ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

compliant with 2.19

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-10-16 15:24:49 +01:00
parent 278813694b
commit afcfda9ef0
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
1 changed files with 14 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

98
templates/audit/99_auditd.rules.j2
View file

@ -10,12 +10,7 @@
{% endif %}
{% if rhel9cis_rule_6_3_3_2 %}
{% set syscalls = ["execve"] %}
{% set arch_syscalls = [] %}
{%- for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor -%}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
{% endif %}
@ -24,33 +19,18 @@
{% endif %}
{% if rhel9cis_rule_6_3_3_4 %}
{% set syscalls = ["adjtimex","settimeofday"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
{% set syscalls = ["clock_settime"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
{% endif %}
{% endfor %}
-w /etc/localtime -p wa -k time-change
{% endif %}
{% if rhel9cis_rule_6_3_3_5 %}
{% set syscalls = ["sethostname","setdomainname"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-w /etc/issue -p wa -k system-locale
@ -68,12 +48,7 @@
{% endif %}
{% if rhel9cis_rule_6_3_3_7 %}
{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
@ -91,62 +66,27 @@
{% endif %}
{% if rhel9cis_rule_6_3_3_9 %}
{% set syscalls = ["chmod","fchmod","fchmodat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chmod","fchmod","fchmodat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% endif %}
{% if rhel9cis_rule_6_3_3_10 %}
{% set syscalls = ["mount"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
{% endif %}
@ -161,12 +101,7 @@
{% endif %}
{% if rhel9cis_rule_6_3_3_13 %}
{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
{% endif %}
@ -189,12 +124,7 @@
{% if rhel9cis_rule_6_3_3_19 %}
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
{% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
{% endif %}
{% if rhel9cis_rule_6_3_3_20 %}