make auditd list autogenerate

This commit is contained in:
Louis Abel 2023-08-14 00:34:58 -07:00
parent 6bac02cc45
commit 6d0a216712
Signed by: label
GPG Key ID: 3331F061D1D9990E
3 changed files with 57 additions and 53 deletions


@ -21,6 +21,14 @@
tags: tags:
- harden - harden
- name: Collect specific executables for dynamic list
ansible.builtin.command: "find /usr/bin /usr/sbin /usr/lib /usr/libexec -xdev -perm /6000 -type f"
register: exec_find_output
- name: Set variable for above collection
ansible.builtin.set_fact:
audit_suid_list: "{{ exec_find_output.stdout_lines }}"
- name: Ensure collection audit rules are available - name: Ensure collection audit rules are available
ansible.builtin.template: ansible.builtin.template:
src: "etc/audit/rules.d/collection.rules.j2" src: "etc/audit/rules.d/collection.rules.j2"
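Review bot: The `find` task on line 17 runs through `ansible.builtin.command` with no `changed_when: false` and no `check_mode: false`, so every run reports a change and, in `--check` mode, the command is skipped and `exec_find_output.stdout_lines` is undefined when the `set_fact` on line 21 (and later the template that consumes `audit_suid_list`) executes. Adding `changed_when: false` and `check_mode: false` to the command task keeps the discovery read-only and guarantees the fact is populated in every mode. The `-perm /6000 -type f` filter matches any file with the setuid or setgid bit, so one short comment above the task stating that intent would help the next reader. The enclosing task list starts and ends outside the hunk.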


@ -1,10 +1,8 @@
# Ignore CWD logs # Ignore CWD logs
-a exclude,always -F msgtype=CWD -a exclude,always -F msgtype=CWD
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change -w /etc/localtime -p wa -k time-change
## Records when events occur that modify user and group passwords and ID's ## Records when events occur that modify user and group passwords and ID's
@ -13,8 +11,8 @@
{% endfor %} {% endfor %}
## Records changes to network environment files or system calls ## Records changes to network environment files or system calls
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale -w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
@ -40,16 +38,16 @@
## Monitor changes for files for UID's above {{ audit_auid }} ## Monitor changes for files for UID's above {{ audit_auid }}
# You can take this out if you are on a non-PCI system # You can take this out if you are on a non-PCI system
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
## Monitors mounting events for users ## Monitors mounting events for users
# You can probably take these out # You can probably take these out
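Review bot: The new b64/b32 `access` rules on lines 55–57 carry a stray leading comma in the syscall list (`-S ,creat,open,...`), unlike the sibling rule on line 54; auditctl will most likely treat the empty token as an unknown syscall name and refuse those three rules, so the EACCES/EPERM open-failure auditing silently drops out of the loaded ruleset. Change each to `-S creat,open,openat,open_by_handle_at,truncate,ftruncate`. Separately, the rewritten b32 time-change rule on line 32 no longer lists `stime`, which the old line carried, and the dedicated `clock_settime -F a0=0x0` rules on lines 33–34 are folded into the general rule without the a0 filter; both may be intentional but are worth confirming against the benchmark this role tracks.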


@ -122,48 +122,46 @@ audit_identity_list:
- /etc/shadow - /etc/shadow
- /etc/security/opasswd - /etc/security/opasswd
audit_logins: audit_logins:
- /var/log/faillog - /var/log/faillock
- /var/log/lastlog - /var/log/lastlog
- /var/log/tallylog
- /var/log/faillock/
- /var/log/wtmp - /var/log/wtmp
- /var/log/btmp - /var/log/btmp
audit_session: audit_session:
- /var/run/utmp - /var/run/utmp
audit_suid_list: # audit_suid_list:
- /usr/libexec/sssd/proxy_child # - /usr/libexec/sssd/proxy_child
- /usr/libexec/sssd/ldap_child # - /usr/libexec/sssd/ldap_child
- /usr/libexec/sssd/krb5_child # - /usr/libexec/sssd/krb5_child
- /usr/libexec/sssd/selinux_child # - /usr/libexec/sssd/selinux_child
- /usr/libexec/dbus-1/dbus-daemon-launch-helper # - /usr/libexec/dbus-1/dbus-daemon-launch-helper
- /usr/libexec/utempter/utempter # - /usr/libexec/utempter/utempter
- /usr/libexec/openssh/ssh-keysign # - /usr/libexec/openssh/ssh-keysign
- /usr/lib/polkit-1/polkit-agent-helper-1 # - /usr/lib/polkit-1/polkit-agent-helper-1
- /usr/sbin/usernetctl # - /usr/sbin/usernetctl
- /usr/sbin/postqueue # - /usr/sbin/postqueue
- /usr/sbin/unix_chkpwd # - /usr/sbin/unix_chkpwd
- /usr/sbin/postdrop # - /usr/sbin/postdrop
- /usr/sbin/pam_timestamp_check # - /usr/sbin/pam_timestamp_check
- /usr/sbin/netreport # - /usr/sbin/netreport
- /usr/sbin/mount.nfs # - /usr/sbin/mount.nfs
- /usr/bin/su # - /usr/bin/su
- /usr/bin/ksu # - /usr/bin/ksu
- /usr/bin/write # - /usr/bin/write
- /usr/bin/newgrp # - /usr/bin/newgrp
- /usr/bin/chage # - /usr/bin/chage
- /usr/bin/mount # - /usr/bin/mount
- /usr/bin/ssh-agent # - /usr/bin/ssh-agent
- /usr/bin/sudo # - /usr/bin/sudo
- /usr/bin/passwd # - /usr/bin/passwd
- /usr/bin/gpasswd # - /usr/bin/gpasswd
- /usr/bin/at # - /usr/bin/at
- /usr/bin/wall # - /usr/bin/wall
- /usr/bin/chsh # - /usr/bin/chsh
- /usr/bin/locate # - /usr/bin/locate
- /usr/bin/chfn # - /usr/bin/chfn
- /usr/bin/umount # - /usr/bin/umount
- /usr/bin/crontab # - /usr/bin/crontab
- /usr/bin/pkexec # - /usr/bin/pkexec
disable_svc: disable_svc:
- cups - cups
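Review bot: Commenting out `audit_suid_list` on lines 75–108 leaves a large dead block in defaults while the variable is now produced by `set_fact` at play time, which outranks inventory and group vars, so any `audit_suid_list` a user previously set per host is silently clobbered rather than honoured. Either delete the commented block or replace it with a two-line comment stating that the list is discovered at runtime from setuid/setgid files, and if overrides are still meant to work, guard the discovery and set_fact tasks with `when: audit_suid_list is not defined`. On line 67, `/var/log/faillog` becomes `/var/log/faillock` and the old trailing-slash `/var/log/faillock/` entry is dropped; if pam_faillock on the target writes its tally directory elsewhere (its default is `/var/run/faillock`, configurable in faillock.conf), this watch covers nothing — worth verifying against the target configuration.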