|
 |
76240a |
From 1dcdad51a48c17dd5dbb7eb9bbb8cef23cf00e29 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
76240a |
Date: Mon, 23 Aug 2021 10:26:39 +0200
|
|
|
76240a |
Subject: [PATCH] Fix remaining audit rule files permissions.
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../audit_rules_immutable/ansible/shared.yml | 1 +
|
|
|
76240a |
.../audit_rules_immutable/bash/shared.sh | 1 +
|
|
|
76240a |
shared/templates/audit_file_contents/ansible.template | 5 +++++
|
|
|
76240a |
shared/templates/audit_file_contents/bash.template | 2 ++
|
|
|
76240a |
4 files changed, 9 insertions(+)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
|
|
76240a |
index 1cafb744cc3..736d4c333e4 100644
|
|
|
76240a |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
|
|
76240a |
@@ -22,6 +22,7 @@
|
|
|
76240a |
path: "{{ item }}"
|
|
|
76240a |
create: True
|
|
|
76240a |
line: "-e 2"
|
|
|
76240a |
+ mode: o-rwx
|
|
|
76240a |
loop:
|
|
|
76240a |
- "/etc/audit/audit.rules"
|
|
|
76240a |
- "/etc/audit/rules.d/immutable.rules"
|
|
|
76240a |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
|
|
|
76240a |
index 29cd4a5de6f..36e0691493f 100644
|
|
|
76240a |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
|
|
|
76240a |
@@ -20,4 +20,5 @@ do
|
|
|
76240a |
echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
|
|
|
76240a |
echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
|
|
|
76240a |
echo '-e 2' >> $AUDIT_FILE
|
|
|
76240a |
+ chmod o-rwx $AUDIT_FILE
|
|
|
76240a |
done
|
|
|
76240a |
diff --git a/shared/templates/audit_file_contents/ansible.template b/shared/templates/audit_file_contents/ansible.template
|
|
|
76240a |
index c2852745451..a262386cfbf 100644
|
|
|
76240a |
--- a/shared/templates/audit_file_contents/ansible.template
|
|
|
76240a |
+++ b/shared/templates/audit_file_contents/ansible.template
|
|
|
76240a |
@@ -9,3 +9,8 @@
|
|
|
76240a |
contents=CONTENTS,
|
|
|
76240a |
)
|
|
|
76240a |
}}}
|
|
|
76240a |
+
|
|
|
76240a |
+- name: Remove any permissions from other group
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: {{{ FILEPATH }}}
|
|
|
76240a |
+ mode: o-rwx
|
|
|
76240a |
diff --git a/shared/templates/audit_file_contents/bash.template b/shared/templates/audit_file_contents/bash.template
|
|
|
76240a |
index f264be6f14d..d6277167892 100644
|
|
|
76240a |
--- a/shared/templates/audit_file_contents/bash.template
|
|
|
76240a |
+++ b/shared/templates/audit_file_contents/bash.template
|
|
|
76240a |
@@ -11,4 +11,6 @@
|
|
|
76240a |
)
|
|
|
76240a |
}}}
|
|
|
76240a |
|
|
|
76240a |
+chmod o-rwx {{{ FILEPATH }}}
|
|
|
76240a |
+
|
|
|
76240a |
augenrules --load
|