Merge pull request #10326 from marcusburghardt/cis_audit
Refactor audit_rules_privileged_commands to include it in CIS
Showing
24 changed files
with
296 additions
and
208 deletions.
97 changes: 51 additions & 46 deletions
97
...figure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -1,58 +1,63 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle | ||
# reboot = false | ||
# strategy = restrict | ||
# strategy = configure | ||
# complexity = low | ||
# disruption = low | ||
|
||
- name: Search for privileged commands | ||
shell: | | ||
set -o pipefail | ||
find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null | ||
args: | ||
executable: /bin/bash | ||
check_mode: no | ||
register: find_result | ||
- name: {{{ rule_title }}} - Set List of Mount Points Which Permits Execution of Privileged Commands | ||
ansible.builtin.set_fact: | ||
privileged_mount_points: "{{(ansible_facts.mounts | rejectattr('options', 'search', 'noexec|nosuid') | map(attribute='mount') | list ) }}" | ||
|
||
- name: {{{ rule_title }}} - Search for Privileged Commands in Eligible Mount Points | ||
ansible.builtin.shell: | ||
cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null | ||
register: result_privileged_commands_search | ||
changed_when: false | ||
failed_when: false | ||
with_items: "{{ privileged_mount_points }}" | ||
|
||
# Inserts/replaces the rule in /etc/audit/rules.d | ||
|
||
- name: Search /etc/audit/rules.d for audit rule entries | ||
find: | ||
paths: "/etc/audit/rules.d" | ||
recurse: no | ||
contains: "^.*path={{ item }} .*$" | ||
patterns: "*.rules" | ||
with_items: | ||
- "{{ find_result.stdout_lines }}" | ||
register: files_result | ||
- name: {{{ rule_title }}} - Set List of Privileged Commands Found in Eligible Mount Points | ||
ansible.builtin.set_fact: | ||
privileged_commands: "{{( result_privileged_commands_search.results | map(attribute='stdout_lines') | select() | list )[-1] }}" | ||
|
||
- name: Overwrites the rule in rules.d | ||
lineinfile: | ||
path: "{{ item.1.path }}" | ||
line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' | ||
create: no | ||
regexp: "^.*path={{ item.0.item }} .*$" | ||
with_subelements: | ||
- "{{ files_result.results }}" | ||
- files | ||
- name: {{{ rule_title }}} - Privileged Commands are Present in the System | ||
block: | ||
- name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in augenrules Format | ||
ansible.builtin.lineinfile: | ||
path: /etc/audit/rules.d/privileged.rules | ||
line: '-a always,exit -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' | ||
regexp: "^.*path={{ item | regex_escape() }} .*$" | ||
create: yes | ||
with_items: | ||
- "{{ privileged_commands }}" | ||
|
||
- name: Adds the rule in rules.d | ||
lineinfile: | ||
path: /etc/audit/rules.d/privileged.rules | ||
line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' | ||
create: yes | ||
with_items: | ||
- "{{ files_result.results }}" | ||
when: files_result.results is defined and item.matched == 0 | ||
- name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in auditctl Format | ||
ansible.builtin.lineinfile: | ||
path: /etc/audit/audit.rules | ||
line: '-a always,exit -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' | ||
regexp: "^.*path={{ item | regex_escape() }} .*$" | ||
create: yes | ||
with_items: | ||
- "{{ privileged_commands }}" | ||
|
||
# Adds/overwrites the rule in /etc/audit/audit.rules | ||
- name: {{{ rule_title }}} - Search for Duplicated Rules in Other Files | ||
ansible.builtin.find: | ||
paths: "/etc/audit/rules.d" | ||
recurse: no | ||
contains: "^-a always,exit -F path={{ item }} .*$" | ||
patterns: "*.rules" | ||
with_items: | ||
- "{{ privileged_commands }}" | ||
register: result_augenrules_files | ||
|
||
- name: Inserts/replaces the rule in audit.rules | ||
lineinfile: | ||
path: /etc/audit/audit.rules | ||
line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged' | ||
create: yes | ||
regexp: "^.*path={{ item.item }} .*$" | ||
with_items: | ||
- "{{ files_result.results }}" | ||
- name: {{{ rule_title }}} - Ensure Rules for Privileged Commands are Defined Only in One File | ||
ansible.builtin.lineinfile: | ||
path: "{{ item.1.path }}" | ||
regexp: "^-a always,exit -F path={{ item.0.item }} .*$" | ||
state: absent | ||
with_subelements: | ||
- "{{ result_augenrules_files.results }}" | ||
- files | ||
when: | ||
- item.1.path != '/etc/audit/rules.d/privileged.rules' | ||
when: privileged_commands is defined |
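Review bot: The `[-1]` in the `privileged_commands` fact set by the `Set List of Privileged Commands Found in Eligible Mount Points` task keeps only the last non-empty `stdout_lines` list, so on a host with more than one eligible mount point (a separate `/usr` or `/home`, for instance) the setuid/setgid files found on the earlier mount points get no audit rule, and when no mount point returns anything the `[-1]` on an empty list likely fails the task rather than leaving the fact undefined for the `when: privileged_commands is defined` guard. Flattening the results covers every mount point and yields an empty list instead: `privileged_commands: "{{ result_privileged_commands_search.results | map(attribute='stdout_lines') | flatten }}"`. The `contains:` pattern in the `Search for Duplicated Rules in Other Files` task interpolates `{{ item }}` without the `regex_escape()` that both `lineinfile` regexps apply, so a path containing a regex metacharacter is matched differently by the duplicate search than by the rule writers. The mount point in `cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null` is also passed to the shell unquoted, which presumably breaks for mount points containing whitespace.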
26 changes: 22 additions & 4 deletions
26
..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
@@ -1,5 +1,23 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle | ||
# platform = multi_platform_all | ||
# reboot = false | ||
# strategy = configure | ||
# complexity = low | ||
# disruption = low | ||
|
||
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' | ||
{{{ bash_perform_audit_rules_privileged_commands_remediation("auditctl", auid) }}} | ||
{{{ bash_perform_audit_rules_privileged_commands_remediation("augenrules", auid) }}} | ||
ACTION_ARCH_FILTERS="-a always,exit" | ||
AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" | ||
SYSCALL="" | ||
KEY="privileged" | ||
SYSCALL_GROUPING="" | ||
|
||
FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | ||
PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }') | ||
for PARTITION in $PARTITIONS; do | ||
PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null) | ||
for PRIV_CMD in $PRIV_CMDS; do | ||
OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x" | ||
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' | ||
{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}} | ||
{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}} | ||
done | ||
done |
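Review bot: `for PRIV_CMD in $PRIV_CMDS` word-splits the `find` output, so a setuid/setgid file whose path contains whitespace is broken into several tokens and each fragment becomes its own `-F path=` rule; `for PARTITION in $PARTITIONS` has the same problem and undoes the quoting that `find "${PARTITION}"` attempts. Reading the output line by line avoids it: `while IFS= read -r PRIV_CMD; do` … `done < <(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)`. The platform header is widened here to `multi_platform_all`, while the Ansible remediation in the same commit (`ansible/shared.yml`) appears to keep its specific platform list, so the two remediations no longer target the same products; if that is intended, a comment on the platform line saying why would help the next reader. If `FILTER_NODEV` turns out empty, `findmnt -n -l -k -it $FILTER_NODEV` is run with a bare `-t`, which presumably changes its behavior; guarding that case seems worthwhile.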