From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 15 May 2020 11:52:35 +0200
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line

Very likey a copy-pasta error from bash remediation for audit_rules_immutable
---
 .../audit_rules_system_shutdown/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index 1c9748ce9b..b56513cdcd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -8,7 +8,7 @@
 # files to check if '-f .*' setting is present in that '*.rules' file already.
 # If found, delete such occurrence since auditctl(8) manual page instructs the
 # '-f 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
 
 # Append '-f 2' requirement at the end of both:
 # * /etc/audit/audit.rules file (for auditctl case)
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
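Review bot: The sed expression on the added `find` line, `'/-f[[:space:]]\+.*/d'`, is unanchored, so it deletes every line of every `*.rules` file that contains `-f` followed by whitespace anywhere in the line — a comment such as `# -f 2 is set below` would be removed along with the real setting — whereas the Ansible remediation added later in this series anchors its match with `^\s*(?:-f)\s+`. Anchoring the bash side the same way, `sed -i '/^[[:space:]]*-f[[:space:]]\+.*/d'`, limits the deletion to lines that actually set the failure mode and keeps the two remediations consistent. The append loop that follows this cleanup is outside the hunk.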
From: Watson Sato
Date: Fri, 15 May 2020 12:12:21 +0200
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown

Along with very basic test scenarios
---
 .../ansible/shared.yml | 28 +++++++++++++++++++
 .../tests/augen_correct.pass.sh | 4 +++
 .../tests/augen_e_2_immutable.fail.sh | 3 ++
 3 files changed, 35 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
new file mode 100644
index 0000000000..b9e8fa87fa
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+  find:
+    paths: "/etc/audit/rules.d/"
+    patterns: "*.rules"
+  register: find_rules_d
+
+- name: Remove the -f option from all Audit config files
+  lineinfile:
+    path: "{{ item }}"
+    regexp: '^\s*(?:-f)\s+.*$'
+    state: absent
+  loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+  lineinfile:
+    path: "{{ item }}"
+    create: True
+    line: "-f 2"
+  loop:
+    - "/etc/audit/audit.rules"
+    - "/etc/audit/rules.d/immutable.rules"
+
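Review bot: The last task appends `-f 2` to `/etc/audit/rules.d/immutable.rules`, the same file the audit_rules_immutable remediation in this series fills with `-e 2`; `lineinfile` without `insertbefore` adds a missing line at end of file, so on a host already remediated for immutability the `-f 2` line lands after `-e 2`. auditctl(8) describes `-e 2` as locking the configuration against further changes, so I would expect the later `-f 2` to be refused when the rules are loaded rather than applied — worth confirming against a live auditd — and `insertbefore: '^\s*-e\s+2\s*$'` on that task would keep the failure mode ahead of the lock. Separately, the cleanup task only scans `/etc/audit/rules.d/` plus `/etc/audit/audit.rules`, while the bash remediation in this series also clears `-f` from any other `/etc/audit/*.rules`; a stale `-f 1` in such a file survives the Ansible path.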
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..0587b937e0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
new file mode 100644
index 0000000000..fa5b7231df
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 15 May 2020 14:06:08 +0200
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name

---
 .../audit_rules_immutable/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 5ac7b3dabb..1cafb744cc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
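Review bot: The pass scenario seeds immutable.rules with `-e 2` first and `-f 2` second, so it certifies an ordering in which the failure-mode setting follows the `-e 2` lock; auditctl(8) describes `-e 2` as refusing further configuration changes, so a presence-only check would pass here while the `-f 2` line is likely never applied at load time — swapping the two `echo` lines (`-f 2` before `-e 2`) gives a scenario that is also correct at runtime. There is also no scenario with a wrong value, e.g. `echo "-f 1" > /etc/audit/rules.d/immutable.rules` as a fail case, so the remediation's removal of stale `-f` lines is never exercised, and neither scenario touches `/etc/audit/audit.rules` for the auditctl case.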
@@ -17,7 +17,7 @@
     state: absent
   loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
 
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
   lineinfile:
     path: "{{ item }}"
     create: True
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 19 May 2020 11:02:56 +0200
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix

---
 .../audit_rules_system_shutdown/bash/shared.sh | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index b56513cdcd..a349bb1ca1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -4,16 +4,8 @@
 #
 # /etc/audit/audit.rules, (for auditctl case)
 # /etc/audit/rules.d/*.rules (for augenrules case)
-#
-# files to check if '-f .*' setting is present in that '*.rules' file already.
-# If found, delete such occurrence since auditctl(8) manual page instructs the
-# '-f 2' rule should be placed as the last rule in the configuration
 find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
 
-# Append '-f 2' requirement at the end of both:
-# * /etc/audit/audit.rules file (for auditctl case)
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
-
 for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
 do
 echo '' >> $AUDIT_FILE