This repository has been archived by the owner on Feb 29, 2024. It is now read-only.
Commit
This patch allows the management of the AuditD service and its associated files (such as `audit.rules`). This is achieved by means of the `puppet-auditd` puppet module. Also places ssh banner capabilities map on top of patch.

Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
Steven Hardy authored and lhinds committed Jan 27, 2017
1 parent c349789; commit afdc138
Showing 6 changed files with 184 additions and 0 deletions.
@@ -0,0 +1,119 @@ | ||
resource_registry: | ||
OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml | ||
|
||
parameter_defaults: | ||
AuditdRules: | ||
'Record attempts to alter time through adjtimex': | ||
content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules' | ||
order : 1 | ||
'Record attempts to alter time through settimeofday': | ||
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules' | ||
order : 2 | ||
'Record Attempts to Alter Time Through stime': | ||
content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules' | ||
order : 3 | ||
'Record Attempts to Alter Time Through clock_settime': | ||
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules' | ||
order : 4 | ||
'Record Attempts to Alter the localtime File': | ||
content: '-w /etc/localtime -p wa -k audit_time_rules' | ||
order : 5 | ||
'Record Events that Modify the Systems Discretionary Access Controls - chmod': | ||
content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 5 | ||
'Record Events that Modify the Systems Discretionary Access Controls - chown': | ||
content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 6 | ||
'Record Events that Modify the Systems Discretionary Access Controls - fchmod': | ||
content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 7 | ||
'Record Events that Modify the Systems Discretionary Access Controls - fchmodat': | ||
content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 8 | ||
'Record Events that Modify the Systems Discretionary Access Controls - fchown': | ||
content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 9 | ||
'Record Events that Modify the Systems Discretionary Access Controls - fchownat': | ||
content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 10 | ||
'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr': | ||
content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 11 | ||
'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr': | ||
content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 12 | ||
'Record Events that Modify the Systems Discretionary Access Controls - lchown': | ||
content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 13 | ||
'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr': | ||
content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 14 | ||
'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr': | ||
content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 15 | ||
'Record Events that Modify the Systems Discretionary Access Controls - removexattr': | ||
content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 16 | ||
'Record Events that Modify the Systems Discretionary Access Controls - setxattr': | ||
content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' | ||
order : 17 | ||
'Record Events that Modify User/Group Information - /etc/group': | ||
content: '-w /etc/group -p wa -k audit_rules_usergroup_modification' | ||
order : 18 | ||
'Record Events that Modify User/Group Information - /etc/passwd': | ||
content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification' | ||
order : 19 | ||
'Record Events that Modify User/Group Information - /etc/gshadow': | ||
content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification' | ||
order : 20 | ||
'Record Events that Modify User/Group Information - /etc/shadow': | ||
content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification' | ||
order : 21 | ||
'Record Events that Modify User/Group Information - /etc/opasswd': | ||
content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification' | ||
order : 22 | ||
'Record Events that Modify the Systems Network Environment - sethostname / setdomainname': | ||
content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification' | ||
order : 23 | ||
'Record Events that Modify the Systems Network Environment - /etc/issue': | ||
content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification' | ||
order : 24 | ||
'Record Events that Modify the Systems Network Environment - /etc/issue.net': | ||
content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification' | ||
order : 25 | ||
'Record Events that Modify the Systems Network Environment - /etc/hosts': | ||
content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification' | ||
order : 26 | ||
'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network': | ||
content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification' | ||
order : 27 | ||
'Record Events that Modify the Systems Mandatory Access Controls': | ||
content: '-w /etc/selinux/ -p wa -k MAC-policy' | ||
order : 28 | ||
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)': | ||
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' | ||
order : 29 | ||
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)': | ||
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' | ||
order : 30 | ||
'Ensure auditd Collects Information on the Use of Privileged Commands': | ||
content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged' | ||
order : 31 | ||
'Ensure auditd Collects Information on Exporting to Media (successful)': | ||
content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export' | ||
order : 32 | ||
'Ensure auditd Collects File Deletion Events by User': | ||
content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' | ||
order : 33 | ||
'Ensure auditd Collects System Administrator Actions': | ||
content: '-w /etc/sudoers -p wa -k actions' | ||
order : 34 | ||
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)': | ||
content: '-w /usr/sbin/insmod -p x -k modules' | ||
order : 35 | ||
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)': | ||
content: '-w /usr/sbin/rmmod -p x -k modules' | ||
order : 36 | ||
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)': | ||
content: '-w /usr/sbin/modprobe -p x -k modules' | ||
order : 37 |
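Review bot: the privileged-command rule at order 31 cannot load as written, because `-F path=SETUID_PROG_PATH -F perm=x` carries a literal placeholder instead of a file path; this entry needs to be expanded into one rule per setuid/setgid binary present on the overcloud image (for example `-F path=/usr/bin/sudo`), or dropped until that list is generated, otherwise a single bad line makes `auditctl -R` stop at that point. Two more problems in the same map: the `stime` rule at order 3 is pinned to `-F arch=b64`, but `stime` only exists in the 32-bit syscall table on x86_64, so auditctl rejects it with a "Syscall name unknown" error; it should be `-F arch=b32` (and the other time and perm_mod rules need `arch=b32` twins if 32-bit callers are meant to be covered, since the b64 rules alone do not see them). Also the `localtime` watch and the `chmod` rule both carry `order : 5`; if `order` drives concat fragment ordering those two collide, so renumber from the chmod entry onward. Finally nothing in this rule set locks the configuration (`-e 2` as the last fragment), so the rules stay editable at runtime.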
@@ -0,0 +1,34 @@ | ||
heat_template_version: ocata | ||
|
||
description: > | ||
AuditD configured with Puppet | ||
parameters: | ||
ServiceNetMap: | ||
default: {} | ||
description: Mapping of service_name -> network name. Typically set | ||
via parameter_defaults in the resource registry. This | ||
mapping overrides those in ServiceNetMapDefaults. | ||
type: json | ||
DefaultPasswords: | ||
default: {} | ||
type: json | ||
EndpointMap: | ||
default: {} | ||
description: Mapping of service endpoint -> protocol. Typically set | ||
via parameter_defaults in the resource registry. | ||
type: json | ||
AuditdRules: | ||
description: Mapping of auditd rules | ||
type: json | ||
default: {} | ||
|
||
outputs: | ||
role_data: | ||
description: Role data for the auditd service | ||
value: | ||
service_name: auditd | ||
config_settings: | ||
auditd::rules: {get_param: AuditdRules} | ||
step_config: | | ||
include ::tripleo::profile::base::auditd |
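Review bot: the service template threads only the rule map through (`auditd::rules: {get_param: AuditdRules}`) and exposes nothing for the daemon's own `auditd.conf` settings, so an operator has no way to set `space_left_action`, `admin_space_left_action` or `max_log_file_action` from the heat parameters, and those decide whether the host keeps logging, stops, or halts when the audit partition fills; consider adding a second json parameter mapped to the module's config settings next to `auditd::rules`. Minor: `description` spells the service `AuditD` while `service_name` is `auditd`; use one spelling.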
@@ -0,0 +1,9 @@ | ||
--- | ||
features: | ||
- | | ||
Adds the ability to manage auditd.service and enter audit.rules via tripleo | ||
heat templates. This in turn enforces an audit log of system events, such | ||
as system time changes, modifications to Discretionary Access Controls, | ||
Failed login attempts. | ||
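Review bot: the note promises coverage of "Failed login attempts", but no rule in the shipped environment watches the login accounting files (`/var/log/faillog`, `/var/log/lastlog`, `/var/log/tallylog`) or any PAM/sshd source; either remove that item or add the matching `-w <file> -p wa -k logins` rules to the rule map. "This in turn enforces an audit log" also overstates what the change does: the rules make auditd record these events, nothing here makes them immutable or acts on them, so "records" is the accurate verb. Style: the trailing list ("system time changes, modifications to Discretionary Access Controls, Failed login attempts.") reads as a fragment with a stray capital; lowercase "Failed" and end the sentence with "and".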