openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/auditd.yml
Major Hayden a715acf0e9 Fix auditd rpmverify check 
The security role alters some additional configuration files
related to auditd and these need to be skipped when we verify
the package. The verification is only needed on the executables,
not the configuration files.

This only affects CentOS/RHEL 7.

Change-Id: Ia5e936a88f08f4209e37d0fabbb27f14d9eda2ab
Closes-bug: bug/1612688
2016-08-12 15:10:27 +00:00

314 lines
8.0 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
apt:
name: "{{ auditd_pkg }}"
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
yum:
name: "{{ auditd_pkg }}"
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
service:
name: auditd
state: started
enabled: true
when: not check_mode
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: Verify that auditd.conf exists
stat:
path: /etc/audit/auditd.conf
register: auditd_conf
always_run: true
tags:
- auditd
- always
- name: V-38633 - The system must set a maximum audit log file size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file(?!_action)"
line: "max_log_file = {{ security_max_log_file }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38633
- name: V-38634 - The system must rotate audit log files that reach the max file size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file_action ="
line: "max_log_file_action = {{ security_max_log_file_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38634
- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?num_logs ="
line: "num_logs = {{ security_num_logs }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38636
- name: Ensure debsums package is installed (for V-38637)
apt:
name: debsums
state: "{{ security_package_state }}"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38637
# The debsums command returns 0 if the files haven't been altered but it
# returns 2 otherwise. We also will check to see if auditd has been installed
# and fail if it's not installed.
- name: Checking auditd package contents for alterations with debsums (for V-38637)
shell: debsums auditd -c
register: v38637_result
changed_when: False
failed_when: "'not installed' in v38637_result.stdout"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'apt'
- v38637_result.rc == 2
tags:
- auditd
- cat2
- V-38637
- name: Check audit package contents for alterations with rpm (for V-38637)
shell: "rpmverify audit audit-libs | grep -v '\\.conf$' | wc -l"
register: v38637_result
changed_when: False
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'yum'
- v38637_result.stdout != "0"
tags:
- auditd
- cat2
- V-38637
- name: Verify that auditd log directory exists (for V-38445)
stat:
path: /var/log/audit/
register: auditd_log_dir
always_run: True
tags:
- auditd
- always
- name: V-38445 - Audit log files must be group-owned by root
file:
dest: /var/log/audit/
group: root
recurse: true
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38445
- name: V-38464 - The audit system must take action for disk errors
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_error_action"
line: "disk_error_action = {{ security_disk_error_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38464
- name: V-38468 - The audit system must take action when the disk is full
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_full_action"
line: "disk_full_action = {{ security_disk_full_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38468
- name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left(?!_action)"
line: "space_left = {{ security_space_left }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38678
- name: V-38470 - The audit system must take action when the disk is almost full
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left_action"
line: "space_left_action = {{ security_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38470
- name: V-38680 - Audit system must send email notifications when storage capacity is low
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?action_mail_acct"
line: "action_mail_acct = {{ security_action_mail_acct }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38680
- name: V-38495 - Audit log files must be owned by root
file:
dest: /var/log/audit/
owner: root
recurse: true
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38495
# TODO: Ansible 2.0 offers the find module and that will allow this task to
# avoid using the shell module to get a list of logs. This task should be
# adjusted to use the find module when Ansible 2.0 is fully released.
- name: Get a list of audit logs in the auditd directory (for V-38498)
shell: ls /var/log/audit/
register: v38498_result
changed_when: false
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38498
# On most systems, the active log file is 0600 and the older logs are 0400.
# This task ensures that all logs meet or exceed the STIG requirement.
- name: V-38498 - Audit log files must have mode 0640 or less
file:
dest: "/var/log/audit/{{ item }}"
mode: "u-x,g-wx,o-rwx"
with_items: "{{ v38498_result.stdout_lines | default([]) }}"
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38498
- name: Auditd rules (includes several STIGs)
template:
src: osas-auditd.j2
dest: /etc/audit/rules.d/osas-auditd.rules
notify:
- generate auditd rules
tags:
- auditd
- cat3
- name: V-38471 - Forward auditd records to syslog
lineinfile:
dest: /etc/audisp/plugins.d/syslog.conf
regexp: "^(#)?active"
line: "active = yes"
state: present
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat3
- V-38471
- name: V-54381 - The audit system must switch to single user mode when disk space is low
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?admin_space_left_action"
line: "admin_space_left_action = {{ security_admin_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-54381
View Git Blame Copy Permalink