Disable DAC change auditing

This patch disables all of the discretionary access control (DAC)
auditing in auditd. This should reduce the volume of logs created
during deployments and during OpenStack CI jobs.

The patch also corrects an incorrect key in the audit logs for
V-38568.

Manual backport of I193f739647cfb7d0ce395984b51867bf6bd46cd8.

Closes-Bug: 1620849
Change-Id: I77b1322874ca3c55cc8d52476bb1eda5d86de2dc
This commit is contained in:
Major Hayden 2016-09-07 07:38:11 -05:00
parent 775f641513
commit ca9b7decdf
12 changed files with 144 additions and 32 deletions

View File

@ -59,17 +59,17 @@ security_audit_clock_settime: yes # V-38527
security_audit_clock_settimeofday: yes # V-38522
security_audit_clock_stime: yes # V-38525
security_audit_DAC_chmod: no # V-38543
security_audit_DAC_chown: yes # V-38545
security_audit_DAC_lchown: yes # V-38558
security_audit_DAC_chown: no # V-38545
security_audit_DAC_lchown: no # V-38558
security_audit_DAC_fchmod: no # V-38547
security_audit_DAC_fchmodat: no # V-38550
security_audit_DAC_fchown: yes # V-38552
security_audit_DAC_fchownat: yes # V-38554
security_audit_DAC_fremovexattr: yes # V-38556
security_audit_DAC_lremovexattr: yes # V-38559
security_audit_DAC_fsetxattr: yes # V-38557
security_audit_DAC_lsetxattr: yes # V-38561
security_audit_DAC_setxattr: yes # V-38565
security_audit_DAC_fchown: no # V-38552
security_audit_DAC_fchownat: no # V-38554
security_audit_DAC_fremovexattr: no # V-38556
security_audit_DAC_lremovexattr: no # V-38559
security_audit_DAC_fsetxattr: no # V-38557
security_audit_DAC_lsetxattr: no # V-38561
security_audit_DAC_setxattr: no # V-38565
security_audit_deletions: no # V-38575
security_audit_failed_access: no # V-38566
security_audit_filesystem_mounts: yes # V-38568

View File

@ -1,2 +1,12 @@
Rules are added for auditd to log discretionary access control permission
changes done with chown.
**Exception**
The audit rules for permission changes made with ``chown`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``chown`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_chown: yes

View File

@ -1,2 +1,12 @@
Rules are added for auditing discretionary access control changes
made by fchown.
**Exception**
The audit rules for permission changes made with ``fchown`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``fchown`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_fchown: yes

View File

@ -1,2 +1,12 @@
Rules are added for auditing discretionary access control changes made by
fchownat.
**Exception**
The audit rules for permission changes made with ``fchownat`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``fchownat`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_fchownat: yes

View File

@ -1,2 +1,12 @@
Rules are added for auditing discretionary access control changes made
by ``fremovexattr``.
**Exception**
The audit rules for permission changes made with ``fremovexattr`` are disabled
by default as they can generate an excessive amount of logs in a short period
of time, especially during a deployment.
Deployers can enable auditing for ``fremovexattr`` usage by setting the
following Ansible variable:
.. code-block:: yaml
security_audit_DAC_fremovexattr: yes

View File

@ -1,2 +1,12 @@
Rules are added for auditing discretionary access control changes made via
``fsetxattr``.
**Exception**
The audit rules for permission changes made with ``fsetxattr`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``fsetxattr`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_fsetxattr: yes

View File

@ -1,2 +1,12 @@
Rules are added for auditing discretionary access control changes made via
``lchown``.
**Exception**
The audit rules for permission changes made with ``lchown`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``lchown`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_lchown: yes

View File

@ -1,2 +1,12 @@
Rules are added for auditing discretionary access control changes made via
``lremovexattr``.
**Exception**
The audit rules for permission changes made with ``lremovexattr`` are disabled
by default as they can generate an excessive amount of logs in a short period
of time, especially during a deployment.
Deployers can enable auditing for ``lremovexattr`` usage by setting the
following Ansible variable:
.. code-block:: yaml
security_audit_DAC_lremovexattr: yes

View File

@ -1,3 +1,12 @@
Rules are added to auditd to log all DAC modifications using `lsetxattr`_.
**Exception**
.. _lsetxattr: http://linux.die.net/man/2/lsetxattr
The audit rules for permission changes made with ``lxsetxattr`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``lsetxattr`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_lsetxattr: yes

View File

@ -1,4 +1,12 @@
Rules are added so that all permission modifications made via `setxattr`_ are
logged.
**Exception**
.. _setxattr: http://man7.org/linux/man-pages/man2/setxattr.2.html
The audit rules for permission changes made with ``setxattr`` are disabled by
default as they can generate an excessive amount of logs in a short period of
time, especially during a deployment.
Deployers can enable auditing for ``lsetxattr`` usage by setting the following
Ansible variable:
.. code-block:: yaml
security_audit_DAC_lsetxattr: yes

View File

@ -0,0 +1,25 @@
---
upgrade:
- |
All of the discretionary access control (DAC) auditing is now disabled by
default. This reduces the amount of logs generated during deployments and
minor upgrades. The following variables are now set to ``no``:
.. code-block:: yaml
security_audit_DAC_chmod: no
security_audit_DAC_chown: no
security_audit_DAC_lchown: no
security_audit_DAC_fchmod: no
security_audit_DAC_fchmodat: no
security_audit_DAC_fchown: no
security_audit_DAC_fchownat: no
security_audit_DAC_fremovexattr: no
security_audit_DAC_lremovexattr: no
security_audit_DAC_fsetxattr: no
security_audit_DAC_lsetxattr: no
security_audit_DAC_setxattr: no
fixes:
- The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly
labeled in the auditd logs with the key of ``export-V-38568``. They are
now correctly logged with the key ``filesystem_mount-V-38568``.

View File

@ -177,10 +177,10 @@
{% if security_audit_filesystem_mounts | bool %}
# RHEL 6 STIG V-38568
# Audits filesystem mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
-a always,exit -F arch=b32 -S mount -F auid=0 -k export-V-38568
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export-V-38568
-a always,exit -F arch=b64 -S mount -F auid=0 -k export-V-38568
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
{% endif %}
{% if security_audit_deletions | bool %}