Adding audit rule for SELinux policy modifications

This patch fixes the auditd rules template so that AppArmor and SELinux
policy modifications are logged, depending on which Linux distribution
is in use. The security_audit_apparmor_changes variable has been renamed
to security_audit_mac_changes to be more generic.

Documentation updates and a release note are included.

Closes-bug: 1584187

Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7
Major Hayden 2016-05-25 11:26:56 -05:00
parent a73aee2fc9
commit 7b313ee1bc
5 changed files with 34 additions and 6 deletions

View File

@ -53,7 +53,6 @@ security_initialize_aide: false
# automatically with augenrules. # automatically with augenrules.
# #
security_audit_account_modification: yes # V-38531, V-38534, V-38538 security_audit_account_modification: yes # V-38531, V-38534, V-38538
security_audit_apparmor_changes: yes # V-38541
security_audit_change_localtime: yes # V-38530 security_audit_change_localtime: yes # V-38530
security_audit_change_system_time: yes # V-38635 security_audit_change_system_time: yes # V-38635
security_audit_clock_settime: yes # V-38527 security_audit_clock_settime: yes # V-38527
@ -75,6 +74,7 @@ security_audit_deletions: no # V-38575
security_audit_failed_access: no # V-38566 security_audit_failed_access: no # V-38566
security_audit_filesystem_mounts: yes # V-38568 security_audit_filesystem_mounts: yes # V-38568
security_audit_kernel_modules: yes # V-38580 security_audit_kernel_modules: yes # V-38580
security_audit_mac_changes: yes # V-38541
security_audit_network_changes: yes # V-38540 security_audit_network_changes: yes # V-38540
security_audit_sudoers: yes # V-38578 security_audit_sudoers: yes # V-38578
# #
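Review bot: the rename from `security_audit_apparmor_changes` to `security_audit_mac_changes` removes the old key from the defaults with no compatibility handling, so a deployment that currently sets `security_audit_apparmor_changes: no` in its overrides will silently fall back to the new default of `yes` and have the AppArmor watch turned back on. Consider a transition shim, such as defaulting the new variable from the old one when the old one is defined, or an assert/deprecation warning when `security_audit_apparmor_changes` is still set, so that the upgrade fails loudly rather than changing behaviour quietly.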

View File

@ -1,5 +1,11 @@
The RHEL 6 STIG requires that changes to SELinux policies and configuration are For Ubuntu, rules are added to auditd that will log any changes made in the
audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is ``/etc/apparmor`` directory.
AppArmor and openstack-ansible configures AppArmor by default.
This requirement has been modified to fit AppArmor on an Ubuntu system. For CentOS, rules are added to auditd that will log any changes made in the
``/etc/selinux`` directory.
To opt-out of this change, set the following Ansible variable:
.. code-block:: yaml
security_audit_mac_changes: no
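Review bot: check the reStructuredText around the opt-out snippet: in this view `.. code-block:: yaml` is immediately followed by `security_audit_mac_changes: no` with no blank line or indentation, which Sphinx would render as an empty directive followed by a plain paragraph rather than a YAML block. It would also help readers of older deployments to mention that this variable was previously called `security_audit_apparmor_changes`. Minor: the new text says "For CentOS", but the selection in the main task is `ansible_os_family == 'Debian'` versus everything else, so "CentOS and other non-Debian distributions" would describe what the role actually does.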

View File

@ -0,0 +1,15 @@
---
upgrade:
- |
The variable ``security_audit_apparmor_changes`` is now renamed to
``security_audit_mac_changes`` and is enabled by default. Setting
``security_audit_mac_changes`` to ``no`` will disable syscall auditing for
any changes to AppArmor policies (in Ubuntu) or SELinux policies (in
CentOS).
features:
- |
The auditd rules template included a rule that audited changes to the
AppArmor policies, but the SELinux policy changes were not being audited.
Any changes to SELinux policies in ``/etc/selinux`` are now being logged
by auditd.
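Review bot: the upgrade note reads as a pure rename but does not say that the old name is no longer honoured; add a sentence telling deployers who set `security_audit_apparmor_changes` in their overrides to rename it, since the value they chose will otherwise be ignored. The features note states that changes in `/etc/selinux` "are now being logged", which is only true when `security_audit_mac_changes` is enabled and the host is not in the Debian OS family; qualifying it with "when `security_audit_mac_changes` is enabled" would keep the two notes consistent.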

View File

@ -36,6 +36,7 @@
set_fact: set_fact:
check_mode: "{{ noop_result | skipped }}" check_mode: "{{ noop_result | skipped }}"
systemd_running: "{{ systemd_check | success }}" systemd_running: "{{ systemd_check | success }}"
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
- include: apt.yml - include: apt.yml
when: ansible_pkg_mgr == 'apt' when: ansible_pkg_mgr == 'apt'
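Review bot: `linux_security_module` is derived from the OS family rather than from which LSM is actually present, so every non-Debian family (including SUSE, which ships AppArmor) is treated as SELinux, and a Debian-family host running SELinux gets no watch on `/etc/selinux`. If the supported platforms stay Ubuntu and CentOS this is acceptable, but it is worth a comment saying so; a more robust alternative is to derive the value from the gathered `ansible_apparmor`/`ansible_selinux` facts (a suggestion to verify against the Ansible version the role targets). Also note the inconsistency with the surrounding includes, which branch on `ansible_pkg_mgr` rather than `ansible_os_family`.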

View File

@ -48,12 +48,18 @@
-w /etc/network -p wa -k audit_network_modifications -w /etc/network -p wa -k audit_network_modifications
{% endif %} {% endif %}
{% if security_audit_apparmor_changes | bool %} {% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541 # RHEL 6 STIG V-38541
# Audits changes to AppArmor policies # Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor/ -p wa -k MAC-policy
{% endif %} {% endif %}
{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to SELinux policies
-w /etc/selinux/ -p wa -k MAC-policy
{% endif %}
{% if security_audit_DAC_chmod | bool %} {% if security_audit_DAC_chmod | bool %}
# RHEL 6 STIG V-38543 # RHEL 6 STIG V-38543
# Audits DAC changes via chmod # Audits DAC changes via chmod
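Review bot: the two `{% if %}` blocks are mutually exclusive, so if `linux_security_module` ever holds a value other than `apparmor` or `selinux` (or is undefined because the set_fact task did not run) the template silently emits no MAC-policy rule even though `security_audit_mac_changes` is true. A single block keyed on `security_audit_mac_changes | bool` that selects the watched path from the fact, or an `{% else %}` branch that fails the render, would make that case visible. Style: the `# RHEL 6 STIG V-38541` comment is now duplicated on the AppArmor block, where the STIG text itself refers to SELinux; wording the AppArmor comment as "adapted from V-38541" would avoid confusing an auditor comparing the rule set against the STIG.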