From 8dd8ca19bc7608db27ba79ac0df90cbc502dcfa8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Apr 2020 14:51:22 +0200
Subject: [PATCH 1/7] create macro
---
shared/macros-ansible.jinja | 176 ++++++++++++++++++++++++++++++++++++
1 file changed, 176 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 884b562ae4..7ccab981d2 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -346,3 +346,179 @@ The macro requires following parameters:
create: yes
when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
{{%- endmacro %}}
+
+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}}
+#
+# What architecture are we on?
+#
+- name: Set architecture for audit modules tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Declare list of syscals
+ set_fact:
+ syscalls: {{{ syscalls }}}
+
+- name: Declare number of syscalls
+ set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
+
+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/
+ find:
+ paths: "/etc/audit/rules.d"
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+ patterns: "*.rules"
+ register: audit_syscalls_found_32_rules_d
+ loop: "{{ syscalls }}"
+
+- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/
+ set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}"
+
+{{% if arch == "64" %}}
+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
+ find:
+ paths: "/etc/audit/rules.d"
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+ patterns: "*.rules"
+ register: audit_syscalls_found_64_rules_d
+ loop: "{{ syscalls }}"
+
+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/
+ set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}"
+{{% endif %}}
+
+- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
+ find:
+ paths: "/etc/audit/rules.d"
+ recurse: no
+ contains: '(-F key=)|(-k\s+){{{ key }}}$'
+ patterns: "*.rules"
+ register: find_syscalls_files
+
+- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/{{{ key }}}.rules
+ when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}"
+ when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0
+
+- name: "Insert the modules rule in {{ all_files[0] }} when on x86"
+ block:
+ - name: "Construct rule: add rule list, action and arch"
+ set_fact: tmpline="-a always,exit -F arch=b32 "
+ - name: "Construct rule: add syscalls"
+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
+ loop: "{{ audit_syscalls_found_32_rules_d.results }}"
+ when: item.matched is defined and item.matched == 0
+ - name: "Construct rule: add key"
+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
+ - name: "Insert the line in {{ all_files[0] }}"
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "{{ tmpline }}"
+ create: true
+ state: present
+ when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls
+
+{{% if arch == "64" %}}
+- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64"
+ block:
+ - name: "Construct rule: add rule list, action and arch"
+ set_fact: tmpline="-a always,exit -F arch=b64 "
+ - name: "Construct rule: add syscalls"
+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
+ loop: "{{ audit_syscalls_found_64_rules_d.results }}"
+ when: item.matched is defined and item.matched == 0
+ - name: "Construct rule: add key"
+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
+ - name: "Insert the line in {{ all_files[0] }}"
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "{{ tmpline }}"
+ create: true
+ state: present
+ when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
+{{% endif %}}
+{{%- endmacro %}}
+
+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}}
+#
+# What architecture are we on?
+#
+- name: Set architecture for audit modules tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Declare list of syscals
+ set_fact:
+ syscalls: {{{ syscalls }}}
+
+- name: Declare number of syscalls
+ set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
+
+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
+ find:
+ paths: "/etc/audit"
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+ patterns: "audit.rules"
+ register: audit_syscalls_found_32_audit_rules
+ loop: "{{ syscalls }}"
+
+- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules
+ set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}"
+
+{{% if arch == "64" %}}
+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
+ find:
+ paths: "/etc/audit"
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+ patterns: "audit.rules"
+ register: audit_syscalls_found_64_audit_rules
+ loop: "{{ syscalls }}"
+
+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/*
+ set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}"
+{{% endif %}}
+
+- name: Insert the modules rule in /etc/audit/audit.rules when on x86
+ block:
+ - name: "Construct rule: add rule list, action and arch"
+ set_fact: tmpline="-a always,exit -F arch=b32 "
+ - name: "Construct rule: add syscalls"
+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
+ loop: "{{ audit_syscalls_found_32_audit_rules.results }}"
+ when: item.matched is defined and item.matched == 0
+ - name: "Construct rule: add key"
+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
+ - name: Insert the line in /etc/audit/audit.rules
+ lineinfile:
+ path: "/etc/audit/audit.rules"
+ line: "{{ tmpline }}"
+ create: true
+ state: present
+ when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls
+
+{{% if arch == "64" %}}
+- name: Insert the modules rule in /etc/audit/rules.d when on x86_64
+ block:
+ - name: "Construct rule: add rule list, action and arch"
+ set_fact: tmpline="-a always,exit -F arch=b64 "
+ - name: "Construct rule: add syscalls"
+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
+ loop: "{{ audit_syscalls_found_64_audit_rules.results }}"
+ when: item.matched is defined and item.matched == 0
+ - name: "Construct rule: add key"
+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
+ - name: Insert the line in /etc/audit/audit.rules
+ lineinfile:
+ path: "/etc/audit/audit.rules"
+ line: "{{ tmpline }}"
+ create: true
+ state: present
+ when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
+{{% endif %}}
+{{%- endmacro %}}
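Review bot: The `contains:` regex in the "Search /etc/audit/rules.d for other rules with the key" task, `'(-F key=)|(-k\s+){{{ key }}}$'`, applies the key only to the `-k` alternative, so any rules file that contains `-F key=` with an unrelated key is selected as the recipient and the new rule is appended to a file belonging to a different key; the inline version this macro replaces kept the key in both alternatives. Suggested: `contains: '(-F key={{{ key }}}|-k\s+{{{ key }}})$'`. Separately, two task names in the auditctl macro still refer to /etc/audit/rules.d ("Get number of matched 64 bit syscalls in /etc/audit/rules.d/*" and "Insert the modules rule in /etc/audit/rules.d when on x86_64") although those tasks read and write /etc/audit/audit.rules; renaming them to name audit.rules would make the generated playbook output easier to read.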
From afefec951b00a9b068a3a9c7fe9e22c6b73c79b1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Apr 2020 14:51:40 +0200
Subject: [PATCH 2/7] use macro in example rule
---
.../ansible/shared.yml | 167 +-----------------
1 file changed, 4 insertions(+), 163 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index 9d028a598d..ac448523c6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -4,166 +4,7 @@
# complexity = low
# disruption = low
-#
-# What architecture are we on?
-#
-- name: Set architecture for audit modules tasks
- set_fact:
- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-
-- name: Declare list of syscals
- set_fact:
- syscalls:
- - "init_module"
- - "delete_module"
- {{% if product != "rhel6" %}}
- - "finit_module"
- {{% endif %}}
-
-- name: Declare number of syscalls
- set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}"
-
-#
-#rules in /etc/audit/rules.d/*
-#
-
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/
- find:
- paths: "/etc/audit/rules.d"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "*.rules"
- register: audit_kernel_found_32_rules_d
- loop: "{{ syscalls }}"
-
-- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/
- set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}"
-
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
- find:
- paths: "/etc/audit/rules.d"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "*.rules"
- register: audit_kernel_found_64_rules_d
- loop: "{{ syscalls }}"
-
-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/
- set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}"
-
-- name: Search /etc/audit/rules.d for other kernel module loading audit rules
- find:
- paths: "/etc/audit/rules.d"
- recurse: no
- contains: "(-F key=modules)|(-k modules)$"
- patterns: "*.rules"
- register: find_modules
-
-- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/modules.rules
- when: find_modules.matched is defined and find_modules.matched == 0
-
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - "{{ find_modules.files | map(attribute='path') | list | first }}"
- when: find_modules.matched is defined and find_modules.matched > 0
-
-- name: "Insert the modules rule in {{ all_files[0] }} when on x86"
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b32 "
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_kernel_found_32_rules_d.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add key"
- set_fact: tmpline="{{ tmpline + '-k modules' }}"
- - name: "Insert the line in {{ all_files[0] }}"
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls
-
-- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64"
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b64 "
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_kernel_found_64_rules_d.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add key"
- set_fact: tmpline="{{ tmpline + '-k modules' }}"
- - name: "Insert the line in {{ all_files[0] }}"
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
-
-
-#
-# rules in /etc/audit/audit.rules
-#
-
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
- find:
- paths: "/etc/audit"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "audit.rules"
- register: audit_kernel_found_32_audit_rules
- loop: "{{ syscalls }}"
-
-- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules
- set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}"
-
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
- find:
- paths: "/etc/audit"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "audit.rules"
- register: audit_kernel_found_64_audit_rules
- loop: "{{ syscalls }}"
-
-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/*
- set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}"
-
-- name: Insert the modules rule in /etc/audit/audit.rules when on x86
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b32 "
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_kernel_found_32_audit_rules.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add key"
- set_fact: tmpline="{{ tmpline + '-k modules' }}"
- - name: Insert the line in /etc/audit/audit.rules
- lineinfile:
- path: "/etc/audit/audit.rules"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls
-
-- name: Insert the modules rule in /etc/audit/rules.d when on x86_64
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b64 "
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_kernel_found_64_audit_rules.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add key"
- set_fact: tmpline="{{ tmpline + '-k modules' }}"
- - name: Insert the line in /etc/audit/audit.rules
- lineinfile:
- path: "/etc/audit/audit.rules"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
+{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
From 08504829c3ef3cda866425986b60df0d457d59cd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Apr 2020 16:14:56 +0200
Subject: [PATCH 3/7] add documentation, fix task naming
---
shared/macros-ansible.jinja | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 7ccab981d2..a61ca4528d 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -347,6 +347,15 @@ The macro requires following parameters:
when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
{{%- endmacro %}}
+{{#
+The following macro remediates Audit syscall rule in /etc/audit/rules.d directory.
+The macro requires following parameters:
+- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used.
+- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
+- key: a key to use as rule identifier.
+Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
+#}}
+
{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}}
#
# What architecture are we on?
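Review bot: The new header comment has a typo and leaves out a contract callers need to know: the macro sets host facts with generic names (`syscalls`, `audit_arch`, `all_files`, `tmpline`) via `set_fact`, so each invocation overwrites them for the rest of the play, and the comment should say so. Suggested wording for the last sentence: `Note that if there already exists a rule with the same key in the /etc/audit/rules.d directory, the new rule will be placed in the same file.` The same comment block for the auditctl macro (the hunk starting at `@@ -445,6 +454,13 @@`) should carry the same fact-naming note.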
@@ -406,7 +415,7 @@ The macro requires following parameters:
- "{{ find_syscalls_files.files | map(attribute='path') | list | first }}"
when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0
-- name: "Insert the modules rule in {{ all_files[0] }} when on x86"
+- name: "Insert the syscall rule in {{ all_files[0] }} when on x86"
block:
- name: "Construct rule: add rule list, action and arch"
set_fact: tmpline="-a always,exit -F arch=b32 "
@@ -425,7 +434,7 @@ The macro requires following parameters:
when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls
{{% if arch == "64" %}}
-- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64"
+- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64"
block:
- name: "Construct rule: add rule list, action and arch"
set_fact: tmpline="-a always,exit -F arch=b64 "
@@ -445,6 +454,13 @@ The macro requires following parameters:
{{% endif %}}
{{%- endmacro %}}
+{{#
+The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.
+The macro requires following parameters:
+- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used.
+- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
+- key: a key to use as rule identifier.
+#}}
{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}}
#
# What architecture are we on?
@@ -484,7 +500,7 @@ The macro requires following parameters:
set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}"
{{% endif %}}
-- name: Insert the modules rule in /etc/audit/audit.rules when on x86
+- name: Insert the syscall rule in /etc/audit/audit.rules when on x86
block:
- name: "Construct rule: add rule list, action and arch"
set_fact: tmpline="-a always,exit -F arch=b32 "
@@ -503,7 +519,7 @@ The macro requires following parameters:
when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls
{{% if arch == "64" %}}
-- name: Insert the modules rule in /etc/audit/rules.d when on x86_64
+- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64
block:
- name: "Construct rule: add rule list, action and arch"
set_fact: tmpline="-a always,exit -F arch=b64 "
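Review bot: The renamed task "Insert the syscall rule in /etc/audit/rules.d when on x86_64" still names the wrong file; this block belongs to the auditctl macro, whose `lineinfile` target (outside the hunk) is `/etc/audit/audit.rules`. Suggested: `- name: Insert the syscall rule in /etc/audit/audit.rules when on x86_64`. The sibling task "Get number of matched 64 bit syscalls in /etc/audit/rules.d/*" in the same macro has the same mismatch and is not touched by this commit.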
From 7b5a2f5efd8c39aee066eb8c59e034612129f00a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Apr 2020 11:31:40 +0200
Subject: [PATCH 4/7] remove arch argument from macros
modify the example rule
add rhel6 condition to the rule
---
.../ansible/shared.yml | 11 +++++++----
shared/macros-ansible.jinja | 18 ++++++------------
2 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index ac448523c6..3b16dd1989 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -4,7 +4,10 @@
# complexity = low
# disruption = low
-{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{% if product == "rhel6" %}}
+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
+{{% else %}}
+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{% endif %}}
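Review bot: The two branches of the new `{{% if product == "rhel6" %}}` differ only in whether `finit_module` is in the list, yet both macro calls are duplicated per branch, so a future change to the key or the syscall set must be made in four places. Building the list once and calling each macro once keeps the product condition in a single spot; Jinja `if` blocks do not introduce a new scope, so a `set` inside the branch is visible afterwards (worth confirming against the project's Jinja configuration).
```yaml
{{% set module_syscalls = ["init_module", "delete_module"] %}}
{{% if product != "rhel6" %}}
{{% set module_syscalls = module_syscalls + ["finit_module"] %}}
{{% endif %}}
{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=module_syscalls, key="modules") }}}
{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=module_syscalls, key="modules") }}}
```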
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index a61ca4528d..09b80bf114 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -350,13 +350,14 @@ The macro requires following parameters:
{{#
The following macro remediates Audit syscall rule in /etc/audit/rules.d directory.
The macro requires following parameters:
-- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used.
- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
- key: a key to use as rule identifier.
Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
+The rule determines the architecture of the system and apply appropriate remediations.
+It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture.
#}}
-{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}}
+{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}}
#
# What architecture are we on?
#
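Review bot: The two added documentation lines call the macro "the rule" and have a subject/verb mismatch; suggested: `The macro determines the architecture of the system and applies the appropriate remediation.` followed by `It uses b32 rules on x86 and both b32 and b64 rules on x86_64.` The preceding sentence still reads "a rule wit the same key" and should be "with". The identical two lines are added again for the auditctl macro in the hunk starting at `@@ -451,17 +449,17 @@` and need the same correction.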
@@ -382,7 +383,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul
- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/
set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}"
-{{% if arch == "64" %}}
- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
find:
paths: "/etc/audit/rules.d"
@@ -393,7 +393,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul
- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/
set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}"
-{{% endif %}}
- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
find:
@@ -433,7 +432,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul
state: present
when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls
-{{% if arch == "64" %}}
- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64"
block:
- name: "Construct rule: add rule list, action and arch"
@@ -451,17 +449,17 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul
create: true
state: present
when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
-{{% endif %}}
{{%- endmacro %}}
{{#
The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.
The macro requires following parameters:
-- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used.
- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
- key: a key to use as rule identifier.
+The rule determines the architecture of the system and apply appropriate remediations.
+It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture.
#}}
-{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}}
+{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}}
#
# What architecture are we on?
#
@@ -487,7 +485,6 @@ The macro requires following parameters:
- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules
set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}"
-{{% if arch == "64" %}}
- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
find:
paths: "/etc/audit"
@@ -498,7 +495,6 @@ The macro requires following parameters:
- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/*
set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}"
-{{% endif %}}
- name: Insert the syscall rule in /etc/audit/audit.rules when on x86
block:
@@ -518,7 +514,6 @@ The macro requires following parameters:
state: present
when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls
-{{% if arch == "64" %}}
- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64
block:
- name: "Construct rule: add rule list, action and arch"
@@ -536,5 +531,4 @@ The macro requires following parameters:
create: true
state: present
when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
-{{% endif %}}
{{%- endmacro %}}
From 2d2e18a8f21a076ea31dc91463611359cd220ad5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Apr 2020 17:07:19 +0200
Subject: [PATCH 5/7] add tests for augen-rules
---
...ass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} | 0
...arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} | 0
...ne.pass.sh => auditctl_syscalls_one_per_line.pass.sh} | 0
...> auditctl_syscalls_one_per_line_one_missing.fail.sh} | 0
.../tests/augen_syscalls_multiple_per_arg.pass.sh | 9 +++++++++
.../tests/augen_syscalls_one_per_arg.pass.sh | 8 ++++++++
.../tests/augen_syscalls_one_per_line.pass.sh | 7 +++++++
.../augen_syscalls_one_per_line_one_missing.fail.sh | 7 +++++++
8 files changed, 31 insertions(+)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_multiple_per_arg.pass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} (100%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} (100%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line.pass.sh => auditctl_syscalls_one_per_line.pass.sh} (100%)
rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line_one_missing.fail.sh => auditctl_syscalls_one_per_line_one_missing.fail.sh} (100%)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh
new file mode 100644
index 0000000000..c50695a586
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed '1,10d' test_audit.rules > /etc/audit/rules.d/test.rules
+sed -i '5,8d' /etc/audit/rules.d/test.rules
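Review bot: The test fixture is built from hard-coded line ranges (`sed '1,10d'` and `sed -i '5,8d'` here, and the same style in the three sibling scripts ending at L624, L637 and L650), so any edit to test_audit.rules silently changes which rules each scenario keeps and the pass/fail names stop describing what is actually tested. A comment naming the rule style each range removes would make the intent checkable, e.g. `# keep only the rules written with several syscalls per -S (lines 11+, minus the one-per-line block)`; better still, select by content rather than position, such as deleting lines that match a distinguishing pattern, so the scripts survive fixture reordering. The scripts also assume test_audit.rules is in the current directory and carry no `set -e`, so a missing fixture leaves an empty test.rules and the scenario still "passes" — presumably the harness provides the file, but an explicit `test -f test_audit.rules` would make the failure visible.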
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh
new file mode 100644
index 0000000000..c086da0b0f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed '1,13d' test_audit.rules > /etc/audit/rules.d/test.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh
new file mode 100644
index 0000000000..76a868ab17
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed '11,18d' test_audit.rules > /etc/audit/rules.d/test.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh
new file mode 100644
index 0000000000..43f3d07e8f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/rules.d/test.rules
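Review bot: The deletion pattern `/.*init.*/d` is equivalent to `/init/d` and removes every line containing the substring "init", which is broader than the "one missing" scenario the file name describes — it presumably is meant to drop the init_module rule(s), but it would also drop finit_module and any key or comment containing "init". Anchoring on the syscall token, e.g. `-e '/-S init_module/d'`, would remove exactly one rule and keep the test's meaning stable if the fixture grows. A one-line comment stating which rule is deliberately removed would also help, since the current comment only says the rules are "irrelevant".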
From 6d4065c9dfbf216343b032fd41c4bca605513521 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Apr 2020 17:07:40 +0200
Subject: [PATCH 6/7] remove recurse from tasks, fix regex
---
shared/macros-ansible.jinja | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 09b80bf114..e24fa5caa7 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -397,8 +397,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
find:
paths: "/etc/audit/rules.d"
- recurse: no
- contains: '(-F key=)|(-k\s+){{{ key }}}$'
+ contains: '^.*(?:-F key=|-k\s+){{{ key }}}$'
patterns: "*.rules"
register: find_syscalls_files
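Review bot: The new `contains` regex only accepts exactly one space in `-F key=` and requires the key to be the very last character of the line, so an audit rule written as `-F  key=modules` or one carrying trailing whitespace is not found and the macro would append a duplicate rule. Loosening both ends, `contains: '^.*(?:-F\s+key=|-k\s+){{{ key }}}\s*$'`, keeps the precedence fix this commit makes while matching the whitespace-tolerant way auditd itself parses rules. Note also that `{{{ key }}}` is interpolated into the pattern unescaped; that is fine for plain identifiers like the keys used here, but a key containing regex metacharacters would change the match, which is worth a short comment above the task. The task this `find` belongs to continues outside the hunk.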
From 31db4018d4aab3148f48b7afe1743fe6cf5c011d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Apr 2020 17:19:52 +0200
Subject: [PATCH 7/7] remove mention of modules from task description
---
shared/macros-ansible.jinja | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index e24fa5caa7..f54f73e866 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -361,7 +361,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
#
# What architecture are we on?
#
-- name: Set architecture for audit modules tasks
+- name: Set architecture for audit tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
@@ -462,7 +462,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
#
# What architecture are we on?
#
-- name: Set architecture for audit modules tasks
+- name: Set architecture for audit tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"