|
|
dac76a |
From 361033952354561b569d0429d0671b30154cbfbd Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 29 Apr 2020 17:01:28 +0200
|
|
|
dac76a |
Subject: [PATCH 1/4] rewrite macro
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/macros-ansible.jinja | 119 +++++++-----------------------------
|
|
|
dac76a |
1 file changed, 22 insertions(+), 97 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
|
|
dac76a |
index 8f94f1803a..f9a5b53302 100644
|
|
|
dac76a |
--- a/shared/macros-ansible.jinja
|
|
|
dac76a |
+++ b/shared/macros-ansible.jinja
|
|
|
dac76a |
@@ -349,21 +349,12 @@ The macro requires following parameters:
|
|
|
dac76a |
{{#
|
|
|
dac76a |
The following macro remediates Audit syscall rule in /etc/audit/rules.d directory.
|
|
|
dac76a |
The macro requires following parameters:
|
|
|
dac76a |
+- arch: an architecture to be used in the Audit rule (b32, b64)
|
|
|
dac76a |
- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
|
|
|
dac76a |
- key: a key to use as rule identifier.
|
|
|
dac76a |
Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
|
|
|
dac76a |
-The rule determines the architecture of the system and apply appropriate remediations.
|
|
|
dac76a |
-It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture.
|
|
|
dac76a |
#}}
|
|
|
dac76a |
-
|
|
|
dac76a |
-{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}}
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# What architecture are we on?
|
|
|
dac76a |
-#
|
|
|
dac76a |
-- name: Set architecture for audit tasks
|
|
|
dac76a |
- set_fact:
|
|
|
dac76a |
- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}}
|
|
|
dac76a |
- name: Declare list of syscals
|
|
|
dac76a |
set_fact:
|
|
|
dac76a |
syscalls: {{{ syscalls }}}
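Review bot: The `arch=""` default added to the macro signature at L167 turns a forgotten argument into silently broken output instead of an error: the task registers `audit_syscalls_found__rules_d` (L301) and the rule line built at L483 ends in `-F arch= `, which auditd will reject at load time rather than at build time. Since the doc comment at L87 lists `arch` as required and only `b32`/`b64` are meaningful, drop the default, `{{% macro ansible_audit_augenrules_add_syscall_rule(arch, syscalls=[], key="") -%}}`, so a missing value surfaces as an undefined variable (assuming the build's Jinja environment rejects undefined values; if it does not, an explicit check in the macro body is needed). The doc line at L87 should also say that the value is interpolated into an Ansible variable name and a regex, so it must be exactly `b32` or `b64`. The auditctl macro signature at L647 has the same default and needs the same treatment.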
|
|
|
dac76a |
@@ -371,27 +362,16 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
|
|
|
dac76a |
- name: Declare number of syscalls
|
|
|
dac76a |
set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
|
|
|
dac76a |
|
|
|
dac76a |
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/
|
|
|
dac76a |
- find:
|
|
|
dac76a |
- paths: "/etc/audit/rules.d"
|
|
|
dac76a |
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
|
|
|
dac76a |
- patterns: "*.rules"
|
|
|
dac76a |
- register: audit_syscalls_found_32_rules_d
|
|
|
dac76a |
- loop: "{{ syscalls }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
-- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/
|
|
|
dac76a |
- set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
|
|
|
dac76a |
+- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
|
|
|
dac76a |
find:
|
|
|
dac76a |
paths: "/etc/audit/rules.d"
|
|
|
dac76a |
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
|
|
|
dac76a |
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
|
|
|
dac76a |
patterns: "*.rules"
|
|
|
dac76a |
- register: audit_syscalls_found_64_rules_d
|
|
|
dac76a |
+ register: audit_syscalls_found_{{{ arch }}}_rules_d
|
|
|
dac76a |
loop: "{{ syscalls }}"
|
|
|
dac76a |
|
|
|
dac76a |
-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/
|
|
|
dac76a |
- set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
+- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/
|
|
|
dac76a |
+ set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
|
|
|
dac76a |
- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
|
|
|
dac76a |
find:
|
|
|
dac76a |
@@ -412,31 +392,13 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
|
|
|
dac76a |
- "{{ find_syscalls_files.files | map(attribute='path') | list | first }}"
|
|
|
dac76a |
when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0
|
|
|
dac76a |
|
|
|
dac76a |
-- name: "Insert the syscall rule in {{ all_files[0] }} when on x86"
|
|
|
dac76a |
- block:
|
|
|
dac76a |
- - name: "Construct rule: add rule list, action and arch"
|
|
|
dac76a |
- set_fact: tmpline="-a always,exit -F arch=b32 "
|
|
|
dac76a |
- - name: "Construct rule: add syscalls"
|
|
|
dac76a |
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
|
|
|
dac76a |
- loop: "{{ audit_syscalls_found_32_rules_d.results }}"
|
|
|
dac76a |
- when: item.matched is defined and item.matched == 0
|
|
|
dac76a |
- - name: "Construct rule: add key"
|
|
|
dac76a |
- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
|
|
|
dac76a |
- - name: "Insert the line in {{ all_files[0] }}"
|
|
|
dac76a |
- lineinfile:
|
|
|
dac76a |
- path: "{{ all_files[0] }}"
|
|
|
dac76a |
- line: "{{ tmpline }}"
|
|
|
dac76a |
- create: true
|
|
|
dac76a |
- state: present
|
|
|
dac76a |
- when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls
|
|
|
dac76a |
-
|
|
|
dac76a |
-- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64"
|
|
|
dac76a |
+- name: "Insert the syscall rule in {{ all_files[0] }}"
|
|
|
dac76a |
block:
|
|
|
dac76a |
- name: "Construct rule: add rule list, action and arch"
|
|
|
dac76a |
- set_fact: tmpline="-a always,exit -F arch=b64 "
|
|
|
dac76a |
+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} "
|
|
|
dac76a |
- name: "Construct rule: add syscalls"
|
|
|
dac76a |
set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
|
|
|
dac76a |
- loop: "{{ audit_syscalls_found_64_rules_d.results }}"
|
|
|
dac76a |
+ loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
|
|
|
dac76a |
when: item.matched is defined and item.matched == 0
|
|
|
dac76a |
- name: "Construct rule: add key"
|
|
|
dac76a |
set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
|
|
|
dac76a |
@@ -446,25 +408,17 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
|
|
|
dac76a |
line: "{{ tmpline }}"
|
|
|
dac76a |
create: true
|
|
|
dac76a |
state: present
|
|
|
dac76a |
- when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
|
|
|
dac76a |
+ when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls
|
|
|
dac76a |
{{%- endmacro %}}
|
|
|
dac76a |
|
|
|
dac76a |
{{#
|
|
|
dac76a |
The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.
|
|
|
dac76a |
The macro requires following parameters:
|
|
|
dac76a |
+- arch: an architecture to be used in the Audit rule (b32, b64)
|
|
|
dac76a |
- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
|
|
|
dac76a |
- key: a key to use as rule identifier.
|
|
|
dac76a |
-The rule determines the architecture of the system and apply appropriate remediations.
|
|
|
dac76a |
-It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture.
|
|
|
dac76a |
#}}
|
|
|
dac76a |
-{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}}
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# What architecture are we on?
|
|
|
dac76a |
-#
|
|
|
dac76a |
-- name: Set architecture for audit tasks
|
|
|
dac76a |
- set_fact:
|
|
|
dac76a |
- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}}
|
|
|
dac76a |
- name: Declare list of syscals
|
|
|
dac76a |
set_fact:
|
|
|
dac76a |
syscalls: {{{ syscalls }}}
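Review bot: The `when:` at L548 drops the `audit_arch == 'b64'` guard, so the augenrules macro now writes a 64-bit rule on every host it is expanded on and relies entirely on the caller to gate on architecture, but neither updated doc comment says so. Add one sentence to the comment for both macros (L87 block and L577 block), e.g. `The macro does not inspect the target architecture; the caller must expand it with arch="b64" only on hosts where 64-bit rules apply.` The auditctl macro's `when:` at L999 makes the same change and is covered by the same sentence.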
|
|
|
dac76a |
@@ -472,53 +426,24 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
|
|
|
dac76a |
- name: Declare number of syscalls
|
|
|
dac76a |
set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
|
|
|
dac76a |
|
|
|
dac76a |
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
|
|
|
dac76a |
+- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
|
|
|
dac76a |
find:
|
|
|
dac76a |
paths: "/etc/audit"
|
|
|
dac76a |
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
|
|
|
dac76a |
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
|
|
|
dac76a |
patterns: "audit.rules"
|
|
|
dac76a |
- register: audit_syscalls_found_32_audit_rules
|
|
|
dac76a |
+ register: audit_syscalls_found_{{{ arch }}}_audit_rules
|
|
|
dac76a |
loop: "{{ syscalls }}"
|
|
|
dac76a |
|
|
|
dac76a |
-- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules
|
|
|
dac76a |
- set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
|
|
|
dac76a |
- find:
|
|
|
dac76a |
- paths: "/etc/audit"
|
|
|
dac76a |
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
|
|
|
dac76a |
- patterns: "audit.rules"
|
|
|
dac76a |
- register: audit_syscalls_found_64_audit_rules
|
|
|
dac76a |
- loop: "{{ syscalls }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/*
|
|
|
dac76a |
- set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
-
|
|
|
dac76a |
-- name: Insert the syscall rule in /etc/audit/audit.rules when on x86
|
|
|
dac76a |
- block:
|
|
|
dac76a |
- - name: "Construct rule: add rule list, action and arch"
|
|
|
dac76a |
- set_fact: tmpline="-a always,exit -F arch=b32 "
|
|
|
dac76a |
- - name: "Construct rule: add syscalls"
|
|
|
dac76a |
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
|
|
|
dac76a |
- loop: "{{ audit_syscalls_found_32_audit_rules.results }}"
|
|
|
dac76a |
- when: item.matched is defined and item.matched == 0
|
|
|
dac76a |
- - name: "Construct rule: add key"
|
|
|
dac76a |
- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
|
|
|
dac76a |
- - name: Insert the line in /etc/audit/audit.rules
|
|
|
dac76a |
- lineinfile:
|
|
|
dac76a |
- path: "/etc/audit/audit.rules"
|
|
|
dac76a |
- line: "{{ tmpline }}"
|
|
|
dac76a |
- create: true
|
|
|
dac76a |
- state: present
|
|
|
dac76a |
- when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls
|
|
|
dac76a |
+- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
|
|
|
dac76a |
+ set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
|
|
|
dac76a |
-- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64
|
|
|
dac76a |
+- name: Insert the syscall rule in /etc/audit/audit.rules
|
|
|
dac76a |
block:
|
|
|
dac76a |
- name: "Construct rule: add rule list, action and arch"
|
|
|
dac76a |
- set_fact: tmpline="-a always,exit -F arch=b64 "
|
|
|
dac76a |
+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} "
|
|
|
dac76a |
- name: "Construct rule: add syscalls"
|
|
|
dac76a |
set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
|
|
|
dac76a |
- loop: "{{ audit_syscalls_found_64_audit_rules.results }}"
|
|
|
dac76a |
+ loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
|
|
|
dac76a |
when: item.matched is defined and item.matched == 0
|
|
|
dac76a |
- name: "Construct rule: add key"
|
|
|
dac76a |
set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
|
|
|
dac76a |
@@ -528,5 +453,5 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
|
|
|
dac76a |
line: "{{ tmpline }}"
|
|
|
dac76a |
create: true
|
|
|
dac76a |
state: present
|
|
|
dac76a |
- when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
|
|
|
dac76a |
+ when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls
|
|
|
dac76a |
{{%- endmacro %}}
|
|
|
dac76a |
|
|
|
dac76a |
From c1b10847d740f289f6be58a1409df6433f1b84d5 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 29 Apr 2020 17:01:43 +0200
|
|
|
dac76a |
Subject: [PATCH 2/4] rewrite rule
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 34 +++++++++++++++----
|
|
|
dac76a |
1 file changed, 27 insertions(+), 7 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
index 3b16dd1989..d2dcc8c1fe 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
@@ -3,11 +3,31 @@
|
|
|
dac76a |
# strategy = restrict
|
|
|
dac76a |
# complexity = low
|
|
|
dac76a |
# disruption = low
|
|
|
dac76a |
+#
|
|
|
dac76a |
+# What architecture are we on?
|
|
|
dac76a |
+#
|
|
|
dac76a |
+- name: Set architecture for audit tasks
|
|
|
dac76a |
+ set_fact:
|
|
|
dac76a |
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
|
|
|
dac76a |
|
|
|
dac76a |
-{{% if product == "rhel6" %}}
|
|
|
dac76a |
-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
|
|
|
dac76a |
-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
|
|
|
dac76a |
-{{% else %}}
|
|
|
dac76a |
-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
|
|
|
dac76a |
-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
|
|
|
dac76a |
-{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: perform remediation of Audit rules for kernel module loading for x86 platform
|
|
|
dac76a |
+ block:
|
|
|
dac76a |
+ {{% if product == "rhel6" %}}
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{% else %}}
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: perform remediation of Audit rules for kernel module loading for x86_64 platform
|
|
|
dac76a |
+ block:
|
|
|
dac76a |
+ {{% if product == "rhel6" %}}
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{% else %}}
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{% endif %}}
|
|
|
dac76a |
+ when: audit_arch == "b64"
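Review bot: Only the x86_64 block is gated (`when: audit_arch == "b64"` at L1265); the x86 block starting at L1170 has no `when`, so its b32 rules are written on every host regardless of architecture, which contradicts its task name. The `audit_arch` fact at L1121 is also only meaningful for architecture strings ending in two digits: `regex_replace` leaves the input unchanged when the pattern does not match, so a value such as `s390x` yields `bs390x` (constructed example), which satisfies neither condition and still falls through to the ungated b32 block. If the b32 block is meant for x86 only, gate it on the raw fact as well, e.g. `when: ansible_architecture in ["i386", "i686", "x86_64"]`; if b32 rules are intended everywhere, rename the task so it does not claim otherwise. Patch 4's hunk (L1549 and L1608) keeps the same structure, so the same note applies there.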
|
|
|
dac76a |
|
|
|
dac76a |
From 1505ef7f1632eeb76743410a88b9e50a8f9c44c4 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 29 Apr 2020 17:15:37 +0200
|
|
|
dac76a |
Subject: [PATCH 3/4] fix task names
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../audit_rules_kernel_module_loading/ansible/shared.yml | 4 ++--
|
|
|
dac76a |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
index d2dcc8c1fe..c80f836b6c 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
@@ -11,7 +11,7 @@
|
|
|
dac76a |
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
-- name: perform remediation of Audit rules for kernel module loading for x86 platform
|
|
|
dac76a |
+- name: Perform remediation of Audit rules for kernel module loading for x86 platform
|
|
|
dac76a |
block:
|
|
|
dac76a |
{{% if product == "rhel6" %}}
|
|
|
dac76a |
{{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
@@ -21,7 +21,7 @@
|
|
|
dac76a |
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
|
|
|
dac76a |
-- name: perform remediation of Audit rules for kernel module loading for x86_64 platform
|
|
|
dac76a |
+- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform
|
|
|
dac76a |
block:
|
|
|
dac76a |
{{% if product == "rhel6" %}}
|
|
|
dac76a |
{{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
|
|
|
dac76a |
From 7474ee0d7eb901f417336d7b75a4cfa61dfab7ca Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Thu, 30 Apr 2020 09:27:28 +0200
|
|
|
dac76a |
Subject: [PATCH 4/4] use variable, remove duplicate code
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 24 ++++++++-----------
|
|
|
dac76a |
shared/macros-ansible.jinja | 2 +-
|
|
|
dac76a |
2 files changed, 11 insertions(+), 15 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
index c80f836b6c..c1ba35bf25 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
|
|
|
dac76a |
@@ -10,24 +10,20 @@
|
|
|
dac76a |
set_fact:
|
|
|
dac76a |
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
|
|
|
dac76a |
|
|
|
dac76a |
+# set list of syscalls based on rhel version
|
|
|
dac76a |
+{{% if product == "rhel6" %}}
|
|
|
dac76a |
+{{% set audit_syscalls = ["init_module", "delete_module"] %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+{{% set audit_syscalls = ["init_module", "delete_module", "finit_module"] %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
|
|
|
dac76a |
- name: Perform remediation of Audit rules for kernel module loading for x86 platform
|
|
|
dac76a |
block:
|
|
|
dac76a |
- {{% if product == "rhel6" %}}
|
|
|
dac76a |
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{% else %}}
|
|
|
dac76a |
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{% endif %}}
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
|
|
|
dac76a |
|
|
|
dac76a |
- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform
|
|
|
dac76a |
block:
|
|
|
dac76a |
- {{% if product == "rhel6" %}}
|
|
|
dac76a |
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{% else %}}
|
|
|
dac76a |
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
|
|
|
dac76a |
- {{% endif %}}
|
|
|
dac76a |
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
|
|
|
dac76a |
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
|
|
|
dac76a |
when: audit_arch == "b64"
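Review bot: The non-rhel6 list at L1535 reorders the syscalls (`init_module, delete_module, finit_module` versus the removed `init_module, finit_module, delete_module` at L1579), so the `-S` sequence in the rule line the macro builds on a fresh host changes. The per-syscall `find` checks appear to be order-independent, so remediation should remain idempotent, but anything that compares the emitted line textually would notice. Keep the previous order, `{{% set audit_syscalls = ["init_module", "finit_module", "delete_module"] %}}`, unless the reorder is intended, in which case say so in the commit message. As a style point, the comment at L1515 could use the template comment form `{{# set list of syscalls based on rhel version #}}` (as the macro file does at L72) so it is not copied into every generated playbook.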
|
|
|
dac76a |
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
|
|
dac76a |
index f9a5b53302..03e4306051 100644
|
|
|
dac76a |
--- a/shared/macros-ansible.jinja
|
|
|
dac76a |
+++ b/shared/macros-ansible.jinja
|
|
|
dac76a |
@@ -370,7 +370,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul
|
|
|
dac76a |
register: audit_syscalls_found_{{{ arch }}}_rules_d
|
|
|
dac76a |
loop: "{{ syscalls }}"
|
|
|
dac76a |
|
|
|
dac76a |
-- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/
|
|
|
dac76a |
+- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
|
|
|
dac76a |
set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}"
|
|
|
dac76a |
|
|
|
dac76a |
- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
|