split audit.rules into multiple files
frederikbosch committed Aug 22, 2018
1 parent 5c3ed17 commit 736bfbe
Showing 7 changed files with 85 additions and 77 deletions.
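--- a/misc/audit-aggressive.rules
+++ b/misc/audit-aggressive.rules
@@ -0,0 +1,38 @@
+# Monitor changes and executions in /tmp and /var/tmp.
+-w /tmp/ -p wxa -k tmp
+-w /var/tmp/ -p wxa -k tmp
+
+# Monitor admins accessing user files.
+-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_user_home
+
+# File deletions
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/etc -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/bin -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/sbin -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/usr -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/var -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/root -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/lib -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/lib64 -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/etc -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/bin -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/sbin -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/usr -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/var -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/root -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/lib -F auid>=1000 -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F dir=/lib64 -F auid>=1000 -F auid!=4294967295 -F key=delete
+
+# Permissions
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod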
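Review bot: misc/audit-aggressive.rules is a fragment that is only valid once scripts/22_auditd has concatenated it between misc/audit.header and misc/audit.footer, yet nothing in the file says so; a first line such as `# Fragment: assembled into /etc/audit/audit.rules by scripts/22_auditd; not loadable on its own` would stop someone from handing it to auditctl -R directly. The same comment belongs in misc/audit-docker.rules, misc/audit.header and misc/audit.footer from this commit, and the footer needs the clearest wording because its lone `-e 2` line, loaded on its own, makes whatever rules are currently active immutable until reboot. The `-w /tmp/` and `-w /var/tmp/` watches with `-p wxa` record every write, execute and attribute change under those trees, so a short comment above them about the expected event volume would help whoever decides whether to enable this file.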
75 changes: 0 additions & 75 deletions misc/audit.rules → misc/audit-base.rules
@@ -1,19 +1,3 @@
# https://github.com/konstruktoid/ansible-role-hardening/blob/master/templates/etc/audit/rules.d/hardening.rules.j2
# https://github.com/konstruktoid/Ansible/blob/master/roles/docker/templates/audit.rules.j2
# https://github.com/gds-operations/puppet-auditd/tree/master/templates

# Remove any existing rules
-D

# Buffer Size
-b 8192

# Ignore errors
-i

# Failure Mode
-f 2

# Audit the audit logs
-w /var/log/audit/ -k auditlog

Expand Down Expand Up @@ -141,18 +125,6 @@
-a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules
-a always,exit -F arch=b32 -S init_module -F key=modules

# File deletions
-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

# PAM configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
Expand Down Expand Up @@ -235,27 +207,6 @@
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

# Monitor admins accessing user files.
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_user_home

# Monitor changes and executions in /tmp and /var/tmp.
-w /tmp/ -p wxa -k tmp
-w /var/tmp/ -p wxa -k tmp

# Permissions
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

# Use of privileged commands
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Expand Down Expand Up @@ -325,29 +276,3 @@
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/sbin/usernetct -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

# Docker
-w /etc/default/docker -k docker
-w /etc/docker -k docker
-w /etc/sysconfig/docker -k docker
-w /etc/sysconfig/docker-network -k docker
-w /etc/sysconfig/docker-registry -k docker
-w /etc/sysconfig/docker-storage -k docker
-w /etc/systemd/system/docker-registry.service -k docker
-w /etc/systemd/system/docker.service -k docker
-w /lib/systemd/system/docker-registry.service -k docker
-w /lib/systemd/system/docker.service -k docker
-w /lib/systemd/system/docker.socket -k docker
-w /usr/bin/docker -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-containerd-ctr -k docker
-w /usr/bin/docker-containerd-shim -k docker
-w /usr/bin/docker-runc -k docker
-w /usr/bin/dockerd -k docker
-w /usr/lib/systemd/system/docker-registry.service -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /var/lib/docker -k docker
-w /var/run/docker.sock -k docker

# Make the configuration immutable
-e 2
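--- a/misc/audit-docker.rules
+++ b/misc/audit-docker.rules
@@ -0,0 +1,22 @@
+# Docker
+-w /etc/default/docker -k docker
+-w /etc/docker -k docker
+-w /etc/sysconfig/docker -k docker
+-w /etc/sysconfig/docker-network -k docker
+-w /etc/sysconfig/docker-registry -k docker
+-w /etc/sysconfig/docker-storage -k docker
+-w /etc/systemd/system/docker-registry.service -k docker
+-w /etc/systemd/system/docker.service -k docker
+-w /lib/systemd/system/docker-registry.service -k docker
+-w /lib/systemd/system/docker.service -k docker
+-w /lib/systemd/system/docker.socket -k docker
+-w /usr/bin/docker -k docker
+-w /usr/bin/docker-containerd -k docker
+-w /usr/bin/docker-containerd-ctr -k docker
+-w /usr/bin/docker-containerd-shim -k docker
+-w /usr/bin/docker-runc -k docker
+-w /usr/bin/dockerd -k docker
+-w /usr/lib/systemd/system/docker-registry.service -k docker
+-w /usr/lib/systemd/system/docker.service -k docker
+-w /var/lib/docker -k docker
+-w /var/run/docker.sock -k docker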
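--- a/misc/audit.footer
+++ b/misc/audit.footer
@@ -0,0 +1,2 @@
+# Make the configuration immutable
+-e 2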
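--- a/misc/audit.header
+++ b/misc/audit.header
@@ -0,0 +1,15 @@
+# https://github.com/konstruktoid/ansible-role-hardening/blob/master/templates/etc/audit/rules.d/hardening.rules.j2
+# https://github.com/konstruktoid/Ansible/blob/master/roles/docker/templates/audit.rules.j2
+# https://github.com/gds-operations/puppet-auditd/tree/master/templates
+
+# Remove any existing rules
+-D
+
+# Buffer Size
+-b 8192
+
+# Ignore errors
+-i
+
+# Failure Mode
+-f 2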
8 changes: 7 additions & 1 deletion scripts/22_auditd
Expand Up @@ -6,7 +6,13 @@ function f_auditd {
sed -i 's/^max_log_file_action =.*/max_log_file_action = keep_logs/' "$AUDITDCONF"
sed -i 's/^space_left_action =.*/space_left_action = email/' "$AUDITDCONF"
sed -i 's/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="audit=1"/' "$DEFAULTGRUB"
cp "$AUDITD_RULES" /etc/audit/audit.rules

cp "./misc/audit.header" /etc/audit/audit.rules
for l in $AUDITD_RULES; do
cat "$l" >> /etc/audit/audit.rules
done
cat "./misc/audit.footer" >> /etc/audit/audit.rules

sed -i "s/arch=b64/arch=$(uname -m)/g" /etc/audit/audit.rules
cp /etc/audit/audit.rules "$AUDITRULES"
update-grub 2> /dev/null
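Review bot: A missing or unreadable entry in `$AUDITD_RULES` only makes `cat` print an error in the new loop, while the partially assembled `/etc/audit/audit.rules` is still installed and then locked by the `-e 2` line appended from misc/audit.footer, so the host can end up with a silently incomplete, immutable audit policy unless the script runs under `set -e`, which the hunk does not show; guard each entry before appending, `[ -r "$l" ] || { echo "audit rules file not readable: $l" >&2; return 1; }`. The loop also relies on unquoted word-splitting of `$AUDITD_RULES`, which is intended for the space-separated value set in ubuntu.cfg but reads like the usual quoting bug; a comment such as `# AUDITD_RULES is a space-separated list of rule fragments, concatenated in this order` would make that explicit. f_auditd begins and ends outside the hunk.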
2 changes: 1 addition & 1 deletion ubuntu.cfg
@@ -1,7 +1,7 @@
FW_ADMIN='127.0.0.1'
SSH_GRPS='sudo'
SYSCTL_CONF='./misc/sysctl.conf'
AUDITD_RULES='./misc/audit.rules'
AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules'
LOGROTATE_CONF='./misc/logrotate.conf'
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org'
TIMEDATECTL=''
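Review bot: The new `AUDITD_RULES` value is now an ordered, space-separated list that scripts/22_auditd word-splits and concatenates, and nothing in ubuntu.cfg records either constraint; a comment line above it, `# Space-separated list of rule fragments, appended in this order between misc/audit.header and misc/audit.footer; paths must not contain spaces`, would keep a later edit from adding a path with whitespace or reordering the fragments. The other variables on the page use the same plain-string style, so a comment rather than a bash array keeps the file consistent.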