Add template for audit rules
This patch adds audit rules for the following STIG controls: - RHEL-07-030492 - RHEL-07-030510 - RHEL-07-030511 - RHEL-07-030512 - RHEL-07-030513 - RHEL-07-030514 - RHEL-07-030521 - RHEL-07-030522 - RHEL-07-030523 - RHEL-07-030524 - RHEL-07-030525 - RHEL-07-030526 - RHEL-07-030530 - RHEL-07-030531 - RHEL-07-030540 - RHEL-07-030541 - RHEL-07-030550 - RHEL-07-030560 - RHEL-07-030561 - RHEL-07-030630 - RHEL-07-030670 - RHEL-07-030671 - RHEL-07-030672 - RHEL-07-030673 - RHEL-07-030674 - RHEL-07-030750 - RHEL-07-030751 - RHEL-07-030752 - RHEL-07-030753 - RHEL-07-030754 Implements: blueprint security-rhel7-stig Change-Id: I538d3013720d107d0a0a83a0bf0d1dea16cf7692
This commit is contained in:
Major Hayden
parent
f383afe691
commit
09487fd13d
|
|
@ -389,6 +389,39 @@ security_unattended_upgrades_notifications: false
|
|||
#security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330
|
||||
# Encrypt audit records when they are transmitted over the network.
|
||||
#security_audisp_enable_krb5: yes # RHEL-07-030331
|
||||
# Rules for auditd are enabled if 'yes', disabled if 'no'. See the
|
||||
# documentation for each STIG control before enabling or disabling any rules.
|
||||
security_rhel7_audit_account_access: yes # RHEL-07-030492
|
||||
security_rhel7_audit_passwd_command: yes # RHEL-07-030510
|
||||
security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511
|
||||
security_rhel7_audit_gpasswd: yes # RHEL-07-030512
|
||||
security_rhel7_audit_chage: yes # RHEL-07-030513
|
||||
security_rhel7_audit_userhelper: yes # RHEL-07-030514
|
||||
security_rhel7_audit_su: yes # RHEL-07-030521
|
||||
security_rhel7_audit_sudo: yes # RHEL-07-030522
|
||||
security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523
|
||||
security_rhel7_audit_newgrp: yes # RHEL-07-030524
|
||||
security_rhel7_audit_chsh: yes # RHEL-07-030525
|
||||
security_rhel7_audit_sudoedit: yes # RHEL-07-030526
|
||||
security_rhel7_audit_mount: yes # RHEL-07-030530
|
||||
security_rhel7_audit_umount: yes # RHEL-07-030531
|
||||
security_rhel7_audit_postdrop: yes # RHEL-07-030540
|
||||
security_rhel7_audit_postqueue: yes # RHEL-07-030541
|
||||
security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550
|
||||
security_rhel7_audit_pt_chown: yes # RHEL-07-030560
|
||||
security_rhel7_audit_crontab: yes # RHEL-07-030561
|
||||
security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630
|
||||
security_rhel7_audit_init_module: yes # RHEL-07-030670
|
||||
security_rhel7_audit_delete_module: yes # RHEL-07-030671
|
||||
security_rhel7_audit_insmod: yes # RHEL-07-030672
|
||||
security_rhel7_audit_rmmod: yes # RHEL-07-030673
|
||||
security_rhel7_audit_modprobe: yes # RHEL-07-030674
|
||||
security_rhel7_audit_account_actions: yes # RHEL-07-030710
|
||||
security_rhel7_audit_rename: yes # RHEL-07-030750
|
||||
security_rhel7_audit_renameat: yes # RHEL-07-030751
|
||||
security_rhel7_audit_rmdir: yes # RHEL-07-030752
|
||||
security_rhel7_audit_unlink: yes # RHEL-07-030753
|
||||
security_rhel7_audit_unlinkat: yes # RHEL-07-030754
|
||||
|
||||
## Authentication (auth)
|
||||
# Disallow logins from accounts with blank/null passwords via PAM.
|
||||
|
|
|
|||
|
|
@ -13,6 +13,14 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Verify that auditd.conf exists
|
||||
stat:
|
||||
path: /etc/audit/auditd.conf
|
||||
register: auditd_conf
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
|
||||
lineinfile:
|
||||
dest: /etc/audisp/audisp-remote.conf
|
||||
|
|
@ -20,6 +28,7 @@
|
|||
line: "remote_server = {{ security_audisp_remote_server }}"
|
||||
when:
|
||||
- security_audisp_remote_server is defined
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- restart auditd
|
||||
tags:
|
||||
|
|
@ -34,9 +43,69 @@
|
|||
line: "enable_krb5 = yes"
|
||||
when:
|
||||
- security_audisp_enable_krb5 is defined
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- restart auditd
|
||||
tags:
|
||||
- medium
|
||||
- auditd
|
||||
- RHEL-07-030331
|
||||
|
||||
- name: Get valid system architectures for audit rules
|
||||
set_fact:
|
||||
auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Remove old RHEL 6 audit rules file
|
||||
file:
|
||||
path: /etc/audit/rules.d/osas-auditd.rules
|
||||
state: absent
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- generate auditd rules
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Deploy rules for auditd based on STIG requirements
|
||||
template:
|
||||
src: osas-auditd-rhel7.j2
|
||||
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- generate auditd rules
|
||||
tags:
|
||||
- auditd
|
||||
- RHEL-07-030492
|
||||
- RHEL-07-030510
|
||||
- RHEL-07-030511
|
||||
- RHEL-07-030512
|
||||
- RHEL-07-030513
|
||||
- RHEL-07-030514
|
||||
- RHEL-07-030521
|
||||
- RHEL-07-030522
|
||||
- RHEL-07-030523
|
||||
- RHEL-07-030524
|
||||
- RHEL-07-030525
|
||||
- RHEL-07-030526
|
||||
- RHEL-07-030530
|
||||
- RHEL-07-030531
|
||||
- RHEL-07-030540
|
||||
- RHEL-07-030541
|
||||
- RHEL-07-030550
|
||||
- RHEL-07-030560
|
||||
- RHEL-07-030561
|
||||
- RHEL-07-030630
|
||||
- RHEL-07-030670
|
||||
- RHEL-07-030671
|
||||
- RHEL-07-030672
|
||||
- RHEL-07-030673
|
||||
- RHEL-07-030674
|
||||
- RHEL-07-030750
|
||||
- RHEL-07-030751
|
||||
- RHEL-07-030752
|
||||
- RHEL-07-030753
|
||||
- RHEL-07-030754
|
||||
|
|
|
|||
|
|
@ -27,6 +27,10 @@
|
|||
when:
|
||||
- not check_mode | bool
|
||||
|
||||
# Package installations and removals must come first so that configuration
|
||||
# changes can be made later.
|
||||
- include: packages.yml
|
||||
|
||||
# Package managers are managed first since the changes in these tasks will
|
||||
# affect the remainder of the tasks in the role.
|
||||
- include: apt.yml
|
||||
|
|
@ -39,10 +43,10 @@
|
|||
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
||||
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
||||
# Controls by Tag" section of the role documentation.
|
||||
- include: auditd.yml
|
||||
- include: auth.yml
|
||||
- include: file_perms.yml
|
||||
- include: graphical.yml
|
||||
- include: packages.yml
|
||||
- include: sshd.yml
|
||||
|
||||
- name: Remove the temporary directory
|
||||
|
|
|
|||
|
|
@ -0,0 +1,179 @@
|
|||
{% if security_rhel7_audit_account_access | bool %}
|
||||
# RHEL-07-030492 - The operating system must generate audit records for all
|
||||
# successful account access events.
|
||||
-w /var/log/lastlog -p wa -k RHEL-07-030492
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_passwd_command | bool %}
|
||||
# RHEL-07-030510 - All uses of the passwd command must be audited.
|
||||
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030510
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_unix_chkpwd | bool %}
|
||||
# RHEL-07-030511 - All uses of the unix_chkpwd command must be audited.
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030511
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_gpasswd | bool %}
|
||||
# RHEL-07-030512 - All uses of the gpasswd command must be audited.
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030512
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_chage | bool %}
|
||||
# RHEL-07-030513 - All uses of the chage command must be audited.
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_userhelper | bool %}
|
||||
# RHEL-07-030514 - All uses of the userhelper command must be audited.
|
||||
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030514
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_su | bool %}
|
||||
# RHEL-07-030521 - All uses of the su command must be audited.
|
||||
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030521
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_sudo | bool %}
|
||||
# RHEL-07-030522 - All uses of the sudo command must be audited.
|
||||
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030522
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_sudo_config_changes | bool %}
|
||||
# RHEL-07-030523 - The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files.
|
||||
-w /etc/sudoers -p wa -k RHEL-07-030523
|
||||
-w /etc/sudoers.d/ -p wa -k RHEL-07-030523
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_newgrp | bool %}
|
||||
# RHEL-07-030524 - All uses of the newgrp command must be audited.
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030524
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_chsh | bool %}
|
||||
# RHEL-07-030525 - All uses of the chsh command must be audited.
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_sudoedit | bool %}
|
||||
# RHEL-07-030526 - All uses of the sudoedit command must be audited.
|
||||
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030526
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_mount | bool %}
|
||||
# RHEL-07-030530 - All uses of the mount command must be audited.
|
||||
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030530
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_umount | bool %}
|
||||
# RHEL-07-030531 - All uses of the umount command must be audited.
|
||||
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030531
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_postdrop | bool %}
|
||||
# RHEL-07-030540 - All uses of the postdrop command must be audited.
|
||||
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030540
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_postqueue | bool %}
|
||||
# RHEL-07-030541 - All uses of the postqueue command must be audited.
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030541
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_ssh_keysign | bool %}
|
||||
# RHEL-07-030550 - All uses of the ssh-keysign command must be audited.
|
||||
{% if ansible_os_family | lower == 'debian' %}
|
||||
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
|
||||
{% else %}
|
||||
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_pt_chown | bool and ansible_os_family | lower == 'redhat' %}
|
||||
# RHEL-07-030560 - All uses of the pt_chown command must be audited.
|
||||
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030560
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_crontab | bool %}
|
||||
# RHEL-07-030561 - All uses of the crontab command must be audited.
|
||||
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030561
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_pam_timestamp_check | bool %}
|
||||
# RHEL-07-030630 - All uses of the pam_timestamp_check command must be audited.
|
||||
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F auid!=4294967295 -k RHEL-07-030630
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_init_module | bool %}
|
||||
# RHEL-07-030670 - All uses of the init_module command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S init_module -k RHEL-07-030670
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_delete_module | bool %}
|
||||
# RHEL-07-030671 - All uses of the delete_module command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S delete_module -k RHEL-07-030671
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_insmod | bool %}
|
||||
# RHEL-07-030672 - All uses of the insmod command must be audited.
|
||||
-w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_rmmod | bool %}
|
||||
# RHEL-07-030673 - All uses of the rmmod command must be audited.
|
||||
-w /sbin/rmmod -p x -F auid!=4294967295 -k RHEL-07-030673
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_modprobe | bool %}
|
||||
# RHEL-07-030674 - All uses of the modprobe command must be audited.
|
||||
-w /sbin/modprobe -p x -F auid!=4294967295 -k RHEL-07-030674
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_account_actions | bool %}
|
||||
# RHEL-07-030710 - The operating system must generate audit records for all
|
||||
# account creations, modifications, disabling, and termination events.
|
||||
-w /etc/group -p wa -k RHEL-07-030710
|
||||
-w /etc/passwd -p wa -k RHEL-07-030710
|
||||
-w /etc/gshadow -p wa -k RHEL-07-030710
|
||||
-w /etc/shadow -p wa -k RHEL-07-030710
|
||||
-w /etc/security/opasswd -p wa -k RHEL-07-030710
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_rename | bool %}
|
||||
# RHEL-07-030750 - All uses of the rename command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030750
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_renameat | bool %}
|
||||
# RHEL-07-030751 - All uses of the renameat command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030751
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_rmdir | bool %}
|
||||
# RHEL-07-030752 - All uses of the rmdir command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030752
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_unlink | bool %}
|
||||
# RHEL-07-030753 - All uses of the unlink command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030753
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if security_rhel7_audit_unlinkat | bool %}
|
||||
# RHEL-07-030754 - All uses of the unlinkat command must be audited.
|
||||
{% for arch in auditd_architectures %}
|
||||
-a always,exit -F arch={{ arch }} -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030754
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
Loading…
Reference in New Issue