WIP: Use auditd #81

Draft
jeltz wants to merge 3 commits from auditd into master
9 changed files with 158 additions and 0 deletions

playbooks/auditd.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts: services-*.pve.auro.re
roles:
- auditd
...
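Review bot: The play sets no `become: true`, yet the auditd role installs packages and writes root-owned 0400 files under /etc/audit, so it only works if privilege escalation is configured globally (ansible.cfg or inventory), which this page does not show. Making the requirement explicit in the play itself avoids a confusing permission failure on a fresh checkout: `- hosts: services-*.pve.auro.re` / `  become: true` / `  roles:`. The `*` inside the `hosts` pattern is safe as a plain scalar because the alias sigil only matters at the start of a value.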


@ -0,0 +1,10 @@
---
- name: Restart auditd
systemd:
name: auditd.service
state: restarted
- name: Reload auditd rules
command:
cmd: augenrules --load
...
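Review bot: The `Reload auditd rules` handler runs `augenrules --load`, which cannot take effect once the rules have been locked with `-e 2`; the rules template in this commit does not lock them, so today this only deserves a comment above the handler, e.g. `# Rules cannot be reloaded after -e 2 is set; a reboot is required then`. When both handlers are notified in one play, `Restart auditd` runs first and, if I recall the Debian unit correctly, it already runs augenrules as an ExecStartPost step, so the second handler reloads the same rules a second time; harmless, but worth a comment so nobody reorders the handlers thinking the reload is required after the restart.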


@ -0,0 +1,37 @@
---
- name: Install auditd
apt:
name:
- auditd
- audispd-plugins
- name: Configure auditd and auditsp
template:
src: "{{ item }}.j2"
dest: "/etc/audit/{{ item }}"
owner: root
group: root
mode: u=r,g=,o=
loop:
- auditd.conf
- plugins.d/syslog.conf
- plugins.d/au-remote.conf
- plugins.d/af_unix.conf
- plugins.d/audispd-zos-remote.conf
notify: Restart auditd
- name: Configure auditd rules
template:
src: rules.d/audit.rules.j2
dest: /etc/audit/rules.d/audit.rules
owner: root
group: root
mode: u=r,g=,o=
notify: Reload auditd rules
- name: Enable auditd
systemd:
name: auditd.service
enabled: true
state: started
...
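Review bot: `Configure auditd and auditsp` misspells audispd in the task name; since task names are what shows up in play output and change logs, `- name: Configure auditd and audispd plugins` reads better. The `apt` task relies on the module's implicit default state; adding `state: present` under `apt:` makes the intent explicit and survives a future change of defaults. The two template tasks install the files as root with mode 0400, which is appropriate for audit configuration, so no change is needed there.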


@ -0,0 +1,26 @@
{{ ansible_managed | comment }}
local_events = yes
write_logs = no
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
distribute_network = no
q_depth = 400
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
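Review bot: `write_logs = no` means auditd keeps no local log file, so the only record of events is whatever the audisp syslog plugin forwards, and `q_depth = 400` with `overflow_action = SYSLOG` means that once the dispatcher queue fills, the overflowing events are dropped and only a notice about the overflow is logged. With the broad rules in this commit (a `wa` watch on all of /etc and every 32-bit syscall), bursts larger than 400 queued events are plausible, so either raise `q_depth` (a few thousand is a constructed starting point) or, if loss is not acceptable, keep a local log with `write_logs = yes` as a fallback. Because there is no local log, `max_log_file`, `num_logs`, the `space_left*` / `admin_space_left*` pairs and the `disk_*_action` settings are probably inactive; a comment such as `# write_logs = no: only the syslog plugin persists events; log-file settings below are inactive` would save the next reader from tuning them.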


@ -0,0 +1,3 @@
{{ ansible_managed | comment }}
active = no


@ -0,0 +1,3 @@
{{ ansible_managed | comment }}
active = no


@ -0,0 +1,3 @@
{{ ansible_managed | comment }}
active = no


@ -0,0 +1,8 @@
{{ ansible_managed | comment }}
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string
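Review bot: Events are sent to facility LOG_LOCAL6 at LOG_INFO, but the commit contains no matching syslog routing rule, so unless local6 is already forwarded elsewhere the records presumably end up in the default syslog file on the same host whose activity they describe, where a local root can edit them; a comment naming where local6 is consumed, or an rsyslog rule forwarding it to the central collector, belongs with this change. Since auditd.conf in this commit sets `log_format = ENRICHED`, records get long, and syslog daemons truncate messages at their configured maximum size (rsyslog's default is 8 KiB, some daemons are smaller), so the size limit on the receiving side should be checked against the largest expected record.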


@ -0,0 +1,61 @@
{{ ansible_managed | comment }}
-D
-b 8192
--backlog_wait_time 60000
-f 1
# Configuration changes
-w /etc/ -p wa -k etc
# Usage of auditd tools
-w /sbin/auditctl -p x -k audit_tools
-w /sbin/auditd -p x -k audit_tools
-w /usr/sbin/augenrules -p x -k audit_tools
# Modules changes
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
# Mount
-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount
# Swap
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
# Ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
# Unauthorized file accesses
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
# Unauthorized file creations
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
# Unauthorized file modifications
-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
# Usage of 32 bit syscalls
-a always,exit -F arch=b32 -S all -k 32bit_api