Follows the upstream documentation. Includes tunable settings to comply with OSPP. Includes PCI-DSS V3.1 ruleset.
These two blog posts provide a nice intro into the audit system:
None. The required packages are managed by the role. Possible integrations and extensions include:
- From
defaults/main.yml
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
security_package_state: present
# Send audit records to a different system using audisp.
# security_audisp_remote_server: '10.0.21.1' # V-72083
# Encrypt audit records when they are transmitted over the network.
# security_audisp_enable_krb5: 'yes' # V-72085
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1 # V-72081
# Set the action to take when the disk is full or network events cannot be sent.
security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts.
#security_rhel7_auditd_space_left: >
# {%- if 'docker' not in ansible_virtualization_type | default('False') | bool %}
# {{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
# {# V-72089 #}
# {%- else %}
# 500
# {%- endif %}
security_rhel7_auditd_space_left: 500
# Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user.
security_rhel7_auditd_action_mail_acct: root # V-72093
# Add dont-audit rules for commands/syscalls.
security_rhel7_audit_dont_audit_cron: 'yes'
security_rhel7_audit_dont_audit_chrony: 'yes'
security_rhel7_audit_dont_audit_crypto_key_user: 'yes'
# Add audit rules for grouped syscalls.
security_rhel7_audit_file_deletion_events_by_user: 'yes'
security_rhel7_audit_unauthorized_creation_attempts_to_files: 'yes'
security_rhel7_audit_unauthorized_modification_attempts_to_files: 'yes'
security_rhel7_audit_unsuccessul_delete_attempts_to_files: 'yes'
security_rhel7_audit_unsuccessul_permission_changes_to_files: 'yes'
security_rhel7_audit_unsuccessul_ownership_changes_to_files: 'yes'
security_rhel7_audit_unauthorized_access_attempts_to_files: 'yes'
# Add audit rules for privileged commands
security_rhel7_audit_privileged_commands: 'yes' # V-72149
security_rhel7_audit_at: 'yes' # FAU_GEN.1.1.c
security_rhel7_audit_chage: 'yes' # V-72155
security_rhel7_audit_chsh: 'yes' # V-72167
security_rhel7_audit_chcon: 'yes' # V-72139
security_rhel7_audit_crontab: 'yes' # V-72183
security_rhel7_audit_delete_module: 'yes' # V-72189
security_rhel7_audit_gpasswd: 'yes' # V-72153
security_rhel7_audit_init_module: 'yes' # V-72187
security_rhel7_audit_mount: 'yes' # V-72171
security_rhel7_audit_newgidmap: 'yes' # FAU_GEN.1.1.c
security_rhel7_audit_newgrp: 'yes' # V-72165
security_rhel7_audit_newuidmap: 'yes' # FAU_GEN.1.1.c
security_rhel7_audit_pam_timestamp_check: 'yes' # V-72185
security_rhel7_audit_passwd: 'yes' # V-72149
security_rhel7_audit_postdrop: 'yes' # V-72175
security_rhel7_audit_postqueue: 'yes' # V-72177
security_rhel7_audit_pt_chown: 'yes' # V-72181
security_rhel7_audit_restorecon: 'yes' # V-72141
security_rhel7_audit_rmdir: 'yes' # V-72203
security_rhel7_audit_semanage: 'yes' # V-72135
security_rhel7_audit_setsebool: 'yes' # V-72137
security_rhel7_audit_seunshare: 'yes' # V-72111
security_rhel7_audit_ssh_keysign: 'yes' # V-72179
security_rhel7_audit_su: 'yes' # V-72159
security_rhel7_audit_sudo: 'yes' # V-72161
security_rhel7_audit_sudoedit: 'yes' # V-72169
security_rhel7_audit_umount: 'yes' # V-72173
security_rhel7_audit_unix_chkpwd: 'yes' # V-72151
security_rhel7_audit_userhelper: 'yes' # V-72157
security_rhel7_audit_usernetctl: 'yes' # FAU_GEN.1.1.c
# Add audit rules for other events.
security_rhel7_audit_account_access: 'yes' # V-72143
security_rhel7_audit_sudo_config_changes: 'yes' # V-72163
security_rhel7_audit_insmod: 'yes' # V-72191
security_rhel7_audit_rmmod: 'yes' # V-72193
security_rhel7_audit_modprobe: 'yes' # V-72195
security_rhel7_audit_account_actions: 'yes' # V-72197
security_rhel7_audit_32bit: 'yes'
security_rhel7_audit_log_access_modifications: 'yes' # FAU_GEN.1.1.c
- From
vars/main.yml
auditd_config
This variable is used in tasks/main.yml to configure auditd and audisp
Each dictionary has this structure:
command: the command/syscall to audit (required)
stig_id: the number/ID from the STIG (required)
arch_specific: 'yes' if the rule depends on the architecture type,
otherwise 'no' (required)
path: the path to the command (optional, default is '/usr/bin')
distro: restrict deployment to a single Linux distribution (optional,
should be equal to 'ansible_os_family | lower', such as 'redhat'
auditd_config:
- parameter: disk_full_action
value: "{{ security_rhel7_auditd_disk_full_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: network_failure_action
value: "{{ security_rhel7_auditd_network_failure_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: space_left
value: "{{ security_rhel7_auditd_space_left }}"
config: /etc/audit/auditd.conf
- parameter: space_left_action
value: "{{ security_rhel7_auditd_space_left_action }}"
config: /etc/audit/auditd.conf
- parameter: action_mail_acct
value: "{{ security_rhel7_auditd_action_mail_acct }}"
config: /etc/audit/auditd.conf
audited_commands
This variable is used in tasks/main.yml to deploy auditd rules
for various commands and syscalls.
Each dictionary has this structure:
command: the command/syscall to audit (required)
path: the path to the command (optional, default is '/usr/bin')
auid: value for audit
distro: restrict deployment to a single Linux distribution (optional,
should be equal to 'ansible_os_family | lower', such as 'redhat'
audited_commands:
- command: chsh
None.
Example of how to use this role:
- hosts: servers
roles:
- { role: ansible-os-hardening-audit }
This repository uses
git-flow.
To contribute to the role, create a new feature branch (feature/foo_bar_baz
),
write Molecule tests for
the new functionality
and submit a pull request targeting the develop
branch.
Happy hacking!
Apache 2.0, as this work is derived from OpenStack's ansible-hardening role.