|
 |
dac76a |
From ac5a43653e418d52ecba4f1469388615620cd731 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 29 Apr 2020 11:54:04 +0200
|
|
|
dac76a |
Subject: [PATCH 1/3] add ansible remediation
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 18 ++++++++++++++++++
|
|
|
dac76a |
1 file changed, 18 insertions(+)
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..3708226e66
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
|
|
|
dac76a |
@@ -0,0 +1,18 @@
|
|
|
dac76a |
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
dac76a |
+# reboot = true
|
|
|
dac76a |
+# strategy = restrict
|
|
|
dac76a |
+# complexity = low
|
|
|
dac76a |
+# disruption = low
|
|
|
dac76a |
+# remediate syscalls
|
|
|
dac76a |
+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}}
|
|
|
dac76a |
+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+# remediate watches
|
|
|
dac76a |
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|
|
|
dac76a |
|
|
|
dac76a |
From 8de44a2ec24813affd51377bcaa8472b53b67e86 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 29 Apr 2020 11:54:23 +0200
|
|
|
dac76a |
Subject: [PATCH 2/3] improve tests
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../tests/auditctl_correct_rules.pass.sh | 17 +++++++++++++++++
|
|
|
dac76a |
...ules.pass.sh => augen_correct_rules.pass.sh} | 0
|
|
|
dac76a |
.../tests/partial_rules.fail.sh | 10 ++++++++++
|
|
|
dac76a |
3 files changed, 27 insertions(+)
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh
|
|
|
dac76a |
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/{correct_rules.pass.sh => augen_correct_rules.pass.sh} (100%)
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..ac5059f31c
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,17 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
dac76a |
+
|
|
|
dac76a |
+# use auditctl
|
|
|
dac76a |
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
+rm -rf /etc/audit/rules.d/*
|
|
|
dac76a |
+rm /etc/audit/audit.rules
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/augen_correct_rules.pass.sh
|
|
|
dac76a |
similarity index 100%
|
|
|
dac76a |
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/correct_rules.pass.sh
|
|
|
dac76a |
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/augen_correct_rules.pass.sh
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..4991b02369
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,10 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
|
|
|
dac76a |
+
|
|
|
dac76a |
+echo "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/rules.d/some.rules
|
|
|
dac76a |
+echo "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/rules.d/some.rules
|
|
|
dac76a |
+echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
+echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules
|
|
|
dac76a |
|
|
|
dac76a |
From f488ee2cef17f8c5764b53d551beabdb8cbf0e60 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 29 Apr 2020 17:13:12 +0200
|
|
|
dac76a |
Subject: [PATCH 3/3] fix metadata and rewrite remediation to use newer macro
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 21 ++++++++++++++++---
|
|
|
dac76a |
1 file changed, 18 insertions(+), 3 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
|
|
|
dac76a |
index 3708226e66..fa07d5bf94 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
|
|
|
dac76a |
@@ -1,11 +1,26 @@
|
|
|
dac76a |
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
dac76a |
-# reboot = true
|
|
|
dac76a |
+# reboot =false
|
|
|
dac76a |
# strategy = restrict
|
|
|
dac76a |
# complexity = low
|
|
|
dac76a |
# disruption = low
|
|
|
dac76a |
# remediate syscalls
|
|
|
dac76a |
-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}}
|
|
|
dac76a |
-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}}
|
|
|
dac76a |
+#
|
|
|
dac76a |
+# What architecture are we on?
|
|
|
dac76a |
+#
|
|
|
dac76a |
+- name: Set architecture for audit tasks
|
|
|
dac76a |
+ set_fact:
|
|
|
dac76a |
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: Remediate audit rules for network configuration for x86
|
|
|
dac76a |
+ block:
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: Remediate audit rules for network configuration for x86_64
|
|
|
dac76a |
+ block:
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
|
|
|
dac76a |
+ when: audit_arch == "b64"
|
|
|
dac76a |
|
|
|
dac76a |
# remediate watches
|
|
|
dac76a |
{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}}
|