From 8dd8ca19bc7608db27ba79ac0df90cbc502dcfa8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 27 Apr 2020 14:51:22 +0200
Subject: [PATCH 1/7] create macro
---
shared/macros-ansible.jinja | 176 ++++++++++++++++++++++++++++++++++++
1 file changed, 176 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 884b562ae4..7ccab981d2 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -346,3 +346,179 @@ The macro requires following parameters: create: yes when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 {{%- endmacro %}} + +{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} +# +# What architecture are we on? +# +- name: Set architecture for audit modules tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +- name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} + +- name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + +- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" + contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "*.rules" + register: audit_syscalls_found_32_rules_d + loop: "{{ syscalls }}" + +- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" + +{{% if arch == "64" %}} +- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" + contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "*.rules" + register: audit_syscalls_found_64_rules_d + loop: "{{ syscalls }}" + +- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" +{{% endif %}} + +- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} + find: + paths: "/etc/audit/rules.d" + recurse: no + contains: '(-F 
key=)|(-k\s+){{{ key }}}$' + patterns: "*.rules" + register: find_syscalls_files + +- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/{{{ key }}}.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + +- name: "Insert the modules rule in {{ all_files[0] }} when on x86" + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " + - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_syscalls_found_32_rules_d.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" + - name: "Insert the line in {{ all_files[0] }}" + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ tmpline }}" + create: true + state: present + when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls + +{{% if arch == "64" %}} +- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " + - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_syscalls_found_64_rules_d.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" + - name: "Insert the line in {{ all_files[0] }}" + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ tmpline }}" + create: true + state: present + when: audit_syscalls_matched_64_rules_d < 
audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' +{{% endif %}} +{{%- endmacro %}} + +{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} +# +# What architecture are we on? +# +- name: Set architecture for audit modules tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +- name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} + +- name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + +- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" + contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "audit.rules" + register: audit_syscalls_found_32_audit_rules + loop: "{{ syscalls }}" + +- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" + +{{% if arch == "64" %}} +- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" + contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "audit.rules" + register: audit_syscalls_found_64_audit_rules + loop: "{{ syscalls }}" + +- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* + set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" +{{% endif %}} + +- name: Insert the modules rule in /etc/audit/audit.rules when on x86 + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " + - name: 
"Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_syscalls_found_32_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: "/etc/audit/audit.rules" + line: "{{ tmpline }}" + create: true + state: present + when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls + +{{% if arch == "64" %}} +- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " + - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_syscalls_found_64_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: "/etc/audit/audit.rules" + line: "{{ tmpline }}" + create: true + state: present + when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' +{{% endif %}} +{{%- endmacro %}} From afefec951b00a9b068a3a9c7fe9e22c6b73c79b1 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 27 Apr 2020 14:51:40 +0200 Subject: [PATCH 2/7] use macro in example rule --- .../ansible/shared.yml | 167 +----------------- 1 file changed, 4 insertions(+), 163 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml index 9d028a598d..ac448523c6 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -4,166 +4,7 @@ # complexity = low # disruption = low -# -# What architecture are we on? -# -- name: Set architecture for audit modules tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - -- name: Declare list of syscals - set_fact: - syscalls: - - "init_module" - - "delete_module" - {{% if product != "rhel6" %}} - - "finit_module" - {{% endif %}} - -- name: Declare number of syscalls - set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" - -# -#rules in /etc/audit/rules.d/* -# - -- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" - contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" - register: audit_kernel_found_32_rules_d - loop: "{{ syscalls }}" - -- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ - set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" - -- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" - contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" - register: audit_kernel_found_64_rules_d - loop: "{{ syscalls }}" - -- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ - set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" - -- name: Search /etc/audit/rules.d for other kernel module loading audit rules - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "(-F key=modules)|(-k modules)$" - patterns: "*.rules" - register: find_modules - -- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule - 
set_fact: - all_files: - - /etc/audit/rules.d/modules.rules - when: find_modules.matched is defined and find_modules.matched == 0 - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_modules.files | map(attribute='path') | list | first }}" - when: find_modules.matched is defined and find_modules.matched > 0 - -- name: "Insert the modules rule in {{ all_files[0] }} when on x86" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_32_rules_d.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" - - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" - create: true - state: present - when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls - -- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_64_rules_d.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" - - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" - create: true - state: present - when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' - - -# -# rules in /etc/audit/audit.rules -# - -- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" - contains: 
'^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" - register: audit_kernel_found_32_audit_rules - loop: "{{ syscalls }}" - -- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules - set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" - -- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" - contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" - register: audit_kernel_found_64_audit_rules - loop: "{{ syscalls }}" - -- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* - set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" - -- name: Insert the modules rule in /etc/audit/audit.rules when on x86 - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_32_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" - create: true - state: present - when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls - -- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " - - name: "Construct rule: add syscalls" - 
set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_64_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" - create: true - state: present - when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' +{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} From 08504829c3ef3cda866425986b60df0d457d59cd Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 27 Apr 2020 16:14:56 +0200 Subject: [PATCH 3/7] add documentation, fix task naming --- shared/macros-ansible.jinja | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 7ccab981d2..a61ca4528d 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja 
@@ -347,6 +347,15 @@ The macro requires following parameters: when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 {{%- endmacro %}} +{{# +The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. +The macro requires following parameters: +- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. +- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. +- key: a key to use as rule identifier. +Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. +#}} + {{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} # # What architecture are we on? @@ -406,7 +415,7 @@ The macro requires following parameters: - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 -- name: "Insert the modules rule in {{ all_files[0] }} when on x86" +- name: "Insert the syscall rule in {{ all_files[0] }} when on x86" block: - name: "Construct rule: add rule list, action and arch" set_fact: tmpline="-a always,exit -F arch=b32 " @@ -425,7 +434,7 @@ The macro requires following parameters: when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls {{% if arch == "64" %}} -- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" +- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" block: - name: "Construct rule: add rule list, action and arch" set_fact: tmpline="-a always,exit -F arch=b64 " 
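Review bot: The new documentation comment does not state the constraints on `key`, although the macro body interpolates it unescaped into the `contains:` regular expression, into the `-k {{{ key }}}` rule text and into the path `/etc/audit/rules.d/{{{ key }}}.rules`; a line such as `- key: a key to use as rule identifier; must be a plain identifier (letters, digits, underscore) because it is used verbatim as a regex fragment and as a file name.` would keep callers from passing values with regex metacharacters, whitespace or slashes. The same comment has a typo, `wit the same key` → `with the same key`, which a later hunk in this series keeps as context. The `key` remark applies to both macros' comments; the `arch` line is removed again by patch 4.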
@@ -445,6 +454,13 @@ The macro requires following parameters: {{% endif %}} {{%- endmacro %}} +{{# +The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. +The macro requires following parameters: +- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. +- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. +- key: a key to use as rule identifier. +#}} {{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} # # What architecture are we on? @@ -484,7 +500,7 @@ The macro requires following parameters: set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" {{% endif %}} -- name: Insert the modules rule in /etc/audit/audit.rules when on x86 +- name: Insert the syscall rule in /etc/audit/audit.rules when on x86 block: - name: "Construct rule: add rule list, action and arch" set_fact: tmpline="-a always,exit -F arch=b32 " @@ -503,7 +519,7 @@ The macro requires following parameters: when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls {{% if arch == "64" %}} -- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 +- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 block: - name: "Construct rule: add rule list, action and arch" set_fact: tmpline="-a always,exit -F arch=b64 " From 7b5a2f5efd8c39aee066eb8c59e034612129f00a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 28 Apr 2020 11:31:40 +0200 Subject: [PATCH 4/7] remove arch argument from macros modify the example rule add rhel6 condition to the rule --- .../ansible/shared.yml | 11 +++++++---- shared/macros-ansible.jinja | 18 ++++++------------ 2 files changed, 13 insertions(+), 16 deletions(-) 
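Review bot: The renamed task `Insert the syscall rule in /etc/audit/rules.d when on x86_64` in the auditctl macro still names `/etc/audit/rules.d`, but the block's lineinfile writes `path: "/etc/audit/audit.rules"`; the name should read `Insert the syscall rule in /etc/audit/audit.rules when on x86_64` so play output does not suggest the augenrules directory was touched. The same copy-paste mismatch survives as context in that macro's task `Get number of matched 64 bit syscalls in /etc/audit/rules.d/*`, which sums matches found in `/etc/audit/audit.rules`. The enclosing macro body extends beyond this hunk.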
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index ac448523c6..3b16dd1989 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -4,7 +4,10 @@ # complexity = low # disruption = low
-{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{% if product == "rhel6" %}}
+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
+{{% else %}}
+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
+{{% endif %}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index a61ca4528d..09b80bf114 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
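Review bot: The syscall list is spelled out in all four macro calls of the new `rhel6` conditional, so a future change to the audited syscalls has to be made in four places and the augenrules and auditctl invocations of one branch can drift apart; binding the list once per branch with `set` and passing the variable to both macros keeps a single source of truth. This is plain Jinja `set` at file level under the content build's `{{% %}}` delimiters, which I expect to render as before, but it deserves a build check.
```yaml
{{% if product == "rhel6" %}}
{{% set module_syscalls = ["init_module", "delete_module"] %}}
{{% else %}}
{{% set module_syscalls = ["init_module", "finit_module", "delete_module"] %}}
{{% endif %}}
{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=module_syscalls, key="modules") }}}
{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=module_syscalls, key="modules") }}}
```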
@@ -350,13 +350,14 @@ The macro requires following parameters: {{# The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. The macro requires following parameters: -- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - key: a key to use as rule identifier. Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. +The rule determines the architecture of the system and apply appropriate remediations. +It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. #}} -{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} +{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}} # # What architecture are we on? # @@ -382,7 +383,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" -{{% if arch == "64" %}} - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ find: paths: "/etc/audit/rules.d" @@ -393,7 +393,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" -{{% endif %}} - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} find: 
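Review bot: The added documentation sentence `The rule determines the architecture of the system and apply appropriate remediations.` (here and again in the auditctl macro's comment in the next hunk) should read `The macro determines the architecture of the system and applies appropriate remediations.`, and it should say how: `audit_arch` is built as `b` plus the last two digits of `ansible_architecture`, and the b64 rule is inserted only when that equals `b64`. As far as I can tell `regex_replace` returns the input unchanged when the pattern does not match, so on an architecture whose name does not end in two digits `audit_arch` never equals `b64` and only the b32 rule is written; if that is intended for non-x86 targets the comment should say so, otherwise the detection needs a broader test than the two-digit suffix. The macro body continues past this hunk.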
@@ -433,7 +432,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul state: present when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls -{{% if arch == "64" %}} - name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" block: - name: "Construct rule: add rule list, action and arch" @@ -451,17 +449,17 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul create: true state: present when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -{{% endif %}} {{%- endmacro %}} {{# The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. The macro requires following parameters: -- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - key: a key to use as rule identifier. +The rule determines the architecture of the system and apply appropriate remediations. +It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. #}} -{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} +{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}} # # What architecture are we on? # @@ -487,7 +485,6 @@ The macro requires following parameters: - name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" -{{% if arch == "64" %}} - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules find: paths: "/etc/audit" 
@@ -498,7 +495,6 @@ The macro requires following parameters: - name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" -{{% endif %}} - name: Insert the syscall rule in /etc/audit/audit.rules when on x86 block: @@ -518,7 +514,6 @@ The macro requires following parameters: state: present when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls -{{% if arch == "64" %}} - name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 block: - name: "Construct rule: add rule list, action and arch" @@ -536,5 +531,4 @@ The macro requires following parameters: create: true state: present when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -{{% endif %}} {{%- endmacro %}} From 2d2e18a8f21a076ea31dc91463611359cd220ad5 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Tue, 28 Apr 2020 17:07:19 +0200 Subject: [PATCH 5/7] add tests for augen-rules --- ...ass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} | 0 ...arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} | 0 ...ne.pass.sh => auditctl_syscalls_one_per_line.pass.sh} | 0 ...> auditctl_syscalls_one_per_line_one_missing.fail.sh} | 0 .../tests/augen_syscalls_multiple_per_arg.pass.sh | 9 +++++++++ .../tests/augen_syscalls_one_per_arg.pass.sh | 8 ++++++++ .../tests/augen_syscalls_one_per_line.pass.sh | 7 +++++++ .../augen_syscalls_one_per_line_one_missing.fail.sh | 7 +++++++ 8 files changed, 31 insertions(+) rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_multiple_per_arg.pass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} (100%) rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} (100%) rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line.pass.sh => auditctl_syscalls_one_per_line.pass.sh} (100%) rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line_one_missing.fail.sh => auditctl_syscalls_one_per_line_one_missing.fail.sh} (100%) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh similarity index 100% rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh new file mode 100644 index 0000000000..c50695a586 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh 
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed '1,10d' test_audit.rules > /etc/audit/rules.d/test.rules
+sed -i '5,8d' /etc/audit/rules.d/test.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh
new file mode 100644
index 0000000000..c086da0b0f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed '1,13d' test_audit.rules > /etc/audit/rules.d/test.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh
new file mode 100644
index 0000000000..76a868ab17
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed '11,18d' test_audit.rules > /etc/audit/rules.d/test.rules
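Review bot: All four new scenario scripts pick their rule set out of test_audit.rules by absolute line numbers (`sed '1,10d'` then `sed -i '5,8d'` here, `sed '1,13d'` and `sed '11,18d'` in the next two hunks, and `sed -e '11,18d'` in augen_syscalls_one_per_line_one_missing.fail.sh), so any insertion or reordering in the fixture silently changes what each scenario keeps while the scripts still run without error. A comment saying which rules are meant to remain, rather than which ranges are cut, would make future fixture edits safer — something along the lines of `# keep only the augenrules-style rules that list several syscalls per -S argument; the auditctl variants are removed`, adjusted to what the fixture actually contains (I cannot see it from the hunk). Note also that `rm -f /etc/audit/rules.d/*` removes every rules file on the test machine, so the scenario's result rests entirely on the sliced fixture being shipped next to the script.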
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh
new file mode 100644
index 0000000000..43f3d07e8f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+rm -f /etc/audit/rules.d/*
+
+# cut out irrelevant rules for this test
+sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/rules.d/test.rules
From 6d4065c9dfbf216343b032fd41c4bca605513521 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 28 Apr 2020 17:07:40 +0200
Subject: [PATCH 6/7] remove recurse from tasks, fix regex
---
 shared/macros-ansible.jinja | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 09b80bf114..e24fa5caa7 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -397,8 +397,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
 - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
 find:
 paths: "/etc/audit/rules.d"
- recurse: no
- contains: '(-F key=)|(-k\s+){{{ key }}}$'
+ contains: '^.*(?:-F key=|-k\s+){{{ key }}}$'
 patterns: "*.rules"
 register: find_syscalls_files
From 31db4018d4aab3148f48b7afe1743fe6cf5c011d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 28 Apr 2020 17:19:52 +0200
Subject: [PATCH 7/7] remove mention of modules from task description
---
 shared/macros-ansible.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
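Review bot: The `-e '/.*init.*/d'` expression in augen_syscalls_one_per_line_one_missing.fail.sh deletes every fixture line that contains the substring `init` anywhere, not just the one rule the scenario name says it omits; in particular `init` is also a substring of `finit_module`, so if the fixture lists that syscall on its own line two rules disappear rather than one, and a key or comment containing `init` would be dropped as well. The scenario still fails as intended either way, but it then no longer tests the "exactly one syscall missing" case it is named for. Matching the syscall token explicitly, e.g. `sed -e '11,18d' -e '/-S[[:space:]]*init_module\b/d'`, spelled to fit the fixture's actual rule layout, would keep the scenario precise; I cannot see test_audit.rules from the hunk, so please confirm against it.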
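Review bot: The new `contains` pattern anchors the key with a bare `$`, so an existing rule line that ends in trailing whitespace (or has anything after the key) is not counted as already carrying `{{{ key }}}`, and the macro would then go on as if no rules file held that key; `{{{ key }}}\s*$` would tolerate the trailing-whitespace case. `{{{ key }}}` is also spliced into the regular expression unescaped — harmless while keys are plain identifiers, but worth a note in the macro's docstring that key must not contain regex metacharacters. Removing `recurse: no` is behaviour-neutral, since the find module does not recurse by default. The enclosing macro (presumably ansible_audit_augenrules_add_syscall_rule, judging by the task name) begins and ends outside the hunk.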
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index e24fa5caa7..f54f73e866 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -361,7 +361,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
 #
 # What architecture are we on?
 #
-- name: Set architecture for audit modules tasks
+- name: Set architecture for audit tasks
 set_fact:
 audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
@@ -462,7 +462,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
 #
 # What architecture are we on?
 #
-- name: Set architecture for audit modules tasks
+- name: Set architecture for audit tasks
 set_fact:
 audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"