From fad12fcba77650d95510f1dc5c435170c617cb1a Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Mon, 14 Aug 2023 00:07:25 -0700
Subject: [PATCH] modify auditd logging
---
 tasks/chrony.yml | 16 +-------------
 .../etc/audit/rules.d/collection.rules.j2 | 19 +++++++++++------
 vars/RedHat.yml | 21 +++++++++++++++----
 3 files changed, 31 insertions(+), 25 deletions(-)
diff --git a/tasks/chrony.yml b/tasks/chrony.yml
index 93d6c93..604db71 100644
--- a/tasks/chrony.yml
+++ b/tasks/chrony.yml
@@ -1,10 +1,5 @@
 ---
-- name: Create overrides if we're an IPA Replica
- include_vars: "{{ item }}"
- with_first_found:
- - "chronyserver.yml"
- when: "'chronyservers' in group_names"
-
+# Defaults are fine for chrony
 - name: Install chrony packages
 ansible.builtin.dnf:
 name: "{{ chrony_packages }}"
@@ -16,15 +11,6 @@
 mode: 0750
 state: directory
-- name: Deploy configuration
- ansible.builtin.template:
- src: chrony.conf.j2
- dest: "{{ chrony_config_file }}"
- owner: "{{ chrony_owner }}"
- group: "{{ chrony_group }}"
- mode: "{{ chrony_mode }}"
- notify: "chrony service restart"
-
 - name: Manage the state of service
 ansible.builtin.systemd:
 name: "{{ chrony_service_name }}"
diff --git a/templates/etc/audit/rules.d/collection.rules.j2 b/templates/etc/audit/rules.d/collection.rules.j2
index bfd4119..77d852a 100644
--- a/templates/etc/audit/rules.d/collection.rules.j2
+++ b/templates/etc/audit/rules.d/collection.rules.j2
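Review bot: Dropping the `Deploy configuration` task in the second chrony hunk leaves `chrony_config_file`, `chrony_owner`, `chrony_group` and `chrony_mode` without a consumer and, unless some other task notifies it, the `chrony service restart` handler without a trigger, yet the hunk removes neither. A reader of `# Defaults are fine for chrony` cannot tell whether those vars and the handler are intentionally dead or leftover, so either remove them in the same commit or widen the comment to `# Defaults are fine for chrony; chrony_* config vars and the restart handler are kept for site overrides`. As far as this hunk shows, the removed task was also the only place the role enforced owner, group and mode on the chrony config, so permission drift on the package-supplied file now goes unchecked; a small `ansible.builtin.file` task on that path would keep the check without the template. The vars and handler themselves live outside this hunk, so their current use is inferred from the names.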
@@ -65,17 +65,24 @@
 ## Collect System Administrator Actions (sudolog)
 -w /var/log/sudo.log -p wa -k actions
 ## Collect Kernel Module Loading and Unloading
--w /sbin/kmod -p x -k modules
--w /sbin/insmod -p x -k modules
--w /sbin/rmmod -p x -k modules
--w /sbin/modprobe -p x -k modules
--a always,exit -F arch=b64 -S init_module,finit_module -S delete_module -k modules
--a always,exit -F arch=b32 -S init_module,finit_module -S delete_module -k modules
+# These are covered by the following two lines
+#-w /sbin/kmod -p x -k modules
+#-w /sbin/insmod -p x -k modules
+#-w /sbin/rmmod -p x -k modules
+#-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -k modules
+-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -k modules
 {% for y in audit_suid_list %}
 -a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
 {% endfor %}
+# Monitor specific calls
+-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
+-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
+-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
+-a always,exit -S all -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=usermod
+
 # Is someone messing with our audit logs?
 -w /var/log/audit/ -k audit-logs
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index c29c7fa..13d0bb3 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -4,6 +4,7 @@
 el_distro_name:
 - CentOS
 - Rocky
+ - RedHat
 bin_su: /usr/bin/su
 bin_sudo: /usr/bin/sudo
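Review bot: The four new `# Monitor specific calls` rules hard-code `-F auid>=1000` while the `privileged` rule immediately above them takes the threshold from `{{ audit_auid }}`, so a host whose login-UID floor differs from 1000 gets inconsistent coverage; within the same hunk the unset-auid filter is also spelled three ways (`4294967295`, `-1`, `unset`) and the key switches from `-k` to `-F key=`. auditctl accepts all three unset spellings, but the mix reads as if they mean different things, so `-F auid>={{ audit_auid }} -F auid!=unset -k perm_chng` for the chcon/setfacl/chacl lines and the same shape with `-k usermod` for the last one would keep the template self-consistent. The comment `# These are covered by the following two lines` overstates slightly: the dropped `-w ... -p x` watches recorded every execve of kmod/insmod/rmmod/modprobe, whereas the syscall rules fire only when a module syscall is actually issued, so a modprobe invocation that never reaches init_module is no longer logged; if that trade-off is intended, the comment should say so. If the role also targets non-x86 hosts, confirm that `create_module` and `query_module` resolve in libaudit's syscall table for that architecture, since a syscall name auditctl cannot map causes it to reject that whole rule line rather than the unknown name alone.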
@@ -15,15 +16,27 @@
 grub_config_path_efi: /etc/grub2-efi.cfg
 ipatype: client
-# Removing TFTP for now because there will likely be tftp/pxe servers
 remove_packages:
+ - avahi
+ - cups
+ - dhcp-server
+ - dnsmasq
+ - dovecot
+ - ftp
+ - gdm
+ - lftp
 - nc
- - wireshark
 - prelink
+ - rsh
+ - samba
 - talk
 - talk-server
- - rsh
- - lftp
+ - telnet-server
+ - tftp
+ - tftp-server
+ - vsftpd
+ - wireshark
+ - xorg-x11-server-common
 # security limits
 limits:
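Review bot: The new `remove_packages` entries `gdm`, `xorg-x11-server-common`, `dnsmasq`, `dhcp-server` and `samba` are unconditional removals that, through dependency resolution, can take a workstation's display stack or a host's libvirt networking, DNS or file-sharing role down with them, and nothing in this hunk lets a host opt out. Consider a comment above the risky entries, or splitting them into a second list (for example a `remove_packages_desktop`-style variable, name to be chosen) that an inventory group can leave empty. The hunk also deletes `# Removing TFTP for now because there will likely be tftp/pxe servers` while adding `tftp` and `tftp-server`, without saying why that concern no longer holds; a one-line replacement such as `# tftp/pxe hosts must override remove_packages` would keep the rationale in the file. Whether any managed host actually runs these services is not visible from the diff.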