From afdc138987db8246be1f3a0948967f10c3011bb8 Mon Sep 17 00:00:00 2001 From: Steven Hardy Date: Wed, 18 Jan 2017 12:25:56 +0000 Subject: Add AuditD composable service This patch allows the management of the AuditD service and its associated files (such as `audit.rules`) This is achieved by means of the `puppet-auditd` puppet module. Also places ssh banner capabilities map on top of patch Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b --- environments/auditd.yaml | 119 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 environments/auditd.yaml (limited to 'environments') diff --git a/environments/auditd.yaml b/environments/auditd.yaml new file mode 100644 index 00000000..b358c98a --- /dev/null +++ b/environments/auditd.yaml @@ -0,0 +1,119 @@ +resource_registry: + OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml + +parameter_defaults: + AuditdRules: + 'Record attempts to alter time through adjtimex': + content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules' + order : 1 + 'Record attempts to alter time through settimeofday': + content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules' + order : 2 + 'Record Attempts to Alter Time Through stime': + content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules' + order : 3 + 'Record Attempts to Alter Time Through clock_settime': + content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules' + order : 4 + 'Record Attempts to Alter the localtime File': + content: '-w /etc/localtime -p wa -k audit_time_rules' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chmod': + content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chown': + content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 6 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmod': + content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 7 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat': + content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 8 + 'Record Events that Modify the Systems Discretionary Access Controls - fchown': + content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 9 + 'Record Events that Modify the Systems Discretionary Access Controls - fchownat': + content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 10 + 'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr': + content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 11 + 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr': + content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 12 + 'Record Events that Modify the Systems Discretionary Access Controls - lchown': + content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 13 + 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr': + content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 14 + 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr': + content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 15 + 'Record Events that Modify the Systems Discretionary Access Controls - removexattr': + content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 16 + 'Record Events that Modify the Systems Discretionary Access Controls - setxattr': + content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 17 + 'Record Events that Modify User/Group Information - /etc/group': + content: '-w /etc/group -p wa -k audit_rules_usergroup_modification' + order : 18 + 'Record Events that Modify User/Group Information - /etc/passwd': + content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification' + order : 19 + 'Record Events that Modify User/Group Information - /etc/gshadow': + content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification' + order : 20 + 'Record Events that Modify User/Group Information - /etc/shadow': + content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification' + order : 21 + 'Record Events that Modify User/Group Information - /etc/opasswd': + content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification' + order : 22 + 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname': + content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification' + order : 23 + 'Record Events that Modify the Systems Network Environment - /etc/issue': + content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification' + order : 24 + 'Record Events that Modify the Systems Network Environment - /etc/issue.net': + content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification' + order : 25 + 'Record Events that Modify the Systems Network Environment - /etc/hosts': + content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification' + order : 26 + 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network': + content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification' + order : 27 + 'Record Events that Modify the Systems Mandatory Access Controls': + content: '-w /etc/selinux/ -p wa -k MAC-policy' + order : 28 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + order : 29 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + order : 30 + 'Ensure auditd Collects Information on the Use of Privileged Commands': + content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged' + order : 31 + 'Ensure auditd Collects Information on Exporting to Media (successful)': + content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export' + order : 32 + 'Ensure auditd Collects File Deletion Events by User': + content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + order : 33 + 'Ensure auditd Collects System Administrator Actions': + content: '-w /etc/sudoers -p wa -k actions' + order : 34 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)': + content: '-w /usr/sbin/insmod -p x -k modules' + order : 35 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)': + content: '-w /usr/sbin/rmmod -p x -k modules' + order : 36 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)': + content: '-w /usr/sbin/modprobe -p x -k modules' + order : 37 -- cgit 1.2.3-korg