
Add AuditD composable service

This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)

This is achieved by means of the `puppet-auditd` puppet module.

Also places the ssh banner capabilities-map entry on top of this patch.

Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
hardys authored and lukehinds committed Jan 18, 2017
1 parent c349789 commit afdc138987db8246be1f3a0948967f10c3011bb8
@@ -541,6 +541,14 @@ topics:
- title: Security Options
description: Security Hardening Options
environment_groups:
- title: SSH Banner Text
description: Enables population of SSH Banner Text
environments:
- file: environments/sshd-banner.yaml
title: SSH Banner Text
description:
requires:
- overcloud-resource-registry-puppet.yaml
- title: Horizon Password Validation
description: Enable Horizon Password validation
environments:
@@ -549,3 +557,11 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml
- title: AuditD Rules
description: Management of AuditD rules
environments:
- file: environments/auditd.yaml
title: AuditD Rule Management
description:
requires:
- overcloud-resource-registry-puppet.yaml
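Review bot: The new SSH Banner Text environment entry leaves `description:` bare, which parses as null rather than an empty string, and the AuditD Rule Management entry in the second hunk does the same. If a blank is intended, make it explicit with `description: ''`; better, reuse the one-line text already given for each group, e.g. `description: Management of AuditD rules` for the AuditD entry and `description: Enables population of SSH Banner Text` for the banner entry. The enclosing `topics` mapping starts outside the hunk.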
@@ -0,0 +1,119 @@
resource_registry:
OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
parameter_defaults:
AuditdRules:
'Record attempts to alter time through adjtimex':
content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
order : 1
'Record attempts to alter time through settimeofday':
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
order : 2
'Record Attempts to Alter Time Through stime':
content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
order : 3
'Record Attempts to Alter Time Through clock_settime':
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
order : 4
'Record Attempts to Alter the localtime File':
content: '-w /etc/localtime -p wa -k audit_time_rules'
order : 5
'Record Events that Modify the Systems Discretionary Access Controls - chmod':
content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 5
'Record Events that Modify the Systems Discretionary Access Controls - chown':
content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 6
'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 7
'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 8
'Record Events that Modify the Systems Discretionary Access Controls - fchown':
content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 9
'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 10
'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 11
'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 12
'Record Events that Modify the Systems Discretionary Access Controls - lchown':
content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 13
'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 14
'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 15
'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 16
'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 17
'Record Events that Modify User/Group Information - /etc/group':
content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
order : 18
'Record Events that Modify User/Group Information - /etc/passwd':
content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
order : 19
'Record Events that Modify User/Group Information - /etc/gshadow':
content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
order : 20
'Record Events that Modify User/Group Information - /etc/shadow':
content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
order : 21
'Record Events that Modify User/Group Information - /etc/opasswd':
content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
order : 22
'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
order : 23
'Record Events that Modify the Systems Network Environment - /etc/issue':
content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
order : 24
'Record Events that Modify the Systems Network Environment - /etc/issue.net':
content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
order : 25
'Record Events that Modify the Systems Network Environment - /etc/hosts':
content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
order : 26
'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
order : 27
'Record Events that Modify the Systems Mandatory Access Controls':
content: '-w /etc/selinux/ -p wa -k MAC-policy'
order : 28
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
order : 29
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
order : 30
'Ensure auditd Collects Information on the Use of Privileged Commands':
content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
order : 31
'Ensure auditd Collects Information on Exporting to Media (successful)':
content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
order : 32
'Ensure auditd Collects File Deletion Events by User':
content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
order : 33
'Ensure auditd Collects System Administrator Actions':
content: '-w /etc/sudoers -p wa -k actions'
order : 34
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
content: '-w /usr/sbin/insmod -p x -k modules'
order : 35
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
content: '-w /usr/sbin/rmmod -p x -k modules'
order : 36
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
content: '-w /usr/sbin/modprobe -p x -k modules'
order : 37
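Review bot: The privileged-commands rule `content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x ...'` (order 31) writes a literal placeholder path into audit.rules; auditctl normally rejects a `-F path=` whose target does not exist, and depending on how the module loads the file that one bad line may stop the remaining rules from loading, so the entry should be dropped until a real setuid program path is supplied. Likewise, `stime` is only present in the 32-bit syscall table on x86_64, so `-F arch=b64 -S stime` (order 3) is likely rejected at load time, and since every syscall rule here is `arch=b64` only, calls made through the 32-bit ABI are not audited at all; the usual hardening guidance pairs each syscall rule with an `arch=b32` twin. Two entries share `order : 5` (the `/etc/localtime` watch and the `chmod` rule) while every other order value is unique, which looks like a numbering slip — the chmod rule presumably wanted `order : 6` with the following entries shifted by one. As a point of style, every entry writes `order : N` with a space before the colon, which yamllint's `colons` rule flags; `order: N` is the conventional form.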
@@ -240,6 +240,7 @@ resource_registry:
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
OS::TripleO::Services::Etcd: OS::Heat::None
OS::TripleO::Services::Ec2Api: OS::Heat::None
OS::TripleO::Services::AuditD: OS::Heat::None
parameter_defaults:
EnablePackageInstall: false
@@ -0,0 +1,34 @@
heat_template_version: ocata
description: >
AuditD configured with Puppet
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
AuditdRules:
description: Mapping of auditd rules
type: json
default: {}
outputs:
role_data:
description: Role data for the auditd service
value:
service_name: auditd
config_settings:
auditd::rules: {get_param: AuditdRules}
step_config: |
include ::tripleo::profile::base::auditd
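Review bot: `DefaultPasswords` is the only parameter in the new template without a `description`, unlike `ServiceNetMap` and `EndpointMap`; add one in the same form as its neighbours, e.g. `description: Mapping of service -> default password. Typically set via parameter_defaults in the resource registry.` `AuditdRules` is described only as `Mapping of auditd rules`, yet its value is passed straight through as `auditd::rules`, so the expected shape is worth stating: `description: Mapping of rule name -> {content, order}, passed through to auditd::rules (see environments/auditd.yaml for examples)`. Both are documentation-only changes.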
@@ -0,0 +1,9 @@
---
features:
- |
Adds the ability to manage auditd.service and enter audit.rules via tripleo
heat templates. This in turn enforces an audit log of system events, such
as system time changes, modifications to Discretionary Access Controls,
Failed login attempts.
@@ -112,6 +112,7 @@
- OS::TripleO::Services::NeutronML2FujitsuFossw
- OS::TripleO::Services::CinderHPELeftHandISCSI
- OS::TripleO::Services::Etcd
- OS::TripleO::Services::AuditD
- name: Compute
CountDefault: 1
@@ -139,6 +140,7 @@
- OS::TripleO::Services::OpenDaylightOvs
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: BlockStorage
ServicesDefault:
@@ -153,6 +155,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: ObjectStorage
disable_upgrade_deployment: True
@@ -169,6 +172,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: CephStorage
disable_upgrade_deployment: True
@@ -184,3 +188,4 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
