WIP: Use auditd #81
9 changed files with 158 additions and 0 deletions
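--- a/playbooks/auditd.yml
+++ b/playbooks/auditd.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: services-*.pve.auro.re
+  roles:
+    - auditd
+...
+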
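Review bot: The play sets no `become: true`, yet the auditd role it applies installs packages with apt and writes under /etc/audit, both of which need root; unless the inventory or ansible.cfg for `services-*.pve.auro.re` already turns privilege escalation on, add `become: true` under `- hosts:`. The host pattern is a plain glob, so every host matching it receives the full rule set, including the watch on all of /etc/ and the catch-all rule for 32-bit syscalls; a one-line comment above the play saying that this is the intended scope would save the next reader a look into the role.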
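--- a/roles/auditd/handlers/main.yml
+++ b/roles/auditd/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart auditd
+  systemd:
+    name: auditd.service
+    state: restarted
+
+- name: Reload auditd rules
+  command:
+    cmd: augenrules --load
+...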
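Review bot: `systemd: state: restarted` on auditd.service is refused on hosts whose unit carries `RefuseManualStop=yes` (the upstream audit unit does, and as far as I recall the Debian/Ubuntu packaged unit too), so the `Restart auditd` handler would abort the run the first time a template changes. Check a target with `systemctl show -p RefuseManualStop auditd.service`; if it reports `yes`, restart through the distribution's supported path (`command: cmd: service auditd restart`) or reconfigure without stopping the daemon by sending it SIGHUP, which auditd documents as re-reading auditd.conf. The `Reload auditd rules` handler is fine as written, but it only works while the audit configuration is not locked; if the rules file ever ends with `-e 2`, `augenrules --load` fails until the host reboots, which deserves a comment next to the handler.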
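--- a/roles/auditd/tasks/main.yml
+++ b/roles/auditd/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Install auditd
+  apt:
+    name:
+      - auditd
+      - audispd-plugins
+
+- name: Configure auditd and auditsp
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/audit/{{ item }}"
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  loop:
+    - auditd.conf
+    - plugins.d/syslog.conf
+    - plugins.d/au-remote.conf
+    - plugins.d/af_unix.conf
+    - plugins.d/audispd-zos-remote.conf
+  notify: Restart auditd
+
+- name: Configure auditd rules
+  template:
+    src: rules.d/audit.rules.j2
+    dest: /etc/audit/rules.d/audit.rules
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  notify: Reload auditd rules
+
+- name: Enable auditd
+  systemd:
+    name: auditd.service
+    enabled: true
+    state: started
+...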
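Review bot: The task name `Configure auditd and auditsp` misspells the dispatcher; rename it to `- name: Configure auditd and audispd`. The loop deploys `plugins.d/audispd-zos-remote.conf`, but this page shows no file header for that template (the three-line hunk rendered before syslog.conf.j2 has lost its name), so confirm `roles/auditd/templates/plugins.d/audispd-zos-remote.conf.j2` really is part of the commit, otherwise the template task fails on the first run. The two template tasks repeat `owner: root`, `group: root` and `mode: u=r,g=,o=`; keeping them separate is justified by the different handlers, but a comment on the second task saying the rules file is split off only so it can notify `Reload auditd rules` instead of a restart would make that intent explicit.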
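--- a/roles/auditd/templates/auditd.conf.j2
+++ b/roles/auditd/templates/auditd.conf.j2
@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+
+local_events = yes
+write_logs = no
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+distribute_network = no
+q_depth = 400
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d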
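Review bot: `write_logs = no` leaves no local /var/log/audit/audit.log, so every event exists only as long as the syslog plugin (plugins.d/syslog.conf.j2, `args = LOG_INFO LOG_LOCAL6`) hands it to the local syslog daemon and that daemon forwards LOCAL6 somewhere durable, yet nothing in this role configures that forwarding. Record the decision in the template, `# write_logs = no: no local audit.log; events only leave the host via the syslog plugin (LOCAL6), so the rsyslog rule routing LOCAL6 off-host is part of the audit trail`, and consider `write_logs = yes` with the `max_log_file`/`num_logs` values already present as a fallback for the time the collector is unreachable. With local logging off, `max_log_file*`, `num_logs`, `space_left*`, `admin_space_left*` and `disk_*_action` presumably have nothing to act on; if they are kept for a later switch back, a comment should say so. `q_depth = 400` together with `overflow_action = SYSLOG` means a burst larger than the plugin queue drops events with only a syslog line about it; given the watch on all of /etc/ and the catch-all 32-bit rule in audit.rules.j2, a larger depth is worth considering.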
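--- a/roles/auditd/templates/plugins.d/af_unix.conf.j2
+++ b/roles/auditd/templates/plugins.d/af_unix.conf.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no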
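--- a/roles/auditd/templates/plugins.d/au-remote.conf.j2
+++ b/roles/auditd/templates/plugins.d/au-remote.conf.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no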
@ -0,0 +1,3 @@
{{ ansible_managed | comment }}
active = no
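--- a/roles/auditd/templates/plugins.d/syslog.conf.j2
+++ b/roles/auditd/templates/plugins.d/syslog.conf.j2
@@ -0,0 +1,8 @@
+{{ ansible_managed | comment }}
+
+active = yes
+direction = out
+path = /sbin/audisp-syslog
+type = always
+args = LOG_INFO LOG_LOCAL6
+format = string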
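--- a/roles/auditd/templates/rules.d/audit.rules.j2
+++ b/roles/auditd/templates/rules.d/audit.rules.j2
@@ -0,0 +1,61 @@
+{{ ansible_managed | comment }}
+
+-D
+
+-b 8192
+--backlog_wait_time 60000
+-f 1
+
+# Configuration changes
+-w /etc/ -p wa -k etc
+
+# Usage of auditd tools
+-w /sbin/auditctl -p x -k audit_tools
+-w /sbin/auditd -p x -k audit_tools
+-w /usr/sbin/augenrules -p x -k audit_tools
+
+# Modules changes
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
+-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
+
+# Mount
+-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount
+-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount
+
+# Swap
+-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
+
+# Ptrace
+-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b32 -S ptrace -k tracing
+-a always,exit -F arch=b64 -S ptrace -k tracing
+
+# Unauthorized file accesses
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
+
+# Unauthorized file creations
+-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
+
+# Unauthorized file modifications
+-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
+
+# Usage of 32 bit syscalls
+-a always,exit -F arch=b32 -S all -k 32bit_api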
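Review bot: The file never sets the enable flag after the last rule, so whether the rule set stays changeable is left to auditd's startup default; state it explicitly, either `-e 1` (rules remain reloadable, which the `Reload auditd rules` handler depends on) or `-e 2` (configuration immutable until reboot, which hardening baselines expect but which makes that handler and every later template change fail until the host reboots). Since this is marked WIP, I would append `-e 1` now with a comment naming the trade-off and move to `-e 2` once the rule set has settled. In the `# Ptrace` block the two `-k tracing` rules match every ptrace call, including the `a0=0x4/0x5/0x6` requests tagged just above them; as far as I know the kernel takes the first matching syscall rule, so those requests keep their specific key and `tracing` only covers the rest, which is presumably intended and deserves a one-line comment so nobody reorders the block. The file creation and modification rules carry no `-F auid!=-1`, unlike the other blocks, so system daemons' EACCES/EPERM failures are recorded too; if that is deliberate, say so, otherwise add the filter for consistency.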