sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Updated audit rules for arch

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-01-29 13:54:13 +00:00
parent c178cba7bc
commit ed1a209635
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
2 changed files with 129 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tasks/auditd.yml
View file

@ -1,17 +1,30 @@
--- ---
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file # Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/audit/rules.d/99_auditd.rules path: /etc/audit/rules.d/99_auditd.rules
register: discovered_auditd_rules_file register: discovered_auditd_rules_file
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file - name: POST | Apply auditd template for section 6.3.3.x
when: update_audit_template
vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template: ansible.builtin.template:
src: audit/99_auditd.rules.j2 src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules dest: /etc/audit/rules.d/99_auditd.rules
owner: root owner: root
group: root group: root
mode: '0640' mode: 'u-x,go-wx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated register: discovered_auditd_rules_template_updated
notify: notify:

135
templates/audit/99_auditd.rules.j2
View file

@ -9,20 +9,40 @@
-w /etc/sudoers.d -p wa -k scope -w /etc/sudoers.d -p wa -k scope
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_2 %} {% if rhel9cis_rule_6_3_3_2 %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% set syscalls = ["execve"] %}
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_3 %} {% if rhel9cis_rule_6_3_3_3 %}
-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_4 %} {% if rhel9cis_rule_6_3_3_4 %}
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change {% set arch_syscalls = [] %}
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change {% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
-w /etc/localtime -p wa -k time-change -w /etc/localtime -p wa -k time-change
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_5 %} {% if rhel9cis_rule_6_3_3_5 %}
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale {% set syscalls = ["sethostname","setdomainname"] %}
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-w /etc/issue -p wa -k system-locale -w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
@ -35,10 +55,17 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_7 %} {% if rhel9cis_rule_6_3_3_7 %}
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access {% set arch_syscalls = [] %}
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access {% for syscall in syscalls %}
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access {% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_8 %} {% if rhel9cis_rule_6_3_3_8 %}
-w /etc/group -p wa -k identity -w /etc/group -p wa -k identity
@ -51,16 +78,66 @@
-w /etc/pam.d -p wa -k identity -w /etc/pam.d -p wa -k identity
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_9 %} {% if rhel9cis_rule_6_3_3_9 %}
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod {% set syscalls = ["chmod","fchmod","fchmodat"] %}
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod {% set arch_syscalls = [] %}
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod {% for syscall in syscalls %}
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod {% if syscall in supported_syscalls %}
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod {{ arch_syscalls.append( syscall) }}
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod {% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chmod","fchmod","fchmodat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_10 %} {% if rhel9cis_rule_6_3_3_10 %}
-a always,exit -F arch=b32 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts {% set syscalls = ["mount"] %}
-a always,exit -F arch=b64 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts
{% endif %}
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_11 %} {% if rhel9cis_rule_6_3_3_11 %}
-w /var/run/utmp -p wa -k session -w /var/run/utmp -p wa -k session
@ -72,8 +149,15 @@
-w /var/run/faillock -p wa -k logins -w /var/run/faillock -p wa -k logins
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_13 %} {% if rhel9cis_rule_6_3_3_13 %}
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete {% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_14 %} {% if rhel9cis_rule_6_3_3_14 %}
-w /etc/selinux -p wa -k MAC-policy -w /etc/selinux -p wa -k MAC-policy
@ -92,8 +176,15 @@
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_19 %} {% if rhel9cis_rule_6_3_3_19 %}
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_20 %} {% if rhel9cis_rule_6_3_3_20 %}
-e 2 -e 2