Adding audit rule for SELinux policy modifications

This patch fixes the auditd rules template so that AppArmor and SELinux policy modifications are logged, depending on which Linux distribution is in use. The security_audit_apparmor_changes variable has been renamed to security_audit_mac_changes to be more generic. Documentation updates and a release note are included. Closes-bug: 1584187 Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7
2016-05-25 11:26:56 -05:00 · 2016-05-25 11:26:56 -05:00 · 7b313ee1bc
commit 7b313ee1bc
parent a73aee2fc9
5 changed files with 34 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -53,7 +53,6 @@ security_initialize_aide: false
 # automatically with augenrules.
 #
 security_audit_account_modification: yes          # V-38531, V-38534, V-38538
-security_audit_apparmor_changes: yes              # V-38541
 security_audit_change_localtime: yes              # V-38530
 security_audit_change_system_time: yes            # V-38635
 security_audit_clock_settime: yes                 # V-38527
@ -75,6 +74,7 @@ security_audit_deletions: no                      # V-38575
 security_audit_failed_access: no                  # V-38566
 security_audit_filesystem_mounts: yes             # V-38568
 security_audit_kernel_modules: yes                # V-38580
+security_audit_mac_changes: yes                   # V-38541
 security_audit_network_changes: yes               # V-38540
 security_audit_sudoers: yes                       # V-38578
 #
--- a/doc/source/developer-notes/V-38541.rst
+++ b/doc/source/developer-notes/V-38541.rst
@ -1,5 +1,11 @@
-The RHEL 6 STIG requires that changes to SELinux policies and configuration are
-audited.  However, Ubuntu's preference for Mandatory Access Control (MAC) is
-AppArmor and openstack-ansible configures AppArmor by default.
+For Ubuntu, rules are added to auditd that will log any changes made in the
+``/etc/apparmor`` directory.

-This requirement has been modified to fit AppArmor on an Ubuntu system.
+For CentOS, rules are added to auditd that will log any changes made in the
+``/etc/selinux`` directory.
+
+To opt-out of this change, set the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_audit_mac_changes: no
--- a/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml
+++ b/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml
@ -0,0 +1,15 @@
+---
+
+upgrade:
+  - |
+    The variable ``security_audit_apparmor_changes`` is now renamed to
+    ``security_audit_mac_changes`` and is enabled by default. Setting
+    ``security_audit_mac_changes`` to ``no`` will disable syscall auditing for
+    any changes to AppArmor policies (in Ubuntu) or SELinux policies (in
+    CentOS).
+features:
+  - |
+    The auditd rules template included a rule that audited changes to the
+    AppArmor policies, but the SELinux policy changes were not being audited.
+    Any changes to SELinux policies in ``/etc/selinux`` are now being logged
+    by auditd.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -36,6 +36,7 @@
    set_fact:
      check_mode: "{{ noop_result | skipped }}"
      systemd_running: "{{ systemd_check | success }}"
+      linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"

  - include: apt.yml
    when: ansible_pkg_mgr == 'apt'
--- a/templates/osas-auditd.j2
+++ b/templates/osas-auditd.j2
@ -48,12 +48,18 @@
 -w /etc/network -p wa -k audit_network_modifications
 {% endif %}

-{% if security_audit_apparmor_changes | bool %}
+{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
 # RHEL 6 STIG V-38541
 # Audits changes to AppArmor policies
 -w /etc/apparmor/ -p wa -k MAC-policy
 {% endif %}

+{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
+# RHEL 6 STIG V-38541
+# Audits changes to SELinux policies
+-w /etc/selinux/ -p wa -k MAC-policy
+{% endif %}
+
 {% if security_audit_DAC_chmod | bool %}
 # RHEL 6 STIG V-38543
 # Audits DAC changes via chmod