
Add auditd configuration #2024

Merged
merged 14 commits into from
Jul 26, 2024

Conversation

@JimMadge JimMadge commented Jul 18, 2024

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

⤴️ Summary

Add auditd rules as set out by CIS Ubuntu 22.04 LTS benchmark

🌂 Related issues

🔬 Tests

Tested on a deployed workspace by syncing the desired state container and the desired state service.

# /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# Section numbers refer to the CIS Ubuntu 22.04 LTS benchmark

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# This determines how long to wait in bursts of events
--backlog_wait_time 0

# Set failure mode to syslog
-f 1

# Record all sockets
-a always,exit -F arch=b64 -F a0=2 -S socket -k dsh-socket

# Record all connections
-a always,exit -F arch=b64 -F a0=2 -S connect -k dsh-connect

# 6.3.3.1 Ensure changes to system administration scope (sudoers) is collected
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

# 6.3.3.2 Ensure actions as another user are always logged
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation

# 6.3.3.3 Ensure events that modify the sudo log file are collected
-w /var/log/sudo.log -p wa -k sudo_log_file

# 6.3.3.4 Ensure events that modify date and time information are collected
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

# 6.3.3.5 Ensure events that modify the system's network environment are collected
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
-w /etc/netplan/ -p wa -k system-locale

# 6.3.3.7 Ensure unsuccessful file access attempts are collected
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access

# 6.3.3.8 Ensure events that modify user/group information are collected
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/nsswitch.conf -p wa -k identity
-w /etc/pam.conf -p wa -k identity
-w /etc/pam.d -p wa -k identity

# 6.3.3.9 Ensure discretionary access control permission modification events are collected
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

# 6.3.3.10 Ensure successful file system mounts are collected
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts

# 6.3.3.11 Ensure session initiation information is collected
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

# 6.3.3.12 Ensure login and logout events are collected
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins

# 6.3.3.13 Ensure file deletion events by users are collected
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete

# 6.3.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy

# 6.3.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng

# 6.3.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng

# 6.3.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng

# 6.3.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod

# 6.3.3.19 Ensure kernel module loading unloading and modification is collected
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules

# 6.3.3.20 Ensure the audit configuration is immutable
-e 2
# /etc/audit/rules.d/50-priveleged.rules
-a always,exit -F path=/snap/core18/2829/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/bin/ping -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core18/2829/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core20/2318/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/libexec/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/core22/1380/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/snap/snapd/21759/usr/lib/snapd/snap-confine -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/fusermount3 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/snapd/snap-confine -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/xorg/Xorg.wrap -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged

@JimMadge JimMadge requested a review from a team as a code owner July 18, 2024 07:57

github-actions bot commented Jul 18, 2024

Coverage report

This PR does not seem to contain any modification to coverable code.

@JimMadge JimMadge changed the title from "ggAdd auditd configuration" to "Add auditd configuration" Jul 18, 2024
@jemrobinson jemrobinson force-pushed the workspace_software branch 2 times, most recently from 7154187 to 248be55 Compare July 18, 2024 09:53
@JimMadge JimMadge requested a review from a team as a code owner July 22, 2024 09:34
@JimMadge JimMadge force-pushed the workspace_software branch from 0fd9565 to 30d9243 Compare July 22, 2024 20:31
Base automatically changed from workspace_software to develop July 23, 2024 08:15
@JimMadge JimMadge added this to the Release 5.0.0rc2 milestone Jul 23, 2024
@jemrobinson

@JimMadge Can you merge/rebase onto develop? Some of these changes should already be included there.

@JimMadge JimMadge requested review from jemrobinson and craddm July 25, 2024 11:10

@jemrobinson jemrobinson left a comment

LGTM, just a couple of questions:

  • why is the suffix on the rules file .j2?
  • in the previous version we combined all rules into one file to minimise the number of uploads - is there any benefit in separating them into multiple files here?

@JimMadge JimMadge merged commit 88e13de into develop Jul 26, 2024
11 checks passed
@JimMadge JimMadge deleted the auditd branch July 26, 2024 08:26
@JimMadge

.j2 as it is a Jinja2 template file. That is the templating language Ansible uses.

I think multiple files would let you set a rule priority as they are parsed in file name order. However, here it is only because CIS had an example of how to generate the list of executables with suid and sgid which I didn't want to re-implement in Ansible.

If you could run a command to get just all of the paths then you could have a loop in the template file.
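
The command-plus-loop approach described in the comment above, as an added example that is not the project's own code: list setuid/setgid executables on the mounted filesystems (the same idea as the CIS benchmark's generated list) and turn them into rules of the exact form used in the PR's 50-priveleged.rules file. It assumes util-linux findmnt with --real and GNU find, as shipped on Ubuntu 22.04; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the PR): generate "privileged" audit rules from a
# list of setuid/setgid executables instead of a hand-maintained list.

# Print one audit rule per path read on stdin (one path per line). Blank lines
# and duplicates are dropped. The rule matches the form used in this PR: record
# every execution by a logged-in real user (auid>=1000) under key "privileged".
gen_privileged_rules() {
    sort -u | while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            *' '*)
                # auditctl rules are whitespace-delimited, so a path containing
                # a space cannot be expressed with -F path=; flag it instead.
                printf '# skipped (whitespace in path): %s\n' "$path" ;;
            *)
                printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=unset -k privileged" ;;
        esac
    done
}

# List setuid/setgid regular files on every real, locally mounted filesystem
# that is not mounted noexec or nosuid (the bits are ineffective there anyway).
# Assumes util-linux findmnt (--real) and GNU find (-perm /6000).
list_privileged_executables() {
    findmnt -n -l --real -o TARGET,OPTIONS |
        awk '$2 !~ /(^|,)(noexec|nosuid)(,|$)/ { print $1 }' |
        while IFS= read -r mnt; do
            find "$mnt" -xdev -type f -perm /6000 2>/dev/null
        done
}

# Write a complete rules file for /etc/audit/rules.d (hypothetical default
# name), to be loaded afterwards with "augenrules --load". Run as root.
write_privileged_rules() {
    out="${1:-/etc/audit/rules.d/50-privileged.rules}"
    {
        printf '# Generated: executables with the suid or sgid bit set\n'
        list_privileged_executables | gen_privileged_rules
    } > "$out"
}
```

The same path list could be fed to a loop in the Jinja2 template instead of writing the file directly.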
