modify auditd logging

2023-08-14 00:07:25 -07:00 · 2023-08-14 00:07:25 -07:00 · fad12fcba7
commit fad12fcba7
parent bc87fdb86c
3 changed files with 31 additions and 25 deletions
--- a/tasks/chrony.yml
+++ b/tasks/chrony.yml
@ -1,10 +1,5 @@
 ---
- name: Create overrides if we're an IPA Replica
-  include_vars: "{{ item }}"
-  with_first_found:
-    - "chronyserver.yml"
-  when: "'chronyservers' in group_names"
-
+# Defaults are fine for chrony
 - name: Install chrony packages
  ansible.builtin.dnf:
    name: "{{ chrony_packages }}"
@ -16,15 +11,6 @@
    mode: 0750
    state: directory

- name: Deploy configuration
-  ansible.builtin.template:
-    src: chrony.conf.j2
-    dest: "{{ chrony_config_file }}"
-    owner: "{{ chrony_owner }}"
-    group: "{{ chrony_group }}"
-    mode: "{{ chrony_mode }}"
-  notify: "chrony service restart"
-
 - name: Manage the state of service
  ansible.builtin.systemd:
    name: "{{ chrony_service_name }}"
--- a/templates/etc/audit/rules.d/collection.rules.j2
+++ b/templates/etc/audit/rules.d/collection.rules.j2
@ -65,17 +65,24 @@
 ## Collect System Administrator Actions (sudolog)
 -w /var/log/sudo.log -p wa -k actions
 ## Collect Kernel Module Loading and Unloading
-w /sbin/kmod -p x -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module,finit_module -S delete_module -k modules
+# These are covered by the following two lines
+#-w /sbin/kmod -p x -k modules
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -k modules
+-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -k modules

 {% for y in audit_suid_list %}
 -a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
 {% endfor %}

+# Monitor specific calls
+-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
+-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
+-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
+-a always,exit -S all -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=usermod
+
 # Is someone messing with our audit logs?
 -w /var/log/audit/ -k audit-logs

--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -4,6 +4,7 @@
 el_distro_name:
  - CentOS
  - Rocky
+  - RedHat

 bin_su: /usr/bin/su
 bin_sudo: /usr/bin/sudo
@ -15,15 +16,27 @@ grub_config_path_efi: /etc/grub2-efi.cfg

 ipatype: client

-# Removing TFTP for now because there will likely be tftp/pxe servers
 remove_packages:
+  - avahi
+  - cups
+  - dhcp-server
+  - dnsmasq
+  - dovecot
+  - ftp
+  - gdm
+  - lftp
  - nc
-  - wireshark
  - prelink
+  - rsh
+  - samba
  - talk
  - talk-server
-  - rsh
-  - lftp
+  - telnet-server
+  - tftp
+  - tftp-server
+  - vsftpd
+  - wireshark
+  - xorg-x11-server-common

 # security limits
 limits: