diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 52fc8bd..099ed41 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -8,7 +8,7 @@ audit_pkg_arch_name: AMD64 - name: Pre Audit Setup | Set audit package name | ARM64 - when: ansible_facts.machine == "arm64" + when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64") ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 diff --git a/tasks/auditd.yml b/tasks/auditd.yml index c998195..947a141 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,7 +1,18 @@ --- +# Since auditd rules are dependent on syscalls and syscall tables are architecture specific, +# we need to update the auditd rules depending on the architecture of the system. +# This task passed the syscalls table to the auditd template and updates the auditd rules +- name: "POST | AUDITD | Set supported_syscalls variable" + ansible.builtin.shell: ausyscall --dump | awk '{print $2}' + changed_when: false + failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] + register: discovered_auditd_syscalls + - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x" when: update_audit_template + vars: + supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}" ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bde7b88..4c888da 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
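Review bot: The new `when:` spells the two machine names out as an `or` chain wrapped in parentheses; a membership test reads as one condition and is easier to extend if another alias shows up: `when: ansible_facts.machine in ["arm64", "aarch64"]`. The parentheses add nothing in a single-expression `when:`. The matching AMD64 task this mirrors starts outside the hunk, so its condition should be checked for the same style.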
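Review bot: The new `ausyscall` task has `changed_when: false` but no `check_mode: false`, so in a `--check` run it is skipped and `discovered_auditd_syscalls.stdout_lines` is undefined when the template task reads it through `vars:`; add `check_mode: false` beside `changed_when: false` so the read-only discovery step also runs in check mode. It also runs unconditionally while the template task is gated on `when: update_audit_template`; giving the discovery task the same condition keeps a run that skips the template from failing where `ausyscall` is not installed. `failed_when: rc not in [ 0, 1 ]` tolerates a failed dump, in which case `stdout_lines` may be empty and every syscall is filtered out of the template — worth a comment on why rc 1 is accepted. The header comment has a typo: `This task passed the syscalls table` → `This task passes the syscall table`.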
@@ -10,22 +10,41 @@
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_2 %}
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+{% set syscalls = ["execve"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
+-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_3 %}
 -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_4 %}
--a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
--a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
+{% set syscalls = ["adjtimex","settimeofday","clock_settime"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_5 %}
--a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
+{% set syscalls = ["sethostname","setdomainname"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -41,10 +60,17 @@
 {% endif %}
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_8 %}
 -w /etc/group -p wa -k identity
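Review bot: `{{ arch_syscalls.append( syscall) }}` is an output expression, so the `None` returned by `list.append` is rendered into the generated rules file as a line of its own for every matched syscall, and `augenrules`/`auditctl` will most likely reject those lines when loading. Assigning instead of printing avoids that, and a filter replaces the whole seven-line loop: `{% set arch_syscalls = syscalls | select('in', supported_syscalls) | list %}`. When no syscall matches, each `-a` line still renders with an empty `-S`, which also fails to load, so the rule lines should sit inside `{% if arch_syscalls %}` … `{% endif %}`. The same construction recurs in the hunks for rules 6.2.3.7, 6.2.3.9/6.2.3.10, 6.2.3.13 and 6.2.3.19 below and should be fixed in the same way. Separately, the two `clock_settime -F a0=0x0` time-change rules are removed here and not re-added; if that is intentional it deserves a mention in the commit message.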
@@ -57,16 +83,65 @@
 -w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_10 %}
--a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
+{% set syscalls = ["mount"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_11 %}
 -w /var/run/utmp -p wa -k session
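Review bot: The b64 xattr list is misspelled: `{% set syscalls = ["etxattr","lsetxattr",...] %}` names `etxattr`, which can never match `supported_syscalls`, so `setxattr` silently drops out of the 64-bit `perm_mod` rule while the b32 list further down correctly says `setxattr`. Change it to `{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}`. This is exactly the silent loss the `in supported_syscalls` filter hides, so a test that renders the template and compares the emitted syscall sets against the previous static rules would catch the next such slip. The b64 and b32 halves also define each `syscalls` list twice; computing each list once and emitting both arch lines from it halves the block and removes the chance of the two copies diverging as they did here.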
@@ -78,8 +153,15 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_13 %}
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
+{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_14 %}
 -w /etc/apparmor/ -p wa -k MAC-policy
@@ -99,7 +181,14 @@
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=-1 -k kernel_modules
+{% set syscalls = ["init_module","finit_module","delete_module"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_20 %}
 -e 2