openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/templates/osas-auditd.j2
Major Hayden c93b1676cc Add network conf auditing on CentOS 
This patch adds in auditing for /etc/sysconfig/network.

Closes-bug: 1622674
Change-Id: I0de15a130161ed1f8a6bdb2a7de33c55b91d6609
2016-09-12 14:51:58 -05:00

330 lines
15 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
{% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S settimeofday -k audit_time_rules-V-38522
{% else %}
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules-V-38522
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules-V-38522
{% endif %}
{% endif %}
{% if security_audit_clock_stime | bool %}
# RHEL 6 STIG V-38525
# Audits changes to system time via stime
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
{% else %}
-a always,exit -F arch=b32 -S stime -k audit_time_rules-V-38525
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules-V-38525
{% endif %}
{% endif %}
{% if security_audit_clock_settime | bool %}
# RHEL 6 STIG V-38527
# Audits changes to system time via clock_settime
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S clock_settime -k audit_time_rules-V-38527
{% else %}
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules-V-38527
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules-V-38527
{% endif %}
{% endif %}
{% if security_audit_change_localtime | bool %}
# RHEL 6 STIG V-38530
# Audits clock changes made via /etc/localtime
-w /etc/localtime -p wa -k audit_time_rules-V-38530
{% endif %}
{% if security_audit_account_modification | bool %}
# RHEL 6 STIG V-38531, V-38534, V-38536, V-38538
# Audits account modifications and terminations
-w /etc/group -p wa -k audit_account_changes-V-38531
-w /etc/passwd -p wa -k audit_account_changes-V-38531
-w /etc/gshadow -p wa -k audit_account_changes-V-38531
-w /etc/shadow -p wa -k audit_account_changes-V-38531
-w /etc/security/opasswd -p wa -k audit_account_changes-V-38531
{% endif %}
{% if security_audit_network_changes | bool %}
# RHEL 6 STIG V-38540
# Audits network configuration changes
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
{% else %}
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications-V-38540
{% endif %}
-w /etc/issue -p wa -k audit_network_modifications-V-38540
-w /etc/issue.net -p wa -k audit_network_modifications-V-38540
-w /etc/hosts -p wa -k audit_network_modifications-V-38540
{% if ansible_os_family == "RedHat" %}
-w /etc/sysconfig/network -p wa -k audit_network_modifications-V-38540
{% elif ansible_os_family == "Debian" %}
-w /etc/network -p wa -k audit_network_modifications-V-38540
{% endif %}
{% endif %}
{% if linux_security_module == 'apparmor' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to AppArmor policies
-w /etc/apparmor/ -p wa -k MAC-policy-V-38541
-w /etc/apparmor.d/ -p wa -k MAC-policy-V-38541
{% endif %}
{% if linux_security_module == 'selinux' and security_audit_mac_changes | bool %}
# RHEL 6 STIG V-38541
# Audits changes to SELinux policies
-w /etc/selinux/ -p wa -k MAC-policy-V-38541
{% endif %}
{% if security_audit_DAC_chmod | bool %}
# RHEL 6 STIG V-38543
# Audits DAC changes via chmod
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=ppc64 -S removexattr -F auid=0 -k perm_mod-V-38543
{% else %}
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod-V-38543
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38543
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod-V-38543
{% endif %}
{% endif %}
{% if security_audit_DAC_chown | bool %}
# RHEL 6 STIG V-38545
# Audits DAC changes via chown
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=ppc64 -S chown -F auid=0 -k perm_mod-V-38545
{% else %}
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod-V-38545
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38545
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod-V-38545
{% endif %}
{% endif %}
{% if security_audit_DAC_fchmod | bool %}
# RHEL 6 STIG V-38547
# Audits DAC changes via fchmod
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=ppc64 -S fchmod -F auid=0 -k perm_mod-V-38547
{% else %}
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod-V-38547
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38547
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod-V-38547
{% endif %}
{% endif %}
{% if security_audit_DAC_fchmodat | bool %}
# RHEL 6 STIG V-38550
# Audits DAC changes via fchmodat
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=ppc64 -S fchmodat -F auid=0 -k perm_mod-V-38550
{% else %}
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod-V-38550
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38550
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod-V-38550
{% endif %}
{% endif %}
{% if security_audit_DAC_fchown | bool %}
# RHEL 6 STIG V-38552
# Audits DAC changes via fchown
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=ppc64 -S fchown -F auid=0 -k perm_mod-V-38552
{% else %}
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod-V-38552
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38552
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod-V-38552
{% endif %}
{% endif %}
{% if security_audit_DAC_fchownat | bool %}
# RHEL 6 STIG V-38554
# Audits DAC changes via fchownat
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=ppc64 -S fchownat -F auid=0 -k perm_mod-V-38554
{% else %}
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod-V-38554
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38554
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod-V-38554
{% endif %}
{% endif %}
{% if security_audit_DAC_fremovexattr | bool %}
# RHEL 6 STIG V-38556
# Audits DAC changes via fremovexattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=ppc64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
{% else %}
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod-V-38556
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38556
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod-V-38556
{% endif %}
{% endif %}
{% if security_audit_DAC_fsetxattr | bool %}
# RHEL 6 STIG V-38557
# Audits DAC changes via fsetxattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=ppc64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
{% else %}
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod-V-38557
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38557
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod-V-38557
{% endif %}
{% endif %}
{% if security_audit_DAC_lchown | bool %}
# RHEL 6 STIG V-38558
# Audits DAC changes via lchown
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=ppc64 -S lchown -F auid=0 -k perm_mod-V-38558
{% else %}
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod-V-38558
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38558
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod-V-38558
{% endif %}
{% endif %}
{% if security_audit_DAC_lremovexattr | bool %}
# RHEL 6 STIG V-38559
# Audits DAC changes via lremovexattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
-a always,exit -F arch=ppc64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
{% else %}
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modV-38559
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod-V-38559
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38559
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod-V-38559
{% endif %}
{% endif %}
{% if security_audit_DAC_lsetxattr | bool %}
# RHEL 6 STIG V-38561
# Audits DAC changes via lsetxattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=ppc64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
{% else %}
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod-V-38561
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38561
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod-V-38561
{% endif %}
{% endif %}
{% if security_audit_DAC_setxattr | bool %}
# RHEL 6 STIG V-38565
# Audits DAC changes via setxattr
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=ppc64 -S setxattr -F auid=0 -k perm_mod-V-38565
{% else %}
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod-V-38565
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod-V-38565
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod-V-38565
{% endif %}
{% endif %}
{% if security_audit_failed_access | bool %}
# RHEL 6 STIG V-38566
# Audits failed attempts to access files and programs
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=ppc64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
{% else %}
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access-V-38566
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access-V-38566
{% endif %}
{% endif %}
{% if security_audit_filesystem_mounts | bool %}
# RHEL 6 STIG V-38568
# Audits filesystem mounts
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=ppc64 -S mount -F auid=0 -k filesystem_mount-V-38568
{% else %}
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=b32 -S mount -F auid=0 -k filesystem_mount-V-38568
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k filesystem_mount-V-38568
-a always,exit -F arch=b64 -S mount -F auid=0 -k filesystem_mount-V-38568
{% endif %}
{% endif %}
{% if security_audit_deletions | bool %}
# RHEL 6 STIG V-38575
# Audits deletion of files and programs
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=ppc64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
{% else %}
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete-V-38575
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete-V-38575
{% endif %}
{% endif %}
{% if security_audit_sudoers | bool %}
# RHEL 6 STIG V-38578
# Audits /etc/sudoers changes
-w /etc/sudoers -p wa -k actions-V-38578
{% endif %}
{% if security_audit_kernel_modules | bool %}
# RHEL 6 STIG V-38580
# Audits kernel module loading/unloading
-w /sbin/insmod -p x -k modules-V-38580
-w /sbin/rmmod -p x -k modules-V-38580
-w /sbin/modprobe -p x -k modules-V-38580
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S init_module -S delete_module -k modules-V-38580
{% else %}
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules-V-38580
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules-V-38580
{% endif %}
{% endif %}
{% if security_audit_change_system_time | bool %}
# RHEL 6 STIG V-38635
# Audits system time changes
{% if ansible_architecture == 'ppc64le' %}
-a always,exit -F arch=ppc64 -S adjtimex -k audit_time_rules-V-38635
{% else %}
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules-V-38635
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules-V-38635
{% endif %}
{% endif %}
View Git Blame Copy Permalink