dev-sec · m41kc0d3 · Jul 22, 2021 · Jul 23, 2021 · Jul 23, 2021 · Jul 23, 2021
diff --git a/NOTICE b/NOTICE
@@ -0,0 +1,5 @@
+Ansible Collection - devsec.hardening
+
+Huge parts of the audit rules in roles/os_hardening/vars/*.yml
+was created by Deutsche Telekom AG. (https://github.com/telekom/tel-it-security-automation/blob/21dacf83ab1245bf7c42c12d1d25292562599b79/hardening-linux-server/vars/main.yml & https://github.com/telekom/tel-it-security-automation)
+Copyright (c) 2020 Maximilian Hertstein [...] Deutsche Telekom AG
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -217,6 +217,15 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_max_log_file`
  - Default: `6`
  - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric.
+- `os_auditd_rules_enabled`
+ - Default: `true`
+ - Description: Set to false to disable configuring auditd rules.
+- `os_auditd_rules_failure_mode`
+ - Default: `1`
+ - Description: Set failure mode of auditd 0=silent 1=printk 2=panic. This option lets you determine how you want the kernel to handle critical errors. The value given must be numeric.
+- `os_auditd_rules_events_extra`
+ - Default: `[]`
+ - Description: Add additional event rules for auditd. You can also delete predefined rules with `-d list,action` or `-W path`.
 - `hidepid_option`
  - Default: `2` (on RHEL/CentOS7 `0`, see known limitations)
  - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -322,6 +322,10 @@ os_hardening_enabled: true
 os_auditd_enabled: true
 os_auditd_max_log_file: 6
 os_auditd_max_log_file_action: keep_logs
+# Set to false to disable configuring auditd rules.
+os_auditd_rules_enabled: true
+os_auditd_rules_failure_mode: 1
+os_auditd_rules_events_extra: []
 
 # Set the SELinux state, which can be either disabled, permissive, or enforcing.
 os_selinux_state: enforcing

diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml
@@ -14,3 +14,14 @@
  mode: '0640'
  notify: 'restart-auditd'
  tags: auditd
+
+- name: Configure auditd rules
+ template:
+ src: 'etc/audit/rules.d/audit.rules.j2'
+ dest: "{{ os_auditd_rules_path }}"
+ owner: 'root'
+ group: 'root'
+ mode: '0640'
+ notify: 'restart-auditd'
+ tags: auditd
+ when: os_auditd_rules_enabled | bool
diff --git a/roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2 b/roles/os_hardening/templates/etc/audit/rules.d/audit.rules.j2
@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+# Generated by Ansible role {{ ansible_role_name }}
+
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## Set failure mode to syslog
+-f {{ os_auditd_rules_failure_mode }}
+
+## List of events to log
+{% for rule in os_auditd_rules_events %}
+{{rule}}
+{% endfor %}
+{% for ruleos in os_auditd_rules_events_os %}
+{{ruleos}}
+{% endfor %}
+{% for ruleextra in os_auditd_rules_events_extra %}
+{{ruleextra}}
+{% endfor %}
+
+## Lock the Audit configuration
+-e 2
diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
@@ -41,6 +41,22 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/yum -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
 
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']

diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml
@@ -31,5 +31,18 @@ os_auth_sub_gid_count: 65536
 
 modprobe_package: 'kmod'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/pacman -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
+ # Change of AppArmor configuration
+ - "-w /etc/apparmor -p wa -k MAC-policy"
+ - "-w /etc/apparmor.d -p wa -k MAC-policy"
 
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml
@@ -38,6 +38,26 @@ os_useradd_mail_dir: /var/mail
 
 modprobe_package: 'kmod'
 auditd_package: 'auditd'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/dpkg -p x -k software_mgmt"
+ - "-w /usr/bin/apt-add-repository -p x -k software_mgmt"
+ - "-w /usr/bin/apt-get -p x -k software_mgmt"
+ - "-w /usr/bin/aptitude -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/log/faillog -p wa -k logins"
+ - "-w /var/log/tallylog -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/auth.log"
+ - "-w /var/log/system.log"
+ # Change of network configuration
+ - "-w /etc/network/interfaces -p wa -k system-locale"
+ # Change of AppArmor configuration
+ - "-w /etc/apparmor -p wa -k MAC-policy"
+ - "-w /etc/apparmor.d -p wa -k MAC-policy"
 
 tally2_path: '/usr/share/pam-configs/tally2'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'

diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml
@@ -41,5 +41,21 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/yum -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
 
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml
@@ -41,5 +41,21 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/yum -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
 
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml
@@ -41,5 +41,21 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/yum -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
 
 hidepid_option: '0' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/RedHat_8.yml b/roles/os_hardening/vars/RedHat_8.yml
@@ -41,5 +41,21 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/yum -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
 
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Rocky_8.yml b/roles/os_hardening/vars/Rocky_8.yml
@@ -41,5 +41,21 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/yum -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/run/faillock -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of SELinux configuration
+ - "-w /etc/selinux -p wa -k MAC-policy"
 
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Suse.yml b/roles/os_hardening/vars/Suse.yml
@@ -38,5 +38,22 @@ os_useradd_create_home: false
 
 modprobe_package: 'kmod-compat'
 auditd_package: 'audit'
+os_auditd_rules_events_os:
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # (Un)Installation of software
+ - "-w /usr/bin/rpm -p x -k software_mgmt"
+ - "-w /usr/bin/zypper -p x -k software_mgmt"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/log/faillog -p wa -k logins"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/messages"
+ # Change of network configuration
+ - "-w /etc/sysconfig/network -p wa -k system-locale"
+ - "-w /etc/sysconfig/network-scripts -p wa -k system-locale"
+ # Change of AppArmor configuration
+ - "-w /etc/apparmor -p wa -k MAC-policy"
+ - "-w /etc/apparmor.d -p wa -k MAC-policy"
 
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/main.yml b/roles/os_hardening/vars/main.yml
@@ -110,3 +110,83 @@ os_security_suid_sgid_system_whitelist:
 
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']
+
+# path to audit.rules file
+os_auditd_rules_path: "/etc/audit/rules.d/audit.rules"
+# Huge parts of the rules are from https://github.com/telekom/tel-it-security-automation
+os_auditd_rules_events:
+ # Syscalls "execve" (execute program) must be logged. Telekom SoC 3.65 ReqID 31d021a2
+ - "-a always,exit -F arch=b64 -S execve"
+ # System events must be logged. Telekom SoC 3.65 ReqID 32213164
+ # Change of system time
+ - "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
+ - "-a always,exit -F arch=b64 -S clock_settime -k time-change"
+ - "-w /etc/localtime -p wa -k time-change"
+ # Connection of external device (storage)
+ - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+ - "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export"
+ # Loading/unloading of kernel modules
+ - "-w /sbin/insmod -p x -k modules"
+ - "-w /sbin/rmmod -p x -k modules"
+ - "-w /sbin/modprobe -p x -k modules"
+ - "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
+ # Change of scheduled jobs
+ - "-w /etc/at.allow"
+ - "-w /etc/at.deny"
+ - "-w /var/spool/at"
+ - "-w /etc/crontab"
+ - "-w /etc/anacrontab"
+ - "-w /etc/cron.allow"
+ - "-w /etc/cron.deny"
+ - "-w /etc/cron.d"
+ - "-w /etc/cron.hourly"
+ - "-w /etc/cron.daily"
+ - "-w /etc/cron.weekly"
+ - "-w /etc/cron.monthly"
+ # Access and Authentication events must be logged. Telekom SoC 3.65 ReqID f081ec34
+ # Logon and Logoff
+ - "-w /var/log/lastlog -p wa -k logins"
+ # Password Change
+ - "-w /etc/shadow -p wa -k identity"
+ - "-w /etc/gshadow -p wa -k identity"
+ - "-w /etc/security/opasswd -p wa -k identity"
+ # Escalation of privileges (sudo/sudoers)
+ - "-w /etc/sudoers -p wa -k scope"
+ - "-w /etc/sudoers.d -p wa -k scope"
+ - "-w /var/log/sudo.log -p wa -k actions"
+ # Modification of DAC permissions
+ - "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
+ - "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
+ - "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
+ # Account and Group Management events must be logged. Telekom SoC 3.65 ReqID 101afb5f
+ # Creation, modification and deletion of users
+ - "-w /etc/passwd -p wa -k identity"
+ # Creation, modification and deletion of groups
+ - "-w /etc/group -p wa -k identity"
+ # Configuration Change events must be logged. Telekom SoC 3.65 ReqID 5a090110
+ # Deletion and unauthorized modification of logs
+ - "-w /var/log/audit/audit.log"
+ - "-w /var/log/audit/audit[1-9].log"
+ # Change of logging configuration
+ - "-w /etc/syslog"
+ - "-w /etc/rsyslog.conf"
+ - "-w /etc/rsyslog.d/conf"
+ - "-w /etc/audit/auditd.conf -p wa"
+ - "-w /etc/audit/audit.rules -p wa"
+ # Change of network configuration
+ - "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
+ - "-w /etc/issue -p wa -k system-locale"
+ - "-w /etc/issue.net -p wa -k system-locale"
+ - "-w /etc/hosts -p wa -k system-locale"
+ - "-w /etc/network -p wa -k system-locale"
+ - "-w /etc/networks -p wa -k system-locale"
+ # Authentication Subsystem changes
+ - "-w /etc/pam.d"
+ - "-w /etc/nsswitch.conf"
+ # Critical File changes
+ - "-w /etc/ssh/sshd_config"
+ - "-w /etc/sysctl.conf"
+ - "-w /etc/modprobe.conf"
+ - "-w /etc/profile.d"
+ - "-w /etc/profile"
+ - "-w /etc/shells"