## Ansible controlled file # Added as part of ansible-lockdown CIS baseline # provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown YOUR CHANGED WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if ubtu24cis_rule_6_2_3_1 %} -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope {% endif %} {% if ubtu24cis_rule_6_2_3_2 %} {% set syscalls = ["execve"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation {% endif %} {% if ubtu24cis_rule_6_2_3_3 %} -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file {% endif %} {% if ubtu24cis_rule_6_2_3_4 %} {% set syscalls = ["adjtimex","settimeofday","clock_settime"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change -w /etc/localtime -p wa -k time-change {% endif %} {% if ubtu24cis_rule_6_2_3_5 %} {% set syscalls = ["sethostname","setdomainname"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network -p wa -k system-locale -w /etc/netplan -p wa -k system-locale {% endif %} {% if ubtu24cis_rule_6_2_3_6 %} {% if discovered_privilege_processes is defined %} {% for proc in discovered_privilege_processes.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged {% endfor %} {% endif %} {% endif %} {% if ubtu24cis_rule_6_2_3_7 %} {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access {% endif %} {% if ubtu24cis_rule_6_2_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity -w /etc/nsswitch.conf -p wa -k identity -w /etc/pam.conf -p wa -k identity -w /etc/pam.d -p wa -k identity {% endif %} {% if ubtu24cis_rule_6_2_3_9 %} {% set syscalls = ["chmod","fchmod","fchmodat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% set syscalls = ["chmod","fchmod","fchmodat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% endif %} {% if ubtu24cis_rule_6_2_3_10 %} {% set syscalls = ["mount"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts {% endif %} {% if ubtu24cis_rule_6_2_3_11 %} -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session {% endif %} {% if ubtu24cis_rule_6_2_3_12 %} -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins {% endif %} {% if ubtu24cis_rule_6_2_3_13 %} {% set syscalls = ["unlink","unlinkat","rename","renameat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete {% endif %} {% if ubtu24cis_rule_6_2_3_14 %} -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy {% endif %} {% if ubtu24cis_rule_6_2_3_15 %} -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} {% if ubtu24cis_rule_6_2_3_16 %} -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} {% if ubtu24cis_rule_6_2_3_17 %} -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} {% if ubtu24cis_rule_6_2_3_18 %} -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k usermod {% endif %} {% if ubtu24cis_rule_6_2_3_19 %} -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules {% set syscalls = ["init_module","finit_module","delete_module"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules {% endif %} {% if ubtu24cis_rule_6_2_3_20 %} -e 2 {% endif %}