Create experimental auditd configuration

playbooks/auditd.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: services-*.pve.auro.re
+  roles:
+    - auditd
+...
+

roles/auditd/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart auditd
+  systemd:
+    name: auditd.service
+    state: restarted
+
+- name: Reload auditd rules
+  command:
+    cmd: augenrules --load
+...

roles/auditd/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Install auditd
+  apt:
+    name:
+      - auditd
+      - audispd-plugins
+
+- name: Configure auditd and auditsp
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/audit/{{ item }}"
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  loop:
+    - auditd.conf
+    - plugins.d/syslog.conf
+    - plugins.d/au-remote.conf
+    - plugins.d/af_unix.conf
+    - plugins.d/audispd-zos-remote.conf
+  notify: Restart auditd
+
+- name: Configure auditd rules
+  template:
+    src: rules.d/audit.rules.j2
+    dest: /etc/audit/rules.d/audit.rules
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  notify: Reload auditd rules
+
+- name: Enable auditd
+  systemd:
+    name: auditd.service
+    enabled: true
+    state: started
+...

roles/auditd/templates/auditd.conf.j2

@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+
+local_events = yes
+write_logs = no
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+distribute_network = no
+q_depth = 400
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d

roles/auditd/templates/plugins.d/af_unix.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no

roles/auditd/templates/plugins.d/au-remote.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no

roles/auditd/templates/plugins.d/audispd-zos-remote.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no

roles/auditd/templates/plugins.d/syslog.conf.j2

@@ -0,0 +1,8 @@
+{{ ansible_managed | comment }}
+
+active = yes
+direction = out
+path = /sbin/audisp-syslog
+type = always
+args = LOG_INFO LOG_LOCAL6
+format = string

roles/auditd/templates/rules.d/audit.rules.j2

@@ -0,0 +1,61 @@
+{{ ansible_managed | comment }}
+
+-D
+
+-b 8192
+--backlog_wait_time 60000
+-f 1
+
+# Configuration changes
+-w /etc/ -p wa -k etc
+
+# Usage of auditd tools
+-w /sbin/auditctl -p x -k audit_tools
+-w /sbin/auditd -p x -k audit_tools
+-w /usr/sbin/augenrules -p x -k audit_tools
+
+# Modules changes
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
+-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
+
+# Mount
+-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount
+-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount
+
+# Swap
+-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
+
+# Ptrace
+-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b32 -S ptrace -k tracing
+-a always,exit -F arch=b64 -S ptrace -k tracing
+
+# Unauthorized file accesses
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
+
+# Unauthorized file creations
+-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
+
+# Unauthorized file modifications
+-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
+
+# Usage of 32 bit syscalls
+-a always,exit -F arch=b32 -S all -k 32bit_api