colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added auditd arm compatibility thanks to @arousseau-coveo for the excellent work 

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-01-28 10:53:33 +00:00
parent b3ed09583c
commit 043fb4451b
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
3 changed files with 124 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tasks/LE_audit_setup.yml
View File

@ -8,7 +8,7 @@
audit_pkg_arch_name: AMD64 audit_pkg_arch_name: AMD64
- name: Pre Audit Setup | Set audit package name | ARM64 - name: Pre Audit Setup | Set audit package name | ARM64
when: ansible_facts.machine == "arm64" when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
ansible.builtin.set_fact: ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64 audit_pkg_arch_name: ARM64

11
tasks/auditd.yml
View File

@ -1,7 +1,18 @@
--- ---
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls
- name: "POST | AUDITD | Apply auditd template for section 6.2.4.x" - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
when: update_audit_template when: update_audit_template
vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template: ansible.builtin.template:
src: audit/99_auditd.rules.j2 src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules dest: /etc/audit/rules.d/99_auditd.rules

135
templates/audit/99_auditd.rules.j2
View File

@ -10,22 +10,41 @@
-w /etc/sudoers.d -p wa -k scope -w /etc/sudoers.d -p wa -k scope
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_2 %} {% if ubtu24cis_rule_6_2_3_2 %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% set syscalls = ["execve"] %}
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_3 %} {% if ubtu24cis_rule_6_2_3_3 %}
-w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_4 %} {% if ubtu24cis_rule_6_2_3_4 %}
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change {% set syscalls = ["adjtimex","settimeofday","clock_settime"] %}
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change {% set arch_syscalls = [] %}
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change {% for syscall in syscalls %}
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change {% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
-w /etc/localtime -p wa -k time-change -w /etc/localtime -p wa -k time-change
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_5 %} {% if ubtu24cis_rule_6_2_3_5 %}
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale {% set syscalls = ["sethostname","setdomainname"] %}
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-w /etc/issue -p wa -k system-locale -w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
@ -41,10 +60,17 @@
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_7 %} {% if ubtu24cis_rule_6_2_3_7 %}
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access {% set arch_syscalls = [] %}
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access {% for syscall in syscalls %}
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access {% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_8 %} {% if ubtu24cis_rule_6_2_3_8 %}
-w /etc/group -p wa -k identity -w /etc/group -p wa -k identity
@ -57,16 +83,65 @@
-w /etc/pam.d -p wa -k identity -w /etc/pam.d -p wa -k identity
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_9 %} {% if ubtu24cis_rule_6_2_3_9 %}
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod {% set syscalls = ["chmod","fchmod","fchmodat"] %}
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod {% set arch_syscalls = [] %}
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod {% for syscall in syscalls %}
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod {% if syscall in supported_syscalls %}
-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod {{ arch_syscalls.append( syscall) }}
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod {% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["chmod","fchmod","fchmodat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_10 %} {% if ubtu24cis_rule_6_2_3_10 %}
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts {% set syscalls = ["mount"] %}
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_11 %} {% if ubtu24cis_rule_6_2_3_11 %}
-w /var/run/utmp -p wa -k session -w /var/run/utmp -p wa -k session
@ -78,8 +153,15 @@
-w /var/run/faillock -p wa -k logins -w /var/run/faillock -p wa -k logins
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_13 %} {% if ubtu24cis_rule_6_2_3_13 %}
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete {% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete {% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_14 %} {% if ubtu24cis_rule_6_2_3_14 %}
-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor/ -p wa -k MAC-policy
@ -99,7 +181,14 @@
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_19 %} {% if ubtu24cis_rule_6_2_3_19 %}
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=-1 -k kernel_modules {% set syscalls = ["init_module","finit_module","delete_module"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
{% endif %} {% endif %}
{% if ubtu24cis_rule_6_2_3_20 %} {% if ubtu24cis_rule_6_2_3_20 %}
-e 2 -e 2