WIP: Use auditd #81
9 changed files with 157 additions and 0 deletions
6
playbooks/auditd.yml
Executable file
6
playbooks/auditd.yml
Executable file
|
@ -0,0 +1,6 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: services-*.pve.auro.re
|
||||
roles:
|
||||
- auditd
|
||||
...
|
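Review bot: The play declares no `become: true`, yet every task in the auditd role (apt install, templating into /etc/audit, enabling the systemd unit) needs root; unless privilege escalation is set globally in ansible.cfg, the play fails for any non-root remote user. Add `become: true` directly under the `hosts:` line so the requirement is visible in the playbook itself. The rendered view has lost the YAML indentation, so the nesting of `roles:` under the play is assumed here.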
10
roles/auditd/handlers/main.yml
Normal file
10
roles/auditd/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: Restart auditd
|
||||
systemd:
|
||||
name: auditd.service
|
||||
state: restarted
|
||||
|
||||
- name: Reload auditd rules
|
||||
command:
|
||||
cmd: augenrules --load
|
||||
...
|
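Review bot: `Restart auditd` uses `systemd: state: restarted`, which systemd refuses on hosts whose auditd.service carries `RefuseManualStop=yes` — the upstream unit does, and the Debian-family targets implied by the apt task are commonly reported to ship it; on such hosts this handler errors every time auditd.conf or a plugin file changes. Confirm `systemctl restart auditd.service` is accepted on one of the `services-*` hosts before this leaves WIP; if it is refused, `state: reloaded` (SIGHUP, which auditd uses to re-read auditd.conf — auditd.conf(5) lists which keys are honoured at runtime) is the usual substitute. Whichever route is kept, a one-line comment above the handler saying why that route was chosen will save the next person from re-discovering the refusal.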
37
roles/auditd/tasks/main.yml
Normal file
37
roles/auditd/tasks/main.yml
Normal file
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
- name: Install auditd
|
||||
apt:
|
||||
name:
|
||||
- auditd
|
||||
- audispd-plugins
|
||||
|
||||
- name: Configure auditd and auditsp
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/audit/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
loop:
|
||||
- auditd.conf
|
||||
- plugins.d/syslog.conf
|
||||
- plugins.d/au-remote.conf
|
||||
- plugins.d/af_unix.conf
|
||||
- plugins.d/audispd-zos-remote.conf
|
||||
notify: Restart auditd
|
||||
|
||||
- name: Configure auditd rules
|
||||
template:
|
||||
src: rules.d/audit.rules.j2
|
||||
dest: /etc/audit/rules.d/audit.rules
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=r,g=,o=
|
||||
notify: Reload auditd rules
|
||||
|
||||
- name: Enable auditd
|
||||
systemd:
|
||||
name: auditd.service
|
||||
enabled: true
|
||||
state: started
|
||||
...
|
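Review bot: `Configure auditd rules` treats rules.d/audit.rules as the whole rule set, but `augenrules --load` (the notified handler) concatenates every `*.rules` file in /etc/audit/rules.d, so anything else already present in that directory stays in effect and can silently widen or override what this template sets. If the template is meant to be authoritative, add a task that removes other `*.rules` files from that directory (notifying the same handler), or state in the task name that the file is merged. Minor: the second task's name misspells audisp as `auditsp`, and the apt task has no `update_cache`, so a stale package index on a fresh host makes the install fail. All tasks here need root, and the playbook in this change does not set `become`.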
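--- a/roles/auditd/templates/auditd.conf.j2
+++ b/roles/auditd/templates/auditd.conf.j2
@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+
+local_events = yes
+write_logs = no
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+distribute_network = no
+q_depth = 400
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d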
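Review bot: `write_logs = no` leaves the syslog plugin as the only sink, so the host retains no audit trail of its own and the disk-space keys (`space_left_action`, `admin_space_left_action`, `disk_full_action`) appear to guard nothing; whether events survive then depends entirely on syslog forwarding the local6 facility off-box, which this change does not set up and the role does not document. The plugin queue is also small: with `q_depth = 400` and `overflow_action = SYSLOG`, a burst beyond 400 pending events is dropped with only a warning line in syslog, and the `-w /etc/ -p wa` and b32 `-S all` rules in the shipped rule set can plausibly produce such bursts. Either keep a local log as fallback (`write_logs = yes`, which the rotation keys already configure) or raise `q_depth` and state the forwarding requirement in the role's documentation. `verify_email = yes` / `action_mail_acct = root` are unused since no action is set to EMAIL and could be dropped.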
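--- a/roles/auditd/templates/plugins.d/af_unix.conf.j2
+++ b/roles/auditd/templates/plugins.d/af_unix.conf.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no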
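--- a/roles/auditd/templates/plugins.d/au-remote.conf.j2
+++ b/roles/auditd/templates/plugins.d/au-remote.conf.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+active = no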
|
@ -0,0 +1,3 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
active = no
|
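--- a/roles/auditd/templates/plugins.d/syslog.conf.j2
+++ b/roles/auditd/templates/plugins.d/syslog.conf.j2
@@ -0,0 +1,8 @@
+{{ ansible_managed | comment }}
+
+active = yes
+direction = out
+path = /sbin/audisp-syslog
+type = always
+args = LOG_INFO LOG_LOCAL6
+format = string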
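--- a/roles/auditd/templates/rules.d/audit.rules.j2
+++ b/roles/auditd/templates/rules.d/audit.rules.j2
@@ -0,0 +1,61 @@
+{{ ansible_managed | comment }}
+
+-D
+
+-b 8192
+--backlog_wait_time 60000
+-f 1
+
+# Configuration changes
+-w /etc/ -p wa -k etc
+
+# Usage of auditd tools
+-w /sbin/auditctl -p x -k audit_tools
+-w /sbin/auditd -p x -k audit_tools
+-w /usr/sbin/augenrules -p x -k audit_tools
+
+# Modules changes
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
+-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
+-a always,exit -F arch=b32 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -k modules
+
+# Mount
+-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid!=-1 -k mount
+-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -k mount
+
+# Swap
+-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
+
+# Ptrace
+-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b32 -S ptrace -k tracing
+-a always,exit -F arch=b64 -S ptrace -k tracing
+
+# Unauthorized file accesses
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid!=-1 -k file_access
+
+# Unauthorized file creations
+-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
+
+# Unauthorized file modifications
+-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b32 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -k file_modification
+
+# Usage of 32 bit syscalls
+-a always,exit -F arch=b32 -S all -k 32bit_api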
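Review bot: The `file_creation` and `file_modification` rules omit the `-F auid!=-1` filter that the `file_access`, `modules`, `mount` and `swap` rules carry, so EACCES/EPERM failures from daemons with an unset login uid are recorded under those two keys while the same daemons are excluded from `file_access`; add the filter to them (or drop it everywhere) so the policy is deliberate rather than accidental. Nothing locks the configuration: without a trailing `-e 2` the loaded rule set can be altered at runtime by any process holding CAP_AUDIT_CONTROL, and the `-w /sbin/auditctl -p x` watch only records that it happened; once the set is stable consider `-e 2`, noting that it makes later changes require a reboot and therefore conflicts with the `Reload auditd rules` handler. A short header comment stating that augenrules merges this file with any other `*.rules` in rules.d, and that the leading `-D` clears the kernel's currently loaded rules before the merged set is applied, would help the next maintainer.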