openstack/openstack-ansible-security
Code Issues Proposed changes

Switch from dict to individual variables

Browse Source 
The dictionary-based variables didn't work properly and this patch
changes them to individual variables. If users followed the existing
documentation, their environments will be unaffected by this change
(they are still broken).

The new variables follow the pattern `security_VARIABLENAME` which
will soon become the standard for the role to avoid variable name
collisions with other playbooks and roles.

Release notes are included with this patch.

Closes-bug: 1577944

Change-Id: I455f66a0b4f423e2cf0e753b129367427f29479f
(cherry picked from commit f5061fd0222cd068934726231244c2dca82d9d43)
This commit is contained in:
Major Hayden 2016-05-05 08:32:32 -05:00
parent f0f53671b8
commit e2b39907d6
29 changed files with 174 additions and 144 deletions

103
defaults/main.yml

@ -50,32 +50,31 @@ initialize_aide: false
# will be deployed onto the host and auditd will get the new rules loaded
# automatically with augenrules.
#
auditd_rules:
account_modification: yes # V-38531, V-38534, V-38538
apparmor_changes: yes # V-38541
change_localtime: yes # V-38530
change_system_time: yes # V-38635
clock_settime: yes # V-38527
clock_settimeofday: yes # V-38522
clock_stime: yes # V-38525
DAC_chmod: no # V-38543
DAC_chown: yes # V-38545
DAC_lchown: yes # V-38558
DAC_fchmod: no # V-38547
DAC_fchmodat: no # V-38550
DAC_fchown: yes # V-38552
DAC_fchownat: yes # V-38554
DAC_fremovexattr: yes # V-38556
DAC_lremovexattr: yes # V-38559
DAC_fsetxattr: yes # V-38557
DAC_lsetxattr: yes # V-38561
DAC_setxattr: yes # V-38565
deletions: no # V-38575
failed_access: no # V-38566
filesystem_mounts: yes # V-38568
kernel_modules: yes # V-38580
network_changes: yes # V-38540
sudoers: yes # V-38578
security_audit_account_modification: yes # V-38531, V-38534, V-38538
security_audit_apparmor_changes: yes # V-38541
security_audit_change_localtime: yes # V-38530
security_audit_change_system_time: yes # V-38635
security_audit_clock_settime: yes # V-38527
security_audit_clock_settimeofday: yes # V-38522
security_audit_clock_stime: yes # V-38525
security_audit_DAC_chmod: no # V-38543
security_audit_DAC_chown: yes # V-38545
security_audit_DAC_lchown: yes # V-38558
security_audit_DAC_fchmod: no # V-38547
security_audit_DAC_fchmodat: no # V-38550
security_audit_DAC_fchown: yes # V-38552
security_audit_DAC_fchownat: yes # V-38554
security_audit_DAC_fremovexattr: yes # V-38556
security_audit_DAC_lremovexattr: yes # V-38559
security_audit_DAC_fsetxattr: yes # V-38557
security_audit_DAC_lsetxattr: yes # V-38561
security_audit_DAC_setxattr: yes # V-38565
security_audit_deletions: no # V-38575
security_audit_failed_access: no # V-38566
security_audit_filesystem_mounts: yes # V-38568
security_audit_kernel_modules: yes # V-38580
security_audit_network_changes: yes # V-38540
security_audit_sudoers: yes # V-38578
#
# **DANGER**
# Changing the options below can cause systems to go offline unexpectedly or
@ -150,31 +149,29 @@ disable_core_dumps: yes # V-38675
# Setting a 'no' will ensure that this Ansible role does not alter the service
# in any way from its current configuration.
#
disable_services:
abrtd: yes # V-38641
atd: yes # V-38640
autofs: yes # V-38437
avahi: yes # V-31618
bluetooth: yes # V-38691
qpidd: yes # V-38648
rsh: yes # V-38594
ypbind: yes # V-38604
xinetd: yes # V-38582
security_disable_abrtd: yes # V-38641
security_disable_atd: yes # V-38640
security_disable_autofs: yes # V-38437
security_disable_avahi: yes # V-31618
security_disable_bluetooth: yes # V-38691
security_disable_qpidd: yes # V-38648
security_disable_rsh: yes # V-38594
security_disable_ypbind: yes # V-38604
security_disable_xinetd: yes # V-38582
#
# The STIG recommends ensuring that some services aren't installed at ANY time.
# Those services are listed here. Setting a boolean here to 'yes' wiil
# ensure that the STIG is followed and the service is removed. Setting a
# boolean to 'no' means that the playbook will not alter the service.
#
remove_services:
ldap-server: yes # V-38627
rsh-server: yes # V-38591
sendmail: yes # V-38671
telnet_server: yes # V-38587
tftp-server: yes # V-38606
xinetd: yes # V-38584
xorg: yes # v-38676
ypserv: yes # V-38603
security_remove_ldap_server: yes # V-38627
security_remove_rsh_server: yes # V-38591
security_remove_sendmail: yes # V-38671
security_remove_telnet_server: yes # V-38587
security_remove_tftp_server: yes # V-38606
security_remove_xinetd: yes # V-38584
security_remove_xorg: yes # v-38676
security_remove_ypserv: yes # V-38603
## SSH configuration
# The following configuration items will adjust how the ssh daemon is
@ -196,13 +193,12 @@ ssh_permit_root_login: 'yes' # V-38613
## Kernel
# Set these booleans to 'yes' to disable the kernel module (following the
# STIG requirements). Set the boolean to 'no' to ensure no changes are made.
disable_module:
bluetooth: yes # V-38682
dccp: yes # V-38514
rds: yes # V-38516
sctp: yes # V-38515
tipc: yes # V-38517
usb_storage: no # V-38490
security_disable_module_bluetooth: yes # V-38682
security_disable_module_dccp: yes # V-38514
security_disable_module_rds: yes # V-38516
security_disable_module_sctp: yes # V-38515
security_disable_module_tipc: yes # V-38517
security_disable_module_usb_storage: no # V-38490
#
# ** DANGER **
# It's strongly recommended to fully understand the effects of changing the
@ -210,8 +206,7 @@ disable_module:
# Notes' for each of the STIGs below before making any changes.
# ** DANGER **
#
sysctl_tunable:
tcp_syncookies: 1 # V-38539
security_sysctl_tcp_syncookies: 1 # V-38539
#
# Deployers who wish to disable IPv6 entirely must set this configuration
# variable to 'yes'. See the documentation for V-38546 before making this

43
doc/source/configuration.rst

@ -54,14 +54,17 @@ critical events on a Linux server.
Rules for auditd
^^^^^^^^^^^^^^^^
The openstack-ansible-security creates a file full of audit rules for hosts
and these rules can be configured via the ``auditd_rules`` dictionary in
``defaults/main.yml``.
The openstack-ansible-security role creates a file containing audit rules for
hosts.
Each key within the dictionary refers to a block of rules that perform a
certain function. Setting a value of ``yes`` for these keys will ensure that
the rules are present in the final auditd configuration file. Setting a value
of ``no`` will ensure that they are omitted.
Each group of rules are controlled by Ansible variables that begin with
``security_audit_``. To omit a set of rules on a host, set the variable to
``no``. To include a set of rules on a host, set the variable to ``yes``.
For example, setting ``security_audit_filesystem_mounts`` to ``yes`` will
ensure that the rules for auditing filesystem mounts are included on each host.
Setting ``security_audit_filesystem_mounts`` to ``no`` will omit that group of
rules on each host.
To review the full list of rules and variables, refer to
``templates/osas-auditd.j2``.
@ -109,10 +112,14 @@ Kernel
Kernel modules
^^^^^^^^^^^^^^
Certain kernel modules are restricted by the STIG and those are reflected in
the ``disable_module`` dictionary within ``defaults/main.yml``. A setting of
``yes`` means that the module will be disabled on the next boot and a setting
of ``no`` means that the state of the module will not be changed.
Certain kernel modules are restricted by the STIG because they can become a
security threat to a server. The Ansible tasks will disable most of these
variables in accordance with the STIG. These changes are controlled by Ansible
variables matching the pattern ``security_disable_module_MODULENAME``. Refer to
``defaults/main.yml`` for a full list of these variables.
A setting of ``yes`` means that the module will be disabled on the next boot
and a setting of ``no`` means that the state of the module will not be changed.
All of the defaults are set in accordance with the STIG's requitements with
the exception of the ``usb_storage`` kernel module. This module is used
@ -156,8 +163,9 @@ Disabling services
^^^^^^^^^^^^^^^^^^
By default, the role will disable any services that are recommended to be
disabled by the STIG. The list of these services can be found within the
``disable_services`` dictionary in ``defaults/main.yml``.
disabled by the STIG. These changes are controlled by Ansible variables that
match the ``security_disable_SERVICENAME`` pattern. Review these variables in
``defaults/main.yml`` for more details.
A setting of ``yes`` for a service will cause the service to be disabled in
accordance to the STIG's requirements.
@ -169,10 +177,11 @@ it will remain stopped.
Removing services
^^^^^^^^^^^^^^^^^
The STIG requires that some packages are completely removed from the server.
By default, the role will remove the packages in accordance with the STIG's
requirements. These services are found within the ``remove_services``
dictionary within ``defaults/main.yml``.
The STIG requires that some packages are completely removed from the server. By
default, the role will remove the packages in accordance with the STIG's
requirements. These changes are controlled by Ansible variables that match the
``security_remove_SERVICENAME`` pattern. Review these variables in
``defaults/main.yml`` for more details.
A setting of ``yes`` for a service will cause the package that contains the
service to be removed from the system. If the service happens to be running

2
doc/source/developer-notes/V-38437.rst

@ -3,4 +3,4 @@ of this change, adjust the following variable:
.. code-block:: yaml
disable_services['autofs'] = no
security_disable_autofs: no

2
doc/source/developer-notes/V-38490.rst

@ -6,6 +6,6 @@ set the following variable to ``yes``:
.. code-block:: yaml
disable_module['usb_storage']: yes
security_disable_module_usb_storage: yes
**NOTE:** The module will be disabled on the next reboot.

2
doc/source/developer-notes/V-38514.rst

@ -6,6 +6,6 @@ To opt-out of this change, simply change the following variable to ``no``:
.. code-block:: yaml
disable_module['dccp']: no
security_disable_module_dccp: no
**NOTE:** The module will be disabled on the next reboot.

2
doc/source/developer-notes/V-38515.rst

@ -5,6 +5,6 @@ To opt-out of this change, set the following variable to ``no``:
.. code-block:: yaml
disable_module['sctp']: no
security_disable_module_sctp: no
**NOTE:** The module will be disabled on the next reboot.

2
doc/source/developer-notes/V-38516.rst

@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``:
.. code-block:: yaml
disable_module['rds']: no
security_disable_module_rds: no
**NOTE:** The module will be disabled on the next reboot.

2
doc/source/developer-notes/V-38517.rst

@ -8,6 +8,6 @@ To opt-out of this change, set the following variable to ``no``:
.. code-block:: yaml
disable_module['tipc']: no
security_disable_module_tipc: no
**NOTE:** The module will be disabled on the next reboot.

6
doc/source/developer-notes/V-38539.rst

@ -9,6 +9,12 @@ events. Putting well-configured hardware network devices in front of OpenStack
environments is always recommended and this may allow some deployers to turn
off SYN cookies within their environment.
Deployers can disable TCP SYN cookies by setting an Ansible variable:
.. code-block:: yaml
security_sysctl_tcp_syncookies: 0
For more information on TCP SYN cookies and TCP SYN floods, refer to these
links:

6
doc/source/developer-notes/V-38543.rst

@ -8,6 +8,6 @@ These audit rules can be enabled by setting any of the following variables:
.. code-block:: yaml
auditd_rules['DAC_chmod']: yes
auditd_rules['DAC_fchmod']: yes
auditd_rules['DAC_fchmodat']: yes
security_audit_DAC_chmod: yes
security_audit_DAC_fchmod: yes
security_audit_DAC_fchmodat: yes

2
doc/source/developer-notes/V-38566.rst

@ -9,4 +9,4 @@ the following Ansible variable:
.. code-block:: yaml
auditd_rules['failed_access']: yes
security_auditd_failed_access: yes

2
doc/source/developer-notes/V-38575.rst

@ -10,4 +10,4 @@ following Ansible variable:
.. code-block:: yaml
auditd_rules['deletions'] = yes
security_audit_deletions: yes

2
doc/source/developer-notes/V-38582.rst

@ -6,4 +6,4 @@ To opt-out of this change, simply adjust the following configuration item to
.. code-block:: yaml
disable_services['xinetd'] = no
security_disable_xinetd: no

2
doc/source/developer-notes/V-38584.rst

@ -4,4 +4,4 @@ to ``no``:
.. code-block:: yaml
remove_services['xinetd'] = no
security_remove_xinetd: no

11
doc/source/developer-notes/V-38587.rst

@ -1,3 +1,8 @@
The telnet server package will be removed by default. To control which
services will be removed, review the ``remove_services`` list in
``defaults/main.yml``.
The ``telnetd`` service will be removed by the Ansible tasks, if it is
installed. To opt-out of this change, adjust the following variable
to ``no``:
.. code-block:: yaml
security_remove_telnet_server: no

10
doc/source/developer-notes/V-38591.rst

@ -1,2 +1,8 @@
The rshd service will be removed by default. To control what services will
be removed, review the ``remove_services`` list in ``defaults/main.yml``.
The ``rshd`` service will be removed by the Ansible tasks, if it is
installed. To opt-out of this change, adjust the following variable
to ``no``:
.. code-block:: yaml
security_remove_rsh_server: no

2
doc/source/developer-notes/V-38603.rst

@ -4,4 +4,4 @@ opt-out of this change, adjust the following configuration variable to ``no``:
.. code-block:: yaml
remove_services['ypserv'] = no
security_remove_ypserv: no

2
doc/source/developer-notes/V-38606.rst

@ -3,4 +3,4 @@ following configuration variable to ``no``:
.. code-block:: yaml
remove_services['tftp-server'] = no
security_remove_tftp_server: no

2
doc/source/developer-notes/V-38627.rst

@ -5,4 +5,4 @@ To opt-out of this change, set the following Ansible variable to ``no``:
.. code-block:: yaml
remove_services['ldap-server']: no
security_remove_ldap_server: no

2
doc/source/developer-notes/V-38648.rst

@ -8,4 +8,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
disable_services['qpidd']: no
security_disable_qpidd: no

2
doc/source/developer-notes/V-38671.rst

@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
remove_services['sendmail']: no
security_remove_sendmail: no

2
doc/source/developer-notes/V-38676.rst

@ -5,4 +5,4 @@ To opt-out of the change, set the following Ansible variable to ``no``:
.. code-block:: yaml
remove_services['xorg']: no
security_remove_xorg: no

2
doc/source/developer-notes/V-38691.rst

@ -6,4 +6,4 @@ To opt-out of this change, adjust the following Ansible variable to ``no``:
.. code-block:: yaml
disable_services['bluetooth']: no
security_disable_bluetooth: no

9
releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml Normal file

@ -0,0 +1,9 @@
---
fixes:
- The dictionary-based variables in ``defaults/main.yml`` are now individual
variables. The dictionary-based variables could not be changed as the
documentation instructed. Instead it was required to override the entire
dictionary. Deployers must use the new variable names to enable or disable
the security configuration changes applied by the security role. For more
information, see
`Launchpad Bug 1577944 <https://bugs.launchpad.net/openstack-ansible/+bug/1577944>`_.

2
releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml

@ -1,6 +1,6 @@
---
fixes:
- Failed access logging is now disabled by default and can be enabled by
changing ``auditd_rules['failed_access']`` to ``yes``. The rsyslog daemon
changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon
checks for the existence of log files regularly and this audit rule was
triggered very frequently, which led to very large audit logs.

4
tasks/auth.yml

@ -195,7 +195,7 @@
apt:
name: rsh-server
state: absent
when: remove_services['rsh-server'] | bool
when: security_remove_rsh_server | bool
tags:
- auth
- cat1
@ -205,7 +205,7 @@
apt:
name: telnetd
state: absent
when: remove_services['telnet_server'] | bool
when: security_remove_telnet_server | bool
tags:
- auth
- cat1

14
tasks/kernel.yml

@ -52,7 +52,7 @@
- name: V-38539 - Enable TCP syncookies
sysctl:
name: net.ipv4.tcp_syncookies
value: "{{ sysctl_tunable['tcp_syncookies'] }}"
value: "{{ security_sysctl_tcp_syncookies }}"
state: present
sysctl_set: yes
tags:
@ -99,7 +99,7 @@
dest: /etc/modprobe.d/V-38490-disable-usb-storage.conf
line: "install usb-storage /bin/true"
create: yes
when: disable_module['usb_storage'] | bool
when: security_disable_module_usb_storage | bool
tags:
- kernel
- cat2
@ -110,7 +110,7 @@
dest: /etc/modprobe.d/V-38514-disable-dccp.conf
line: "install dccp /bin/true"
create: yes
when: disable_module['dccp'] | bool
when: security_disable_module_dccp | bool
tags:
- kernel
- cat2
@ -121,7 +121,7 @@
dest: /etc/modprobe.d/V-38515-disable-sctp.conf
line: "install sctp /bin/true"
create: yes
when: disable_module['sctp'] | bool
when: security_disable_module_sctp | bool
tags:
- kernel
- cat2
@ -132,7 +132,7 @@
dest: /etc/modprobe.d/V-38516-disable-rds.conf
line: "install rds /bin/true"
create: yes
when: disable_module['rds'] | bool
when: security_disable_module_rds | bool
tags:
- kernel
- cat3
@ -143,7 +143,7 @@
dest: /etc/modprobe.d/V-38517-disable-tipc.conf
line: "install tipc /bin/true"
create: yes
when: disable_module['tipc'] | bool
when: security_disable_module_tipc | bool
tags:
- kernel
- cat2
@ -168,7 +168,7 @@
copy:
src: V-38682-modprobe.conf
dest: /etc/modprobe.d/disable-bluetooth.conf
when: disable_module['bluetooth'] | bool
when: security_disable_module_bluetooth | bool
tags:
- kernel
- cat2

26
tasks/services.yml

@ -29,7 +29,7 @@
name: autofs
state: stopped
enabled: no
when: disable_services['autofs'] | bool and 'autofs' in sysv_services.stdout
when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout
tags:
- services
- cat3
@ -40,7 +40,7 @@
name: abrtd
state: stopped
enabled: no
when: disable_services['abrtd'] | bool and 'abrtd' in sysv_services.stdout
when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout
tags:
- services
- cat3
@ -51,7 +51,7 @@
name: atd
state: stopped
enabled: no
when: disable_services['atd'] | bool and 'atd' in sysv_services.stdout
when: security_disable_atd | bool and 'atd' in sysv_services.stdout
tags:
- services
- cat3
@ -62,7 +62,7 @@
name: qpidd
state: stopped
enabled: no
when: disable_services['qpidd'] | bool and 'qpidd' in sysv_services.stdout
when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout
tags:
- services
- cat3
@ -73,7 +73,7 @@
name: bluetooth
state: stopped
enabled: no
when: disable_services['bluetooth'] | bool and 'bluetooth' in sysv_services.stdout
when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout
tags:
- services
- cat2
@ -84,7 +84,7 @@
name: xinetd
state: stopped
enabled: no
when: disable_services['xinetd'] | bool and 'xinetd' in sysv_services.stdout
when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout
tags:
- services
- cat2
@ -94,7 +94,7 @@
apt:
name: xinetd
state: absent
when: remove_services['xinetd'] | bool
when: security_remove_xinetd | bool
tags:
- services
- cat3
@ -105,7 +105,7 @@
apt:
name: nis
state: absent
when: remove_services['ypserv'] | bool
when: security_remove_ypserv | bool
tags:
- services
- cat2
@ -125,7 +125,7 @@
apt:
name: tftpd
state: absent
when: remove_services['tftp-server'] | bool
when: security_remove_tftp_server | bool
tags:
- services
- cat2
@ -136,7 +136,7 @@
name: avahi-daemon
state: stopped
enabled: no
when: disable_services['avahi'] | bool and 'avahi' in sysv_services.stdout
when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout
tags:
- services
- cat3
@ -146,7 +146,7 @@
apt:
name: slapd
state: absent
when: remove_services['ldap-server'] | bool
when: security_remove_ldap_server | bool
tags:
- services
- cat3
@ -156,7 +156,7 @@
apt:
name: sendmail
state: absent
when: remove_services['sendmail'] | bool
when: security_remove_sendmail | bool
tags:
- services
- cat2
@ -166,7 +166,7 @@
apt:
name: xserver-xorg
state: absent
when: remove_services['xorg'] | bool
when: security_remove_xorg | bool
tags:
- services
- cat3

50
templates/osas-auditd.j2

@ -1,31 +1,31 @@
{% if auditd_rules['clock_settimeofday'] | bool %}
{% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
{% endif %}
{% if auditd_rules['clock_stime'] | bool %}
{% if security_audit_clock_stime | bool %}
# RHEL 6 STIG V-38525
# Audits changes to system time via stime
-a always,exit -F arch=b32 -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
{% endif %}
{% if auditd_rules['clock_settime'] | bool %}
{% if security_audit_clock_settime | bool %}
# RHEL 6 STIG V-38527
# Audits changes to system time via clock_settime
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
{% endif %}
{% if auditd_rules['change_localtime'] | bool %}
{% if security_audit_change_localtime | bool %}
# RHEL 6 STIG V-38530
# Audits clock changes made via /etc/localtime
-w /etc/localtime -p wa -k audit_time_rules
{% endif %}
{% if auditd_rules['account_modification'] | bool %}
{% if security_audit_account_modification | bool %}
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
# Audits account modifications and terminations
-w /etc/group -p wa -k audit_account_changes
@ -35,7 +35,7 @@
-w /etc/security/opasswd -p wa -k audit_account_changes
{% endif %}
{% if auditd_rules['network_changes'] | bool %}
{% if security_audit_network_changes | bool %}
# RHEL 6 STIG V-38540
# Audits network configuration changes
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
@ -46,13 +46,13 @@
-w /etc/network -p wa -k audit_network_modifications
{% endif %}
{% if auditd_rules['apparmor_changes'] | bool %}
{% if security_audit_apparmor_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy
{% endif %}
{% if auditd_rules['DAC_chmod'] | bool %}
{% if security_audit_DAC_chmod | bool %}
# RHEL 6 STIG V-38543
# Audits DAC changes via chmod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -61,7 +61,7 @@
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_chown'] | bool %}
{% if security_audit_DAC_chown | bool %}
# RHEL 6 STIG V-38545
# Audits DAC changes via chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -70,7 +70,7 @@
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_fchmod'] | bool %}
{% if security_audit_DAC_fchmod | bool %}
# RHEL 6 STIG V-38547
# Audits DAC changes via fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -79,7 +79,7 @@
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_fchmodat'] | bool %}
{% if security_audit_DAC_fchmodat | bool %}
# RHEL 6 STIG V-38550
# Audits DAC changes via fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -88,7 +88,7 @@
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_fchown'] | bool %}
{% if security_audit_DAC_fchown | bool %}
# RHEL 6 STIG V-38552
# Audits DAC changes via fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -97,7 +97,7 @@
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_fchownat'] | bool %}
{% if security_audit_DAC_fchownat | bool %}
# RHEL 6 STIG V-38554
# Audits DAC changes via fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -106,7 +106,7 @@
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_fremovexattr'] | bool %}
{% if security_audit_DAC_fremovexattr | bool %}
# RHEL 6 STIG V-38556
# Audits DAC changes via fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -115,7 +115,7 @@
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_fsetxattr'] | bool %}
{% if security_audit_DAC_fsetxattr | bool %}
# RHEL 6 STIG V-38557
# Audits DAC changes via fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -124,7 +124,7 @@
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_lchown'] | bool %}
{% if security_audit_DAC_lchown | bool %}
# RHEL 6 STIG V-38558
# Audits DAC changes via lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -133,7 +133,7 @@
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_lremovexattr'] | bool %}
{% if security_audit_DAC_lremovexattr | bool %}
# RHEL 6 STIG V-38559
# Audits DAC changes via lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -142,7 +142,7 @@
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_lsetxattr'] | bool %}
{% if security_audit_DAC_lsetxattr | bool %}
# RHEL 6 STIG V-38561
# Audits DAC changes via lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -151,7 +151,7 @@
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['DAC_setxattr'] | bool %}
{% if security_audit_DAC_setxattr | bool %}
# RHEL 6 STIG V-38565
# Audits DAC changes via setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
@ -160,7 +160,7 @@
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
{% endif %}
{% if auditd_rules['failed_access'] | bool %}
{% if security_audit_failed_access | bool %}
# RHEL 6 STIG V-38566
# Audits failed attempts to access files and programs
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
@ -173,7 +173,7 @@
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
{% endif %}
{% if auditd_rules['filesystem_mounts'] | bool %}
{% if security_audit_filesystem_mounts | bool %}
# RHEL 6 STIG V-38568
# Audits filesystem mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
@ -182,7 +182,7 @@
-a always,exit -F arch=b64 -S mount -F auid=0 -k export
{% endif %}
{% if auditd_rules['deletions'] %}
{% if security_audit_deletions | bool %}
# RHEL 6 STIG V-38575
# Audits deletion of files and programs
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
@ -191,13 +191,13 @@
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
{% endif %}
{% if auditd_rules['sudoers'] %}
{% if security_audit_sudoers | bool %}
# RHEL 6 STIG V-38578
# Audits /etc/sudoers changes
-w /etc/sudoers -p wa -k actions
{% endif %}
{% if auditd_rules['kernel_modules'] | bool %}
{% if security_audit_kernel_modules | bool %}
# RHEL 6 STIG V-38580
# Audits kernel module loading/unloading
-w /sbin/insmod -p x -k modules
@ -207,7 +207,7 @@
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}
{% if auditd_rules['change_system_time'] | bool %}
{% if security_audit_change_system_time | bool %}
# RHEL 6 STIG V-38635
# Audits system time changes
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules