modify auditd logging
parent
bc87fdb86c
commit
fad12fcba7
3 changed files with 31 additions and 25 deletions
@ -1,10 +1,5 @@
|
|||
---
|
||||
- name: Create overrides if we're an IPA Replica
|
||||
include_vars: "{{ item }}"
|
||||
with_first_found:
|
||||
- "chronyserver.yml"
|
||||
when: "'chronyservers' in group_names"
|
||||
|
||||
# Defaults are fine for chrony
|
||||
- name: Install chrony packages
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ chrony_packages }}"
|
||||
|
@ -16,15 +11,6 @@
|
|||
mode: 0750
|
||||
state: directory
|
||||
|
||||
- name: Deploy configuration
|
||||
ansible.builtin.template:
|
||||
src: chrony.conf.j2
|
||||
dest: "{{ chrony_config_file }}"
|
||||
owner: "{{ chrony_owner }}"
|
||||
group: "{{ chrony_group }}"
|
||||
mode: "{{ chrony_mode }}"
|
||||
notify: "chrony service restart"
|
||||
|
||||
- name: Manage the state of service
|
||||
ansible.builtin.systemd:
|
||||
name: "{{ chrony_service_name }}"
|
||||
|
@ -65,17 +65,24 @@
|
|||
## Collect System Administrator Actions (sudolog)
|
||||
-w /var/log/sudo.log -p wa -k actions
|
||||
## Collect Kernel Module Loading and Unloading
|
||||
-w /sbin/kmod -p x -k modules
|
||||
-w /sbin/insmod -p x -k modules
|
||||
-w /sbin/rmmod -p x -k modules
|
||||
-w /sbin/modprobe -p x -k modules
|
||||
-a always,exit -F arch=b64 -S init_module,finit_module -S delete_module -k modules
|
||||
-a always,exit -F arch=b32 -S init_module,finit_module -S delete_module -k modules
|
||||
# These are covered by the following two lines
|
||||
#-w /sbin/kmod -p x -k modules
|
||||
#-w /sbin/insmod -p x -k modules
|
||||
#-w /sbin/rmmod -p x -k modules
|
||||
#-w /sbin/modprobe -p x -k modules
|
||||
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -k modules
|
||||
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -k modules
|
||||
|
||||
{% for y in audit_suid_list %}
|
||||
-a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
|
||||
{% endfor %}
|
||||
|
||||
# Monitor specific calls
|
||||
-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
|
||||
-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
|
||||
-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
|
||||
-a always,exit -S all -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=usermod
|
||||
|
||||
# Is someone messing with our audit logs?
|
||||
-w /var/log/audit/ -k audit-logs
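Review bot: The four rules added under `# Monitor specific calls` hard-code `auid>=1000` and spell the unset-auid filter two ways (`auid!=-1` on the chcon/setfacl/chacl lines, `auid!=unset` on the usermod line), while the `privileged` rule this template already emits takes its threshold from `{{ audit_auid }}` and uses `auid!=4294967295`; on a host where `audit_auid` is set to anything other than 1000 the new rules will diverge from the rest of the policy. Suggest one form for all four, e.g. `-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>={{ audit_auid }} -F auid!=unset -k perm_chng`, using `-k` as the rest of the file does rather than `-F key=`. The rewritten `modules` rules add `create_module` and `query_module` to the syscall list; auditctl rejects an entire `-a` line when it cannot resolve a syscall name for the given arch, so it is worth confirming with `auditctl -l` on each supported release that both the b64 and b32 lines are actually loaded and the `init_module`/`delete_module` coverage the replaced lines provided is not silently lost.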
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
|||
el_distro_name:
|
||||
- CentOS
|
||||
- Rocky
|
||||
- RedHat
|
||||
|
||||
bin_su: /usr/bin/su
|
||||
bin_sudo: /usr/bin/sudo
|
||||
|
@ -15,15 +16,27 @@ grub_config_path_efi: /etc/grub2-efi.cfg
|
|||
|
||||
ipatype: client
|
||||
|
||||
# Removing TFTP for now because there will likely be tftp/pxe servers
|
||||
remove_packages:
|
||||
- avahi
|
||||
- cups
|
||||
- dhcp-server
|
||||
- dnsmasq
|
||||
- dovecot
|
||||
- ftp
|
||||
- gdm
|
||||
- lftp
|
||||
- nc
|
||||
- wireshark
|
||||
- prelink
|
||||
- rsh
|
||||
- samba
|
||||
- talk
|
||||
- talk-server
|
||||
- rsh
|
||||
- lftp
|
||||
- telnet-server
|
||||
- tftp
|
||||
- tftp-server
|
||||
- vsftpd
|
||||
- wireshark
|
||||
- xorg-x11-server-common
|
||||
|
||||
# security limits
|
||||
limits:
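Review bot: `remove_packages` now lists `rsh`, `lftp` and `wireshark` twice each; `dnf` with `state: absent` tolerates duplicates, but they make the list harder to check against a hardening baseline and suggest the new entries were appended without reading the existing ones. Suggest deduplicating and keeping the list sorted so future additions stand out in a diff. The comment `# Removing TFTP for now because there will likely be tftp/pxe servers` sits above a list that still contains `tftp` and `tftp-server`; the rendered page does not show which of these lines is old and which is new, but either the comment or the two entries should go so the file does not say one thing and do another.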
|
||||
|