Adding audit rule for SELinux policy modifications
This patch fixes the auditd rules template so that AppArmor and SELinux policy modifications are logged, depending on which Linux distribution is in use. The security_audit_apparmor_changes variable has been renamed to security_audit_mac_changes to be more generic. Documentation updates and a release note are included. Closes-bug: 1584187 Change-Id: I0955e2cb8a05af4afd36aaca518322a9df6d1ff7
This commit is contained in:
parent
a73aee2fc9
commit
7b313ee1bc
@ -53,7 +53,6 @@ security_initialize_aide: false
|
|||||||
# automatically with augenrules.
|
# automatically with augenrules.
|
||||||
#
|
#
|
||||||
security_audit_account_modification: yes # V-38531, V-38534, V-38538
|
security_audit_account_modification: yes # V-38531, V-38534, V-38538
|
||||||
security_audit_apparmor_changes: yes # V-38541
|
|
||||||
security_audit_change_localtime: yes # V-38530
|
security_audit_change_localtime: yes # V-38530
|
||||||
security_audit_change_system_time: yes # V-38635
|
security_audit_change_system_time: yes # V-38635
|
||||||
security_audit_clock_settime: yes # V-38527
|
security_audit_clock_settime: yes # V-38527
|
||||||
@ -75,6 +74,7 @@ security_audit_deletions: no # V-38575
|
|||||||
security_audit_failed_access: no # V-38566
|
security_audit_failed_access: no # V-38566
|
||||||
security_audit_filesystem_mounts: yes # V-38568
|
security_audit_filesystem_mounts: yes # V-38568
|
||||||
security_audit_kernel_modules: yes # V-38580
|
security_audit_kernel_modules: yes # V-38580
|
||||||
|
security_audit_mac_changes: yes # V-38541
|
||||||
security_audit_network_changes: yes # V-38540
|
security_audit_network_changes: yes # V-38540
|
||||||
security_audit_sudoers: yes # V-38578
|
security_audit_sudoers: yes # V-38578
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,11 @@
|
|||||||
The RHEL 6 STIG requires that changes to SELinux policies and configuration are
|
For Ubuntu, rules are added to auditd that will log any changes made in the
|
||||||
audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is
|
``/etc/apparmor`` directory.
|
||||||
AppArmor and openstack-ansible configures AppArmor by default.
|
|
||||||
|
|
||||||
This requirement has been modified to fit AppArmor on an Ubuntu system.
|
For CentOS, rules are added to auditd that will log any changes made in the
|
||||||
|
``/etc/selinux`` directory.
|
||||||
|
|
||||||
|
To opt-out of this change, set the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_audit_mac_changes: no
|
||||||
|
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The variable ``security_audit_apparmor_changes`` is now renamed to
|
||||||
|
``security_audit_mac_changes`` and is enabled by default. Setting
|
||||||
|
``security_audit_mac_changes`` to ``no`` will disable syscall auditing for
|
||||||
|
any changes to AppArmor policies (in Ubuntu) or SELinux policies (in
|
||||||
|
CentOS).
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The auditd rules template included a rule that audited changes to the
|
||||||
|
AppArmor policies, but the SELinux policy changes were not being audited.
|
||||||
|
Any changes to SELinux policies in ``/etc/selinux`` are now being logged
|
||||||
|
by auditd.
|
@ -36,6 +36,7 @@
|
|||||||
set_fact:
|
set_fact:
|
||||||
check_mode: "{{ noop_result | skipped }}"
|
check_mode: "{{ noop_result | skipped }}"
|
||||||
systemd_running: "{{ systemd_check | success }}"
|
systemd_running: "{{ systemd_check | success }}"
|
||||||
|
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
|
||||||
|
|
||||||
- include: apt.yml
|
- include: apt.yml
|
||||||
when: ansible_pkg_mgr == 'apt'
|
when: ansible_pkg_mgr == 'apt'
|
||||||
|
@ -48,12 +48,18 @@
|
|||||||
-w /etc/network -p wa -k audit_network_modifications
|
-w /etc/network -p wa -k audit_network_modifications
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if security_audit_apparmor_changes | bool %}
|
{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
|
||||||
# RHEL 6 STIG V-38541
|
# RHEL 6 STIG V-38541
|
||||||
# Audits changes to AppArmor policies
|
# Audits changes to AppArmor policies
|
||||||
-w /etc/apparmor/ -p wa -k MAC-policy
|
-w /etc/apparmor/ -p wa -k MAC-policy
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
|
||||||
|
# RHEL 6 STIG V-38541
|
||||||
|
# Audits changes to SELinux policies
|
||||||
|
-w /etc/selinux/ -p wa -k MAC-policy
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if security_audit_DAC_chmod | bool %}
|
{% if security_audit_DAC_chmod | bool %}
|
||||||
# RHEL 6 STIG V-38543
|
# RHEL 6 STIG V-38543
|
||||||
# Audits DAC changes via chmod
|
# Audits DAC changes via chmod
|
||||||
|
Loading…
x
Reference in New Issue
Block a user