modify auditd logging

This commit is contained in:
Louis Abel 2023-08-14 00:07:25 -07:00
parent bc87fdb86c
commit fad12fcba7
Signed by: label
GPG key ID: 3331F061D1D9990E
3 changed files with 31 additions and 25 deletions


@ -1,10 +1,5 @@
---
- name: Create overrides if we're an IPA Replica
include_vars: "{{ item }}"
with_first_found:
- "chronyserver.yml"
when: "'chronyservers' in group_names"
# Defaults are fine for chrony
- name: Install chrony packages
ansible.builtin.dnf:
name: "{{ chrony_packages }}"
@ -16,15 +11,6 @@
mode: 0750
state: directory
- name: Deploy configuration
ansible.builtin.template:
src: chrony.conf.j2
dest: "{{ chrony_config_file }}"
owner: "{{ chrony_owner }}"
group: "{{ chrony_group }}"
mode: "{{ chrony_mode }}"
notify: "chrony service restart"
- name: Manage the state of service
ansible.builtin.systemd:
name: "{{ chrony_service_name }}"


@ -65,17 +65,24 @@
## Collect System Administrator Actions (sudolog)
-w /var/log/sudo.log -p wa -k actions
## Collect Kernel Module Loading and Unloading
-w /sbin/kmod -p x -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module,finit_module -S delete_module -k modules
# These are covered by the following two lines
#-w /sbin/kmod -p x -k modules
#-w /sbin/insmod -p x -k modules
#-w /sbin/rmmod -p x -k modules
#-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -k modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -k modules
{% for y in audit_suid_list %}
-a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
{% endfor %}
# Monitor specific calls
-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng
-a always,exit -S all -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=usermod
# Is someone messing with our audit logs?
-w /var/log/audit/ -k audit-logs
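Review bot: The four new rules from `-a always,exit -S all -F path=/usr/bin/chcon …` to `… path=/usr/bin/usermod …` hard-code `auid>=1000` and mix `auid!=-1` with `auid!=unset`, while the loop just above them uses `-F auid>={{ audit_auid }} -F auid!=4294967295`, so a host with a non-default `audit_auid` audits these privileged helpers under a different threshold than the SUID list. Use the variable and one spelling of the sentinel on all four lines, `-F auid>={{ audit_auid }} -F auid!=unset` (auditctl accepts `-1`, `4294967295` and `unset` as the same value, so the sentinel part is consistency only). The comment `# These are covered by the following two lines` overstates the syscall rules: the `-w /sbin/kmod -p x` watches recorded any execution of the module tools, whereas `init_module`/`finit_module`/`delete_module` only fire when one of those syscalls is made, so invocations that never reach a load or unload (`lsmod`, `modinfo`, a failed lookup) are no longer logged; reword to `# Execution watches on the kmod tools replaced by syscall rules; only actual load/unload calls are recorded now`, or keep a single watch on /sbin/kmod. `create_module` and `query_module` are obsolete syscalls that not every architecture's auditctl table may know; if the template is applied to anything other than x86, verify the line is accepted at load time, since one unknown syscall name rejects the whole rule.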


@ -4,6 +4,7 @@
el_distro_name:
- CentOS
- Rocky
- RedHat
bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo
@ -15,15 +16,27 @@ grub_config_path_efi: /etc/grub2-efi.cfg
ipatype: client
# Removing TFTP for now because there will likely be tftp/pxe servers
remove_packages:
- avahi
- cups
- dhcp-server
- dnsmasq
- dovecot
- ftp
- gdm
- lftp
- nc
- wireshark
- prelink
- rsh
- samba
- talk
- talk-server
- rsh
- lftp
- telnet-server
- tftp
- tftp-server
- vsftpd
- wireshark
- xorg-x11-server-common
# security limits
limits:
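Review bot: The comment `# Removing TFTP for now because there will likely be tftp/pxe servers` still introduces `remove_packages` while the list in this hunk carries `- tftp` and `- tftp-server`; the rendered page lost the +/- markers, but the alphabetised order suggests these sit on the new side, in which case either the comment or the entries is stale, and removing `tftp-server` on a host that is a PXE server breaks it. Either drop the comment or guard the entries the way the comment promises. `lftp`, `rsh` and `wireshark` each appear twice in the visible section, which is most likely the old and new ordering printed together; if any pair is on the new side, dedupe it, since a repeated package name is harmless to dnf but misleading to readers. The enclosing `limits:` mapping continues past the end of the hunk.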