make auditd list autogenerate
parent
6bac02cc45
commit
6d0a216712
@ -21,6 +21,14 @@
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Collect specific executables for dynamic list
|
||||
ansible.builtin.command: "find /usr/bin /usr/sbin /usr/lib /usr/libexec -xdev -perm /6000 -type f"
|
||||
register: exec_find_output
|
||||
|
||||
- name: Set variable for above collection
|
||||
ansible.builtin.set_fact:
|
||||
audit_suid_list: "{{ exec_find_output.stdout_lines }}"
|
||||
|
||||
- name: Ensure collection audit rules are available
|
||||
ansible.builtin.template:
|
||||
src: "etc/audit/rules.d/collection.rules.j2"
|
||||
|
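Review bot: The three new tasks carry no `tags:` in this hunk while the preceding task is tagged `harden`, so a run limited with `--tags harden` would skip the find/set_fact pair and the template task at the end of the hunk would render with `audit_suid_list` undefined, since the static default for it is removed in the defaults hunk further down; give the new tasks the same tag. The `ansible.builtin.command` find also reports changed on every run and is skipped in check mode, which leaves the fact unset there; add `changed_when: false` and `check_mode: false` to that task. The generated list only reflects the set-uid/set-gid files present when the play runs, so binaries installed later are not watched until the next run, which is worth a comment on the task such as `# Re-run the play after package changes: the watched list is snapshotted here`. The template task continues outside the hunk.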
@ -1,10 +1,8 @@
|
||||
# Ignore CWD logs
|
||||
-a exclude,always -F msgtype=CWD
|
||||
|
||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
||||
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
||||
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
|
||||
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
|
||||
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
|
||||
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
|
||||
-w /etc/localtime -p wa -k time-change
|
||||
|
||||
## Records when events occur that modify user and group passwords and ID's
|
||||
@ -13,8 +11,8 @@
|
||||
{% endfor %}
|
||||
|
||||
## Records changes to network environment files or system calls
|
||||
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
|
||||
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
|
||||
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
|
||||
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
|
||||
-w /etc/issue -p wa -k system-locale
|
||||
-w /etc/issue.net -p wa -k system-locale
|
||||
-w /etc/hosts -p wa -k system-locale
|
||||
@ -40,16 +38,16 @@
|
||||
|
||||
## Monitor changes for files for UID's above {{ audit_auid }}
|
||||
# You can take this out if you are on a non-PCI system
|
||||
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
|
||||
|
||||
## Monitors mounting events for users
|
||||
# You can probably take these out
|
||||
|
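Review bot: Three of the rewritten `access` rules have a stray leading comma in the syscall list (`-S ,creat,open,...` on the b64 -EACCES, b32 -EACCES and b64 -EPERM lines), which auditctl will most likely reject as an empty syscall name; because augenrules loads the merged rules in one pass, one bad line can keep the rules after it from loading at all. Drop the comma so each reads like the b32 -EPERM line, e.g. `-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access`. The first hunk of this file also drops `-S stime` from the b32 time-change rule while merging the syscall lists, which quietly narrows coverage for 32-bit callers; restore it unless that was intended.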
@ -122,48 +122,46 @@ audit_identity_list:
|
||||
- /etc/shadow
|
||||
- /etc/security/opasswd
|
||||
audit_logins:
|
||||
- /var/log/faillog
|
||||
- /var/log/faillock
|
||||
- /var/log/lastlog
|
||||
- /var/log/tallylog
|
||||
- /var/log/faillock/
|
||||
- /var/log/wtmp
|
||||
- /var/log/btmp
|
||||
audit_session:
|
||||
- /var/run/utmp
|
||||
audit_suid_list:
|
||||
- /usr/libexec/sssd/proxy_child
|
||||
- /usr/libexec/sssd/ldap_child
|
||||
- /usr/libexec/sssd/krb5_child
|
||||
- /usr/libexec/sssd/selinux_child
|
||||
- /usr/libexec/dbus-1/dbus-daemon-launch-helper
|
||||
- /usr/libexec/utempter/utempter
|
||||
- /usr/libexec/openssh/ssh-keysign
|
||||
- /usr/lib/polkit-1/polkit-agent-helper-1
|
||||
- /usr/sbin/usernetctl
|
||||
- /usr/sbin/postqueue
|
||||
- /usr/sbin/unix_chkpwd
|
||||
- /usr/sbin/postdrop
|
||||
- /usr/sbin/pam_timestamp_check
|
||||
- /usr/sbin/netreport
|
||||
- /usr/sbin/mount.nfs
|
||||
- /usr/bin/su
|
||||
- /usr/bin/ksu
|
||||
- /usr/bin/write
|
||||
- /usr/bin/newgrp
|
||||
- /usr/bin/chage
|
||||
- /usr/bin/mount
|
||||
- /usr/bin/ssh-agent
|
||||
- /usr/bin/sudo
|
||||
- /usr/bin/passwd
|
||||
- /usr/bin/gpasswd
|
||||
- /usr/bin/at
|
||||
- /usr/bin/wall
|
||||
- /usr/bin/chsh
|
||||
- /usr/bin/locate
|
||||
- /usr/bin/chfn
|
||||
- /usr/bin/umount
|
||||
- /usr/bin/crontab
|
||||
- /usr/bin/pkexec
|
||||
# audit_suid_list:
|
||||
# - /usr/libexec/sssd/proxy_child
|
||||
# - /usr/libexec/sssd/ldap_child
|
||||
# - /usr/libexec/sssd/krb5_child
|
||||
# - /usr/libexec/sssd/selinux_child
|
||||
# - /usr/libexec/dbus-1/dbus-daemon-launch-helper
|
||||
# - /usr/libexec/utempter/utempter
|
||||
# - /usr/libexec/openssh/ssh-keysign
|
||||
# - /usr/lib/polkit-1/polkit-agent-helper-1
|
||||
# - /usr/sbin/usernetctl
|
||||
# - /usr/sbin/postqueue
|
||||
# - /usr/sbin/unix_chkpwd
|
||||
# - /usr/sbin/postdrop
|
||||
# - /usr/sbin/pam_timestamp_check
|
||||
# - /usr/sbin/netreport
|
||||
# - /usr/sbin/mount.nfs
|
||||
# - /usr/bin/su
|
||||
# - /usr/bin/ksu
|
||||
# - /usr/bin/write
|
||||
# - /usr/bin/newgrp
|
||||
# - /usr/bin/chage
|
||||
# - /usr/bin/mount
|
||||
# - /usr/bin/ssh-agent
|
||||
# - /usr/bin/sudo
|
||||
# - /usr/bin/passwd
|
||||
# - /usr/bin/gpasswd
|
||||
# - /usr/bin/at
|
||||
# - /usr/bin/wall
|
||||
# - /usr/bin/chsh
|
||||
# - /usr/bin/locate
|
||||
# - /usr/bin/chfn
|
||||
# - /usr/bin/umount
|
||||
# - /usr/bin/crontab
|
||||
# - /usr/bin/pkexec
|
||||
|
||||
disable_svc:
|
||||
- cups
|
||||
|
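Review bot: The removed static `audit_suid_list` is kept as a 34-line commented-out block, which is dead configuration that will drift from what the find task actually generates; delete it and rely on history, or replace it with a one-line pointer such as `# audit_suid_list is built at run time by the "Collect specific executables for dynamic list" task`. With no default left, a play that does not execute that task fails on the undefined variable in the template, which is a safer outcome than a silent empty list, so do not reintroduce `audit_suid_list: []` here.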