From 6d0a2167127a2991b3f64e3b3f49e01b4f6890e7 Mon Sep 17 00:00:00 2001 From: Louis Abel Date: Mon, 14 Aug 2023 00:34:58 -0700 Subject: [PATCH] make auditd list autogenerate --- tasks/auditd.yml | 8 +++ .../etc/audit/rules.d/collection.rules.j2 | 30 ++++---- vars/RedHat.yml | 72 +++++++++---------- 3 files changed, 57 insertions(+), 53 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 3ee45d2..91dbfd7 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -21,6 +21,14 @@ tags: - harden +- name: Collect specific executables for dynamic list + ansible.builtin.command: "find /usr/bin /usr/sbin /usr/lib /usr/libexec -xdev -perm /6000 -type f" + register: exec_find_output + +- name: Set variable for above collection + ansible.builtin.set_fact: + audit_suid_list: "{{ exec_find_output.stdout_lines }}" + - name: Ensure collection audit rules are available ansible.builtin.template: src: "etc/audit/rules.d/collection.rules.j2" diff --git a/templates/etc/audit/rules.d/collection.rules.j2 b/templates/etc/audit/rules.d/collection.rules.j2 index 77d852a..0b69004 100644 --- a/templates/etc/audit/rules.d/collection.rules.j2 +++ b/templates/etc/audit/rules.d/collection.rules.j2 @@ -1,10 +1,8 @@ # Ignore CWD logs -a exclude,always -F msgtype=CWD --a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change --a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change ## Records when events occur that modify user and group passwords and ID's 
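Review bot: The new `Collect specific executables for dynamic list` task runs `find` through `ansible.builtin.command` with no `changed_when`, so every run of the role reports a change, and in `--check` mode the command is skipped so `exec_find_output` has no `stdout_lines` when the following `set_fact` reads it; add `changed_when: false` and `check_mode: false` to the command task. The task just above the insertion carries `tags: - harden`, and if the template task that consumes `audit_suid_list` is tagged the same way while these two new tasks are not, a `--tags harden` run would render the template with the fact undefined — both new tasks should carry the same tag. The search roots are hard-coded to four `/usr` paths, so setuid/setgid binaries under `/usr/local`, `/opt` or any other prefix are never audited; the CIS wording is `find / -xdev ...`, or at minimum the path list should be a role variable. Because `stdout_lines` silently yields an empty list when `find` matches nothing, an `ansible.builtin.assert` that `audit_suid_list | length > 0` would catch a host that ends up with no setuid rules at all. The template task's body continues past the end of the hunk.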
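Review bot: Folding the four time-change rules into two drops coverage that the removed lines had: the b32 rule no longer lists `stime` (a 32-bit-only syscall that the CIS/STIG time-change rules include), and `clock_settime` has lost the `-F a0=0x0` filter that limited it to CLOCK_REALTIME, so the new rules log every clock_settime on every clock while missing stime entirely. The b32 line should read `-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k time-change`, and clock_settime should keep its own rule per arch with `-F a0=0x0` (using `-k time-change` rather than `-F key=`, which are equivalent). `stime` does not exist on b64, so it must not be folded into the b64 list.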
@@ -13,8 +11,8 @@
 {% endfor %}
 ## Records changes to network environment files or system calls
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
--a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -40,16 +38,16 @@
 ## Monitor changes for files for UID's above {{ audit_auid }}
 # You can take this out if you are on a non-PCI system
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
 ## Monitors mounting events for users
 # You can probably take these out
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 13d0bb3..13aa810 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
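Review bot: Three of the rewritten `-k access` rules carry a stray leading comma in the syscall list — `-S ,creat,open,...` on the b64 EACCES, b32 EACCES and b64 EPERM lines — while the b32 EPERM line directly above them is written correctly. Whether auditctl tolerates this depends on its list parser (a strtok-style tokenizer skips the empty leading field, but a parser that treats it as an empty syscall name rejects the rule and, without `-c`, can stop loading the file at that line), so the rules should not rely on it; each line should match the b32 EPERM form, e.g. `-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access`. A CI step that renders this template and loads it with `auditctl -R` on a test host would catch this class of typo before it reaches production, since a rules file that fails to load leaves the host with less auditing than the role claims.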
@@ -122,48 +122,46 @@ audit_identity_list: - /etc/shadow - /etc/security/opasswd audit_logins: - - /var/log/faillog + - /var/log/faillock - /var/log/lastlog - - /var/log/tallylog - - /var/log/faillock/ - /var/log/wtmp - /var/log/btmp audit_session: - /var/run/utmp -audit_suid_list: - - /usr/libexec/sssd/proxy_child - - /usr/libexec/sssd/ldap_child - - /usr/libexec/sssd/krb5_child - - /usr/libexec/sssd/selinux_child - - /usr/libexec/dbus-1/dbus-daemon-launch-helper - - /usr/libexec/utempter/utempter - - /usr/libexec/openssh/ssh-keysign - - /usr/lib/polkit-1/polkit-agent-helper-1 - - /usr/sbin/usernetctl - - /usr/sbin/postqueue - - /usr/sbin/unix_chkpwd - - /usr/sbin/postdrop - - /usr/sbin/pam_timestamp_check - - /usr/sbin/netreport - - /usr/sbin/mount.nfs - - /usr/bin/su - - /usr/bin/ksu - - /usr/bin/write - - /usr/bin/newgrp - - /usr/bin/chage - - /usr/bin/mount - - /usr/bin/ssh-agent - - /usr/bin/sudo - - /usr/bin/passwd - - /usr/bin/gpasswd - - /usr/bin/at - - /usr/bin/wall - - /usr/bin/chsh - - /usr/bin/locate - - /usr/bin/chfn - - /usr/bin/umount - - /usr/bin/crontab - - /usr/bin/pkexec +# audit_suid_list: +# - /usr/libexec/sssd/proxy_child +# - /usr/libexec/sssd/ldap_child +# - /usr/libexec/sssd/krb5_child +# - /usr/libexec/sssd/selinux_child +# - /usr/libexec/dbus-1/dbus-daemon-launch-helper +# - /usr/libexec/utempter/utempter +# - /usr/libexec/openssh/ssh-keysign +# - /usr/lib/polkit-1/polkit-agent-helper-1 +# - /usr/sbin/usernetctl +# - /usr/sbin/postqueue +# - /usr/sbin/unix_chkpwd +# - /usr/sbin/postdrop +# - /usr/sbin/pam_timestamp_check +# - /usr/sbin/netreport +# - /usr/sbin/mount.nfs +# - /usr/bin/su +# - /usr/bin/ksu +# - /usr/bin/write +# - /usr/bin/newgrp +# - /usr/bin/chage +# - /usr/bin/mount +# - /usr/bin/ssh-agent +# - /usr/bin/sudo +# - /usr/bin/passwd +# - /usr/bin/gpasswd +# - /usr/bin/at +# - /usr/bin/wall +# - /usr/bin/chsh +# - /usr/bin/locate +# - /usr/bin/chfn +# - /usr/bin/umount +# - /usr/bin/crontab +# - /usr/bin/pkexec disable_svc: 
- cups
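Review bot: The 34-line `audit_suid_list` block is commented out rather than deleted, leaving dead configuration in `vars/RedHat.yml` that git history already preserves; it should either be removed or kept live under a distinct name (for example `audit_suid_list_static`) that the template unions with the host-derived list, so a host where the `find` collection is skipped or returns nothing still audits the well-known setuid binaries instead of silently auditing none. A one-line comment above `audit_logins` would also help, since a reader cannot otherwise tell why `faillog` and `tallylog` were dropped — something like `# /var/log/faillock is the pam_faillock state directory (watched with -p wa); faillog/tallylog are the pam_tally2 files it replaces`, assuming that is the reason. The hunk appears to end at `- cups`, but the `disable_svc` list it belongs to may continue past the visible lines.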