From 8ff6c9e6a0c06319f5d3d75fb5d466e29359d09c Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 12 Dec 2021 08:38:07 +0100 Subject: [PATCH] Create experimental auditd configuration --- playbooks/auditd.yml | 7 +++ roles/auditd/handlers/main.yml | 10 +++ roles/auditd/tasks/main.yml | 37 +++++++++++ roles/auditd/templates/auditd.conf.j2 | 26 ++++++++ .../templates/plugins.d/af_unix.conf.j2 | 3 + .../templates/plugins.d/au-remote.conf.j2 | 3 + .../plugins.d/audispd-zos-remote.conf.j2 | 3 + .../auditd/templates/plugins.d/syslog.conf.j2 | 8 +++ roles/auditd/templates/rules.d/audit.rules.j2 | 61 +++++++++++++++++++ 9 files changed, 158 insertions(+) create mode 100755 playbooks/auditd.yml create mode 100644 roles/auditd/handlers/main.yml create mode 100644 roles/auditd/tasks/main.yml create mode 100644 roles/auditd/templates/auditd.conf.j2 create mode 100644 roles/auditd/templates/plugins.d/af_unix.conf.j2 create mode 100644 roles/auditd/templates/plugins.d/au-remote.conf.j2 create mode 100644 roles/auditd/templates/plugins.d/audispd-zos-remote.conf.j2 create mode 100644 roles/auditd/templates/plugins.d/syslog.conf.j2 create mode 100644 roles/auditd/templates/rules.d/audit.rules.j2 diff --git a/playbooks/auditd.yml b/playbooks/auditd.yml new file mode 100755 index 0000000..dd6012e --- /dev/null +++ b/playbooks/auditd.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: services-*.pve.auro.re + roles: + - auditd +... + diff --git a/roles/auditd/handlers/main.yml b/roles/auditd/handlers/main.yml new file mode 100644 index 0000000..ad7e63a --- /dev/null +++ b/roles/auditd/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: Restart auditd + systemd: + name: auditd.service + state: restarted + +- name: Reload auditd rules + command: + cmd: augenrules --load +... diff --git a/roles/auditd/tasks/main.yml b/roles/auditd/tasks/main.yml new file mode 100644 index 0000000..43ca4e5 --- /dev/null +++ b/roles/auditd/tasks/main.yml @@ -0,0 +1,37 @@ +--- +- name: Install auditd + apt: + name: + - auditd + - audispd-plugins + +- name: Configure auditd and auditsp + template: + src: "{{ item }}.j2" + dest: "/etc/audit/{{ item }}" + owner: root + group: root + mode: u=r,g=,o= + loop: + - auditd.conf + - plugins.d/syslog.conf + - plugins.d/au-remote.conf + - plugins.d/af_unix.conf + - plugins.d/audispd-zos-remote.conf + notify: Restart auditd + +- name: Configure auditd rules + template: + src: rules.d/audit.rules.j2 + dest: /etc/audit/rules.d/audit.rules + owner: root + group: root + mode: u=r,g=,o= + notify: Reload auditd rules + +- name: Enable auditd + systemd: + name: auditd.service + enabled: true + state: started +... diff --git a/roles/auditd/templates/auditd.conf.j2 b/roles/auditd/templates/auditd.conf.j2 new file mode 100644 index 0000000..a75c1bb --- /dev/null +++ b/roles/auditd/templates/auditd.conf.j2 @@ -0,0 +1,26 @@ +{{ ansible_managed | comment }} + +local_events = yes +write_logs = no +log_format = ENRICHED +flush = INCREMENTAL_ASYNC +freq = 50 +max_log_file = 8 +num_logs = 5 +priority_boost = 4 +name_format = NONE +max_log_file_action = ROTATE +space_left = 75 +space_left_action = SYSLOG +verify_email = yes +action_mail_acct = root +admin_space_left = 50 +admin_space_left_action = SUSPEND +disk_full_action = SUSPEND +disk_error_action = SUSPEND +use_libwrap = yes +distribute_network = no +q_depth = 400 +overflow_action = SYSLOG +max_restarts = 10 +plugin_dir = /etc/audit/plugins.d diff --git a/roles/auditd/templates/plugins.d/af_unix.conf.j2 b/roles/auditd/templates/plugins.d/af_unix.conf.j2 new file mode 100644 index 0000000..6299f0d --- /dev/null +++ b/roles/auditd/templates/plugins.d/af_unix.conf.j2 @@ -0,0 +1,3 @@ +{{ ansible_managed | comment }} + +active = no diff --git a/roles/auditd/templates/plugins.d/au-remote.conf.j2 b/roles/auditd/templates/plugins.d/au-remote.conf.j2 new file mode 100644 index 0000000..6299f0d --- /dev/null +++ b/roles/auditd/templates/plugins.d/au-remote.conf.j2 @@ -0,0 +1,3 @@ +{{ ansible_managed | comment }} + +active = no diff --git a/roles/auditd/templates/plugins.d/audispd-zos-remote.conf.j2 b/roles/auditd/templates/plugins.d/audispd-zos-remote.conf.j2 new file mode 100644 index 0000000..6299f0d --- /dev/null +++ b/roles/auditd/templates/plugins.d/audispd-zos-remote.conf.j2 @@ -0,0 +1,3 @@ +{{ ansible_managed | comment }} + +active = no diff --git a/roles/auditd/templates/plugins.d/syslog.conf.j2 b/roles/auditd/templates/plugins.d/syslog.conf.j2 new file mode 100644 index 0000000..6d2f534 --- /dev/null +++ b/roles/auditd/templates/plugins.d/syslog.conf.j2 @@ -0,0 +1,8 @@ +{{ ansible_managed | comment }} + +active = yes +direction = out +path = /sbin/audisp-syslog +type = always +args = LOG_INFO LOG_LOCAL6 +format = string diff --git a/roles/auditd/templates/rules.d/audit.rules.j2 b/roles/auditd/templates/rules.d/audit.rules.j2 new file mode 100644 index 0000000..b4aadf9 --- /dev/null +++ b/roles/auditd/templates/rules.d/audit.rules.j2 @@ -0,0 +1,61 @@ +{{ ansible_managed | comment }} + +-D + +-b 8192 +--backlog_wait_time 60000 +-f 1 + +# Configuration changes +-w /etc/ -p wa -k etc + +# Usage of auditd tools +-w /sbin/auditctl -p x -k audit_tools +-w /sbin/auditd -p x -k audit_tools +-w /usr/sbin/augenrules -p x -k audit_tools + +# Modules changes +-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules +-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules +-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules +-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules +-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules + +# Mount +-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount +-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount + +# Swap +-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap +-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap + +# Ptrace +-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection +-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection +-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection +-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection +-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection +-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection +-a always,exit -F arch=b32 -S ptrace -k tracing +-a always,exit -F arch=b64 -S ptrace -k tracing + +# Unauthorized file accesses +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access + +# Unauthorized file creations +-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation +-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation +-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation +-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation + +# Unauthorized file modifications +-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification +-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification +-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification +-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification + +# Usage of 32 bit syscalls +-a always,exit -F arch=b32 -S all -k 32bit_api