536 modprobe_package: 'kmod' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/pacman -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" + # Change of AppArmor configuration + - "-w /etc/apparmor/ -p wa -k MAC-policy" + - "-w /etc/apparmor.d/ -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 
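Review bot: `-w /var/log/messages` has no `-p` and no `-k`, so it watches read, write, execute and attribute access (the auditctl default when `-p` is omitted), which turns every read of the log by an administrator or log shipper into an event, and without a key those events cannot be pulled out with `ausearch -k`; `- "-w /var/log/messages -p wa -k logs"` (key name constructed) matches the "deletion and unauthorized modification" intent of the comment above it. The same line appears unchanged in the Fedora, RedHat, RedHat_7, RedHat_8, Rocky_8 and Suse hunks of this commit.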
diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml index efb086087..3bce0d2ac 100644 --- a/roles/os_hardening/vars/Debian.yml +++ b/roles/os_hardening/vars/Debian.yml @@ -38,6 +38,26 @@ os_useradd_mail_dir: /var/mail modprobe_package: 'kmod' auditd_package: 'auditd' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/dpkg -p x -k software_mgmt" + - "-w /usr/bin/apt-add-repository -p x -k software_mgmt" + - "-w /usr/bin/apt-get -p x -k software_mgmt" + - "-w /usr/bin/aptitude -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/log/faillog -p wa -k logins" + - "-w /var/log/tallylog -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/auth.log" + - "-w /var/log/system.log" + # Change of network configuration + - "-w /etc/network/interfaces -p wa -k system-locale" + # Change of AppArmor configuration + - "-w /etc/apparmor/ -p wa -k MAC-policy" + - "-w /etc/apparmor.d/ -p wa -k MAC-policy" tally2_path: '/usr/share/pam-configs/tally2' passwdqc_path: '/usr/share/pam-configs/passwdqc' diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml index d9253b8a0..27073019c 100644 --- a/roles/os_hardening/vars/Fedora.yml +++ b/roles/os_hardening/vars/Fedora.yml 
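Review bot: `-w /var/log/system.log` does not look like a Debian path (the system log on Debian and Ubuntu is `/var/log/syslog`), so this watch is armed on a file that will normally never exist and records nothing; if the syslog file is meant, the line is `- "-w /var/log/syslog -p wa -k logs"` (key constructed), and `/var/log/auth.log` just above it needs the same `-p wa -k` treatment so that reads by log shippers are not recorded as events. The software-management block lists dpkg, apt-get, apt-add-repository and aptitude but not `/usr/bin/apt`, the front end most current releases use interactively; `- "-w /usr/bin/apt -p x -k software_mgmt"` closes that gap.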
@@ -41,5 +41,21 @@ os_useradd_create_home: true modprobe_package: 'module-init-tools' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/yum -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml index a54384ace..cf25be9e6 100644 --- a/roles/os_hardening/vars/RedHat.yml +++ b/roles/os_hardening/vars/RedHat.yml 
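Review bot: Fedora's package manager is dnf, but only `/usr/bin/rpm` and `/usr/bin/yum` are watched; on Fedora `/usr/bin/yum` is, as far as I know, a compatibility symlink to dnf, and an audit watch is placed on the path as given rather than on the link target, so installs run through `dnf` may not be recorded under the `software_mgmt` key. Adding `- "-w /usr/bin/dnf -p x -k software_mgmt"` next to the yum line avoids depending on that behaviour; the same applies to the RedHat_8 and Rocky_8 hunks.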
@@ -41,5 +41,21 @@ os_useradd_create_home: true modprobe_package: 'module-init-tools' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/yum -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml index c33088503..0d7cee498 100644 --- a/roles/os_hardening/vars/RedHat_7.yml +++ b/roles/os_hardening/vars/RedHat_7.yml 
@@ -41,5 +41,21 @@ os_useradd_create_home: true modprobe_package: 'module-init-tools' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/yum -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" hidepid_option: '0' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/RedHat_8.yml b/roles/os_hardening/vars/RedHat_8.yml index 2a0aa3294..aea35cfd6 100644 --- a/roles/os_hardening/vars/RedHat_8.yml +++ b/roles/os_hardening/vars/RedHat_8.yml 
@@ -41,5 +41,21 @@ os_useradd_create_home: true modprobe_package: 'module-init-tools' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/yum -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/Rocky_8.yml b/roles/os_hardening/vars/Rocky_8.yml index 2a0aa3294..aea35cfd6 100644 --- a/roles/os_hardening/vars/Rocky_8.yml +++ b/roles/os_hardening/vars/Rocky_8.yml 
@@ -41,5 +41,21 @@ os_useradd_create_home: true modprobe_package: 'module-init-tools' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/yum -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/run/faillock/ -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of SELinux configuration + - "-w /etc/selinux/ -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/Suse.yml b/roles/os_hardening/vars/Suse.yml index 45286e5ce..3ac5839a0 100644 --- a/roles/os_hardening/vars/Suse.yml +++ b/roles/os_hardening/vars/Suse.yml 
@@ -38,5 +38,22 @@ os_useradd_create_home: false modprobe_package: 'kmod-compat' auditd_package: 'audit' +os_auditd_rules_events_os: + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # (Un)Installation of software + - "-w /usr/bin/rpm -p x -k software_mgmt" + - "-w /usr/bin/zypper -p x -k software_mgmt" + # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/log/faillog -p wa -k logins" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/messages" + # Change of network configuration + - "-w /etc/sysconfig/network -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + # Change of AppArmor configuration + - "-w /etc/apparmor/ -p wa -k MAC-policy" + - "-w /etc/apparmor.d/ -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/main.yml b/roles/os_hardening/vars/main.yml index beeaba147..81353c97a 100644 --- a/roles/os_hardening/vars/main.yml +++ b/roles/os_hardening/vars/main.yml 
@@ -110,3 +110,83 @@ os_security_suid_sgid_system_whitelist: # system accounts that do not get their login disabled and pasword changed os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt'] + +# path to audit.rules file +os_auditd_rules_path: "/etc/audit/rules.d/audit.rules" +os_auditd_rules_events: + # Syscalls "execve" (execute program) must be logged. Telekom SoC 3.65 ReqID 31d021a2 + - "-a exit,always -F arch=b64 -S execve" + # System events must be logged. Telekom SoC 3.65 ReqID 32213164 + # Change of system time + - "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" + - "-a always,exit -F arch=b64 -S clock_settime -k time-change" + - "-w /etc/localtime -p wa -k time-change" + # Connection of external device (storage) + - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + - "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export" + # Loading/unloading of kernel modules + - "-w /sbin/insmod -p x -k modules" + - "-w /sbin/rmmod -p x -k modules" + - "-w /sbin/modprobe -p x -k modules" + - "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" + # Change of scheduled jobs + - "-w /etc/at.allow" + - "-w /etc/at.deny" + - "-w /var/spool/at/" + - "-w /etc/crontab" + - "-w /etc/anacrontab" + - "-w /etc/cron.allow" + - "-w /etc/cron.deny" + - "-w /etc/cron.d/" + - "-w /etc/cron.hourly/" + - "-w /etc/cron.daily" + - "-w /etc/cron.weekly/" + - "-w /etc/cron.monthly/" + # Access and Authentication events must be logged. 
Telekom SoC 3.65 ReqID f081ec34 + # Logon and Logoff + - "-w /var/log/lastlog -p wa -k logins" + # Password Change + - "-w /etc/shadow -p wa -k identity" + - "-w /etc/gshadow -p wa -k identity" + - "-w /etc/security/opasswd -p wa -k identity" + # Escalation of privileges (sudo/sudoers) + - "-w /etc/sudoers -p wa -k scope" + - "-w /etc/sudoers.d -p wa -k scope" + - "-w /var/log/sudo.log -p wa -k actions" + # Modification of DAC permissions + - "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" + - "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" + # Account and Group Management events must be logged. Telekom SoC 3.65 ReqID 101afb5f + # Creation, modification and deletion of users + - "-w /etc/passwd -p wa -k identity" + # Creation, modification and deletion of groups + - "-w /etc/group -p wa -k identity" + # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 + # Deletion and unauthorized modification of logs + - "-w /var/log/audit/audit.log" + - "-w /var/log/audit/audit[1-9].log" + # Change of logging configuration + - "-w /etc/syslog." 
+ - "-w /etc/rsyslog.conf" + - "-w /etc/rsyslog.d/conf" + - "-w /etc/audit/auditd.conf -p wa" + - "-w /etc/audit/audit.rules -p wa" + # Change of network configuration + - "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" + - "-w /etc/issue -p wa -k system-locale" + - "-w /etc/issue.net -p wa -k system-locale" + - "-w /etc/hosts -p wa -k system-locale" + - "-w /etc/network -p wa -k system-locale" + - "-w /etc/networks -p wa -k system-locale" + # Authentication Subsystem changes + - "-w /etc/pam.d/" + - "-w /etc/nsswitch.conf" + # Critical File changes + - "-w /etc/ssh/sshd_config" + - "-w /etc/sysctl.conf" + - "-w /etc/modprobe.conf" + - "-w /etc/profile.d/" + - "-w /etc/profile" + - "-w /etc/shells" + \ No newline at end of file From c133a411cc46d10ffee77940bb338c96a0d79b91 Mon Sep 17 00:00:00 2001 From: Maik Stuebner Date: Fri, 23 Jul 2021 09:35:14 +0200 Subject: [PATCH 2/4] add a link to TelIT repo where rules are from Signed-off-by: Maik Stuebner --- roles/os_hardening/vars/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/os_hardening/vars/main.yml b/roles/os_hardening/vars/main.yml index 81353c97a..fc6c973fe 100644 --- a/roles/os_hardening/vars/main.yml +++ b/roles/os_hardening/vars/main.yml @@ -113,9 +113,10 @@ os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt'] # path to audit.rules file os_auditd_rules_path: "/etc/audit/rules.d/audit.rules" +# Huge parts of the rules are from https://github.com/telekom/tel-it-security-automation os_auditd_rules_events: # Syscalls "execve" (execute program) must be logged. Telekom SoC 3.65 ReqID 31d021a2 - - "-a exit,always -F arch=b64 -S execve" + - "-a always,exit -F arch=b64 -S execve" # System events must be logged. Telekom SoC 3.65 ReqID 32213164 # Change of system time - "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" 
@@ -189,4 +190,3 @@ os_auditd_rules_events: - "-w /etc/profile.d/" - "-w /etc/profile" - "-w /etc/shells" - \ No newline at end of file From 9b015f3b5aed968f37ed677ee306fd103b31c367 Mon Sep 17 00:00:00 2001 From: Maik Stuebner Date: Fri, 23 Jul 2021 12:12:23 +0200 Subject: [PATCH 3/4] add NOTICE file for code reuse Signed-off-by: Maik Stuebner --- NOTICE | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 NOTICE diff --git a/NOTICE b/NOTICE new file mode 100644 index 000000000..265134442 --- /dev/null +++ b/NOTICE @@ -0,0 +1,5 @@ +Ansible Collection - devsec.hardening + +Huge parts of the audit rules in roles/os_hardening/vars/*.yml +was created by Deutsche Telekom AG. (https://github.com/telekom/tel-it-security-automation/blob/21dacf83ab1245bf7c42c12d1d25292562599b79/hardening-linux-server/vars/main.yml & https://github.com/telekom/tel-it-security-automation) +Copyright (c) 2020 Maximilian Hertstein [...] Deutsche Telekom AG \ No newline at end of file From d4d84d51c7921111899b83bbca4c49d205f472e6 Mon Sep 17 00:00:00 2001 From: Maik Stuebner Date: Fri, 23 Jul 2021 15:08:50 +0200 Subject: [PATCH 4/4] Fix syntax of auditd rules Signed-off-by: Maik Stuebner --- roles/os_hardening/vars/Amazon.yml | 6 +++--- roles/os_hardening/vars/Archlinux.yml | 8 ++++---- roles/os_hardening/vars/Debian.yml | 4 ++-- roles/os_hardening/vars/Fedora.yml | 6 +++--- roles/os_hardening/vars/RedHat.yml | 6 +++--- roles/os_hardening/vars/RedHat_7.yml | 6 +++--- roles/os_hardening/vars/RedHat_8.yml | 6 +++--- roles/os_hardening/vars/Rocky_8.yml | 6 +++--- roles/os_hardening/vars/Suse.yml | 6 +++--- roles/os_hardening/vars/main.yml | 16 ++++++++-------- 10 files changed, 35 insertions(+), 35 deletions(-) diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml index 30b260b28..8c6e7acd2 100644 --- a/roles/os_hardening/vars/Amazon.yml +++ b/roles/os_hardening/vars/Amazon.yml 
@@ -48,15 +48,15 @@ os_auditd_rules_events_os: - "-w /usr/bin/yum -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Deletion and unauthorized modification of logs - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" # system accounts that do not get their login disabled and pasword changed os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user'] diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml index cc1839767..7aa170040 100644 --- a/roles/os_hardening/vars/Archlinux.yml +++ b/roles/os_hardening/vars/Archlinux.yml @@ -37,12 +37,12 @@ os_auditd_rules_events_os: - "-w /usr/bin/pacman -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" # Change of AppArmor configuration - - "-w /etc/apparmor/ -p wa -k MAC-policy" - - "-w /etc/apparmor.d/ -p wa -k MAC-policy" + - "-w /etc/apparmor -p wa -k MAC-policy" + - "-w /etc/apparmor.d -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml index 3bce0d2ac..b25a88e22 100644 
--- a/roles/os_hardening/vars/Debian.yml +++ b/roles/os_hardening/vars/Debian.yml @@ -56,8 +56,8 @@ os_auditd_rules_events_os: # Change of network configuration - "-w /etc/network/interfaces -p wa -k system-locale" # Change of AppArmor configuration - - "-w /etc/apparmor/ -p wa -k MAC-policy" - - "-w /etc/apparmor.d/ -p wa -k MAC-policy" + - "-w /etc/apparmor -p wa -k MAC-policy" + - "-w /etc/apparmor.d -p wa -k MAC-policy" tally2_path: '/usr/share/pam-configs/tally2' passwdqc_path: '/usr/share/pam-configs/passwdqc' diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml index 27073019c..9747d8b43 100644 --- a/roles/os_hardening/vars/Fedora.yml +++ b/roles/os_hardening/vars/Fedora.yml @@ -48,14 +48,14 @@ os_auditd_rules_events_os: - "-w /usr/bin/yum -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Deletion and unauthorized modification of logs - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml index cf25be9e6..8bbf6e62a 100644 --- a/roles/os_hardening/vars/RedHat.yml +++ b/roles/os_hardening/vars/RedHat.yml 
@@ -48,14 +48,14 @@ os_auditd_rules_events_os: - "-w /usr/bin/yum -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Deletion and unauthorized modification of logs - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml index 0d7cee498..bfc363739 100644 --- a/roles/os_hardening/vars/RedHat_7.yml +++ b/roles/os_hardening/vars/RedHat_7.yml @@ -48,14 +48,14 @@ os_auditd_rules_events_os: - "-w /usr/bin/yum -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Deletion and unauthorized modification of logs - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" hidepid_option: '0' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/RedHat_8.yml b/roles/os_hardening/vars/RedHat_8.yml index aea35cfd6..fe08da387 100644 --- a/roles/os_hardening/vars/RedHat_8.yml 
+++ b/roles/os_hardening/vars/RedHat_8.yml @@ -48,14 +48,14 @@ os_auditd_rules_events_os: - "-w /usr/bin/yum -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Deletion and unauthorized modification of logs - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/Rocky_8.yml b/roles/os_hardening/vars/Rocky_8.yml index aea35cfd6..fe08da387 100644 --- a/roles/os_hardening/vars/Rocky_8.yml +++ b/roles/os_hardening/vars/Rocky_8.yml @@ -48,14 +48,14 @@ os_auditd_rules_events_os: - "-w /usr/bin/yum -p x -k software_mgmt" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - - "-w /var/run/faillock/ -p wa -k logins" + - "-w /var/run/faillock -p wa -k logins" # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110 # Deletion and unauthorized modification of logs - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of SELinux configuration - - "-w /etc/selinux/ -p wa -k MAC-policy" + - "-w /etc/selinux -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/Suse.yml b/roles/os_hardening/vars/Suse.yml index 3ac5839a0..890e535fb 100644 
--- a/roles/os_hardening/vars/Suse.yml +++ b/roles/os_hardening/vars/Suse.yml @@ -51,9 +51,9 @@ os_auditd_rules_events_os: - "-w /var/log/messages" # Change of network configuration - "-w /etc/sysconfig/network -p wa -k system-locale" - - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" + - "-w /etc/sysconfig/network-scripts -p wa -k system-locale" # Change of AppArmor configuration - - "-w /etc/apparmor/ -p wa -k MAC-policy" - - "-w /etc/apparmor.d/ -p wa -k MAC-policy" + - "-w /etc/apparmor -p wa -k MAC-policy" + - "-w /etc/apparmor.d -p wa -k MAC-policy" hidepid_option: '2' # allowed values: 0, 1, 2 diff --git a/roles/os_hardening/vars/main.yml b/roles/os_hardening/vars/main.yml index fc6c973fe..8bd8b34f2 100644 --- a/roles/os_hardening/vars/main.yml +++ b/roles/os_hardening/vars/main.yml @@ -133,16 +133,16 @@ os_auditd_rules_events: # Change of scheduled jobs - "-w /etc/at.allow" - "-w /etc/at.deny" - - "-w /var/spool/at/" + - "-w /var/spool/at" - "-w /etc/crontab" - "-w /etc/anacrontab" - "-w /etc/cron.allow" - "-w /etc/cron.deny" - - "-w /etc/cron.d/" - - "-w /etc/cron.hourly/" + - "-w /etc/cron.d" + - "-w /etc/cron.hourly" - "-w /etc/cron.daily" - - "-w /etc/cron.weekly/" - - "-w /etc/cron.monthly/" + - "-w /etc/cron.weekly" + - "-w /etc/cron.monthly" # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34 # Logon and Logoff - "-w /var/log/lastlog -p wa -k logins" @@ -168,7 +168,7 @@ os_auditd_rules_events: - "-w /var/log/audit/audit.log" - "-w /var/log/audit/audit[1-9].log" # Change of logging configuration - - "-w /etc/syslog." + - "-w /etc/syslog" - "-w /etc/rsyslog.conf" - "-w /etc/rsyslog.d/conf" - "-w /etc/audit/auditd.conf -p wa" 
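Review bot: `-w /etc/syslog` replaces the broken `-w /etc/syslog.`, but `/etc/syslog` is not a path that exists on the distributions this role targets; the sysklogd configuration file is `/etc/syslog.conf`, which is presumably what the original rule meant, and a watch on a path that never appears records nothing. If the legacy file is the intent the line is `- "-w /etc/syslog.conf -p wa -k logging-config"` (key constructed). `-w /etc/rsyslog.d/conf` two lines below has the same shape of problem: it names a single file inside a directory that holds `*.conf` fragments, so `- "-w /etc/rsyslog.d -p wa -k logging-config"` is what actually covers changes to the rsyslog configuration.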
@@ -181,12 +181,12 @@ os_auditd_rules_events: - "-w /etc/network -p wa -k system-locale" - "-w /etc/networks -p wa -k system-locale" # Authentication Subsystem changes - - "-w /etc/pam.d/" + - "-w /etc/pam.d" - "-w /etc/nsswitch.conf" # Critical File changes - "-w /etc/ssh/sshd_config" - "-w /etc/sysctl.conf" - "-w /etc/modprobe.conf" - - "-w /etc/profile.d/" + - "-w /etc/profile.d" - "-w /etc/profile" - "-w /etc/shells"