From e2626acf9fe777544491d7423058ded06147625f Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Thu, 10 Dec 2020 16:11:41 -0700
Subject: [PATCH] docs and bugfixes

---
 ansible/README.md | 43 +++++++-
 .../{templates => files}/etc/rockybanner | 0
 ansible/playbooks/files/none | 1 -
 .../playbooks/init-rocky-system-config.yml | 4 +
 ansible/playbooks/role-rocky-ipa-replica.yml | 4 +
 ansible/playbooks/role-rocky-ipa.yml | 4 +
 ansible/playbooks/tasks/ssh-config.yml | 4 +-
 .../etc/audit/rules.d/collection.rules.j2 | 97 +++++++++++++++++++
 ansible/playbooks/vars/RedHat.yml | 4 +-
 9 files changed, 155 insertions(+), 6 deletions(-)
 rename ansible/playbooks/{templates => files}/etc/rockybanner (100%)
 delete mode 100644 ansible/playbooks/files/none
 create mode 100644 ansible/playbooks/templates/etc/audit/rules.d/collection.rules.j2

diff --git a/ansible/README.md b/ansible/README.md
index fef1054..1fb79d0 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -25,7 +25,7 @@ Loosely copied from the CentOS ansible infrastructure. This structure is represe
 │ ├── vars
 │ └── requirements.yml
 ├── roles
-│ ├──
+│ └──
 ├── tasks -> playbooks/tasks
 ├── templates -> playbooks/templates
 └── vars -> playbooks/vars
@@ -58,3 +58,44 @@
 role-* -> These playbooks call roles specifically for infrastructure tasks.
 adhoc -> These playbooks are one-off playbooks that can be used on the CLI or in AWX
 ```
+
+## Designing Playbooks
+
+### Pre flight and post flight
+
+At a minimum, there should be `pre_tasks` and `post_tasks` that can judge whether ansible has been can or has been run on a system. Some playbooks will not necessarily need this (eg if you're running an adhoc playbook to create a user). But operations done on a host should at least have these in the playbook.
+
+```
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ msg: "/etc/no-ansible exists - skipping run on this node"
+
+ # Import roles/tasks here
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+```
+
+If you need to use handlers, you will need to include them in the playbook.
+
+### Roles
+
+If you are using roles that are not part of this repository in the `roles` directory, you will need to list them in the `requirements.yml`. For example, we use the IPA role.
+
+```
+---
+- src: freeipa.ansible_freeipa
+```
+
+Otherwise, custom roles for the infrastructure will sit in `ansible/roles`.
diff --git a/ansible/playbooks/templates/etc/rockybanner b/ansible/playbooks/files/etc/rockybanner
similarity index 100%
rename from ansible/playbooks/templates/etc/rockybanner
rename to ansible/playbooks/files/etc/rockybanner
diff --git a/ansible/playbooks/files/none b/ansible/playbooks/files/none
deleted file mode 100644
index 6fb5ba7..0000000
--- a/ansible/playbooks/files/none
+++ /dev/null
@@ -1 +0,0 @@
-# no files here yet
diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml
index 598a65a..254a27b 100644
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@@ -4,6 +4,10 @@
 hosts: all
 become: true
 
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - include: handlers/main.yml
+
 pre_tasks:
 - name: Check if ansible cannot be run here
 stat:
diff --git a/ansible/playbooks/role-rocky-ipa-replica.yml b/ansible/playbooks/role-rocky-ipa-replica.yml
index 45f58de..4ca2ca3 100644
--- a/ansible/playbooks/role-rocky-ipa-replica.yml
+++ b/ansible/playbooks/role-rocky-ipa-replica.yml
@@ -7,6 +7,10 @@
 vars_files:
 - vars/encpass.yml
 
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - include: handlers/main.yml
+
 pre_tasks:
 - name: Check if ansible cannot be run here
 stat:
diff --git a/ansible/playbooks/role-rocky-ipa.yml b/ansible/playbooks/role-rocky-ipa.yml
index 9511f01..512360b 100644
--- a/ansible/playbooks/role-rocky-ipa.yml
+++ b/ansible/playbooks/role-rocky-ipa.yml
@@ -7,6 +7,10 @@
 vars_files:
 - vars/encpass.yml
 
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - include: handlers/main.yml
+
 pre_tasks:
 - name: Check if ansible cannot be run here
 stat:
diff --git a/ansible/playbooks/tasks/ssh-config.yml b/ansible/playbooks/tasks/ssh-config.yml
index 53ae809..a320a19 100644
--- a/ansible/playbooks/tasks/ssh-config.yml
+++ b/ansible/playbooks/tasks/ssh-config.yml
@@ -19,8 +19,8 @@
 - name: ssh banner
 copy:
- src: "etc/banner"
- dest: "{{ ssh_banner }}"
+ src: "etc/rockybanner"
+ dest: "/etc/rockybanner"
 owner: root
 group: root
 notify: restart_ssh
diff --git a/ansible/playbooks/templates/etc/audit/rules.d/collection.rules.j2 b/ansible/playbooks/templates/etc/audit/rules.d/collection.rules.j2
new file mode 100644
index 0000000..bfd4119
--- /dev/null
+++ b/ansible/playbooks/templates/etc/audit/rules.d/collection.rules.j2
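Review bot: The added `- include: handlers/main.yml` uses the bare `include` directive, which Ansible deprecated in 2.4 and which prints a deprecation warning on every run; handlers are resolved at parse time, so `- import_tasks: handlers/main.yml` is the drop-in replacement and should be used in all three plays this commit touches (this file, role-rocky-ipa-replica.yml and role-rocky-ipa.yml). The comment `# This is to try to avoid the handler issue in pre/post tasks` does not tell the next maintainer what failed; if the symptom was a handler such as `restart_ssh` not being found when notified from an included tasks file, say so in one line, e.g. `# Handlers must be declared at play level so tasks included from tasks/*.yml can notify them` — adjust if that is not the actual failure. The `handlers/main.yml` file itself is not part of this diff, so its existence relative to the playbook directory cannot be confirmed here.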
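Review bot: The `copy` task for the banner sets `owner`/`group` but no `mode`, so when `/etc/rockybanner` does not yet exist its permissions come from the remote umask rather than from the playbook; add `mode: "0644"` so the banner is deterministically world-readable and root-writable only. The destination also changed from `"{{ ssh_banner }}"` to the literal `"/etc/rockybanner"`; the sshd_config template that sets `Banner` is not in this diff, so if it still renders `{{ ssh_banner }}` (or a different path) sshd will point at a file this task no longer writes — either keep `dest: "{{ ssh_banner }}"` and set `ssh_banner: /etc/rockybanner` in vars, or confirm both places use the same literal. The hunk covers the whole task, but the surrounding task list continues outside it.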
@@ -0,0 +1,97 @@
+# Ignore CWD logs
+-a exclude,always -F msgtype=CWD
+
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+-w /etc/localtime -p wa -k time-change
+
+## Records when events occur that modify user and group passwords and ID's
+{% for y in audit_identity_list %}
+-w {{ y }} -p wa -k identity
+{% endfor %}
+
+## Records changes to network environment files or system calls
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/hostname -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
+
+## Monitors SELinux Mandatory Access Controls
+-w /etc/selinux/ -p wa -k MAC-policy
+-w /usr/share/selinux/ -p wa -k MAC-policy
+
+## Monitors login/logout/failed login events
+# To be fair, these are normally logged in /var/log/secure
+{% for y in audit_logins %}
+-w {{ y }} -p wa -k logins
+{% endfor %}
+
+## Monitor session initiation events
+## This will track file changes within sessions
+{% for y in audit_session %}
+-w {{ y }} -p wa -k session
+{% endfor %}
+
+## Monitor changes for files for UID's above {{ audit_auid }}
+# You can take this out if you are on a non-PCI system
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+
+## Monitors mounting events for users
+# You can probably take these out
+-a always,exit -F arch=b64 -S mount -F auid>={{ audit_auid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ audit_auid }} -F auid!=4294967295 -k mounts
+## Collect file deletion events by a user
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{ audit_auid }} -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{ audit_auid }} -F auid!=4294967295 -k delete
+## Collect changes to System Administration Scope
+# Note: This only records /etc/sudoers and doesn't watch /etc/sudoers.d
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d -p wa -k scope
+## Collect System Administrator Actions (sudolog)
+-w /var/log/sudo.log -p wa -k actions
+## Collect Kernel Module Loading and Unloading
+-w /sbin/kmod -p x -k modules
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module,finit_module -S delete_module -k modules
+-a always,exit -F arch=b32 -S init_module,finit_module -S delete_module -k modules
+
+{% for y in audit_suid_list %}
+-a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
+{% endfor %}
+
+# Is someone messing with our audit logs?
+-w /var/log/audit/ -k audit-logs
+
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=4294967295 -F key=audit-logs
+-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/aulast -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/auvirt -F perm=x -F key=audit-logs
+
+# Privilege elevation
+-a always,exit -F arch=b64 -S setuid -Fa0=0 -F exe={{ bin_su }} -F key=privileged
+-a always,exit -F arch=b32 -S setuid -Fa0=0 -F exe={{ bin_su }} -F key=privileged
+-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe={{ bin_sudo }} -F key=privileged
+-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe={{ bin_sudo }} -F key=privileged
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=privileged
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=privileged
+
+-e 2
diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml
index d281606..14d148b 100644
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@@ -150,5 +150,5 @@ syslog_packages:
 ntp_packages:
 - chrony
 
-legacy_ntp_packages:
- - ntp
+bin_su: /usr/bin/su
+bin_sudo: /usr/bin/sudo
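Review bot: The read-access rule on the audit log directory hard-codes `-F auid>=1000` while every other user-scoped rule in the file is templated on `{{ audit_auid }}`, so a deployment that sets the variable to anything else gets one rule out of step with the rest; change it to `-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{ audit_auid }} -F auid!=4294967295 -F key=audit-logs`. The comment `# Note: This only records /etc/sudoers and doesn't watch /etc/sudoers.d` is contradicted by the `-w /etc/sudoers.d -p wa -k scope` line two lines below it and should be deleted. `-w /var/log/sudo.log -p wa -k actions` only yields events if sudoers carries `Defaults logfile=/var/log/sudo.log`; on a stock EL install sudo logs through syslog to /var/log/secure and this watch never fires, so confirm the sudoers template sets it or drop the rule. Finally, `-e 2` locks the rule set until reboot, so any later edit to this template that a handler loads with `augenrules --load` or an auditd restart will fail on the first rule it tries to add — document that a reboot is required after changes, or keep `-e 2` in a separate, rarely changed rules file.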
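Review bot: Removing `legacy_ntp_packages` from this vars file turns any remaining reference to it into an undefined-variable error at template time; the tasks that consumed it are not in this diff, so confirm they were dropped or switched to `ntp_packages` before this lands. The new `bin_su` and `bin_sudo` values are consumed by `-F exe=` filters in the audit template, which match the kernel's canonical executable path, so they must stay as absolute, symlink-resolved paths (`/usr/bin/su`, `/usr/bin/sudo`) rather than `/bin/...` aliases.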