Ensure audit rules.d are set 0600
Mab879 committed Dec 19, 2024
1 parent a06c809 commit bada4a9
Showing 8 changed files with 15 additions and 10 deletions.
Expand Up @@ -22,7 +22,7 @@
path: "{{ item }}"
create: True
line: "-e 2"
mode: o-rwx
mode: g-rwx,o-rwx
loop:
- "/etc/audit/audit.rules"
- "/etc/audit/rules.d/immutable.rules"
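Review bot: `mode: g-rwx,o-rwx` only strips group and other bits; when `create: True` makes lineinfile create the file, the owner bits stay wherever the process umask put them, so the outcome is usually 0600 but not the guaranteed value the commit title promises, and it differs from the `mode: '0600'` used in the other Ansible hunks of this commit. Prefer the explicit, quoted octal so every remediation converges on the same mode: `mode: '0600'`. The same symbolic form appears in both hunks of shared/macros/10-ansible.jinja and in the shared/templates/audit_file_contents/ansible.template hunk. While here, `create: True` is a non-canonical boolean spelling; `create: true` is the yamllint-clean form. The enclosing task starts above this hunk, so its name and module are not visible.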
Expand Up @@ -21,4 +21,5 @@ do
echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
echo '-e 2' >> $AUDIT_FILE
chmod o-rwx $AUDIT_FILE
chmod g-rwx $AUDIT_FILE
done
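Review bot: The added `chmod g-rwx $AUDIT_FILE` is a second pass over the same file; a single `chmod 0600 "$AUDIT_FILE"` does both in one call, matches the absolute `chmod 0600` used in the shared/macros/10-bash.jinja hunks of this commit, and also quotes the expansion of `$AUDIT_FILE`. The preceding `echo ... >> $AUDIT_FILE` lines create the file under the process umask before any chmod runs, so a restrictive `umask 077` set before the loop would close that window entirely, if it fits the rest of the script. The `do … done` loop begins above this hunk.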
Expand Up @@ -16,6 +16,7 @@
path: '/etc/audit/audit.rules'
line: '--loginuid-immutable'
regexp: '^\s*--loginuid-immutable\s*$'
mode: '0600'
create: true
when: auditctl_used is defined and auditctl_used.matched >= 1

Expand All @@ -33,6 +34,7 @@
path: '/etc/audit/rules.d/immutable.rules'
line: '--loginuid-immutable'
regexp: '^\s*--loginuid-immutable\s*$'
mode: '0600'
create: true
when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched == 0
when: auditctl_used is defined and auditctl_used.matched == 0
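Review bot: The two consecutive `when:` lines following the new `mode: '0600'` need a check: if both sit at task level they are duplicate keys, and most YAML loaders keep only the last one, silently dropping the `immutable_found_in_rules_d` guard. Indentation is lost in this rendering, so the second `when:` presumably belongs to an enclosing `block:`; running yamllint with `key-duplicates` on the file would settle it. The `mode: '0600'` additions in both hunks look right and take effect whether or not `create: true` has to create the file.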
Expand Up @@ -43,9 +43,10 @@
path: /etc/audit/rules.d/privileged.rules
line: "{{ item.rule }}"
regexp: "{{ item.regex }}"
mode: "0600"
create: yes
when:
- ('"auditd.service" in ansible_facts.services' or
- ('"auditd.service" in ansible_facts.services' or
'"augenrules.service" in ansible_facts.services')
register: augenrules_audit_rules_privilege_function_update_result
with_items: "{{ suid_audit_rules }}"
Expand All @@ -57,7 +58,7 @@
regexp: "{{ item.regex }}"
create: yes
when:
- ('"auditd.service" in ansible_facts.services' or
- ('"auditd.service" in ansible_facts.services' or
'"augenrules.service" in ansible_facts.services')
register: auditctl_audit_rules_privilege_function_update_result
with_items: "{{ suid_audit_rules }}"
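Review bot: Only the first lineinfile task here gains `mode: "0600"`; the second task in the hunk at -57 keeps `create: yes` with no `mode:`, so a file it has to create ends up with whatever the umask gives and an existing one is never tightened. If that task writes to the auditctl rules file (its `path:` is above the hunk and not visible here), add the same `mode: "0600"` line after its `regexp:`. The `when:` lines that appear twice in both hunks seem to be whitespace-only changes; while touching these tasks, `create: yes` is a YAML 1.1 boolean spelling and `create: true` is the canonical form.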
Expand Up @@ -23,6 +23,7 @@
lineinfile:
path: "{{ item }}"
create: True
mode: "0600"
line: "-f {{ var_audit_failure_mode }}"
loop:
- "/etc/audit/audit.rules"
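Review bot: `create: True` directly above the new `mode: "0600"` is a non-canonical boolean spelling that yamllint's `truthy` rule flags; `create: true` is the canonical form. The `loop:` continues below this hunk, so which other files receive the mode is not visible here.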
4 changes: 2 additions & 2 deletions shared/macros/10-ansible.jinja
Expand Up @@ -577,7 +577,7 @@ The macro requires following parameters:
path: '{{ audit_file }}'
line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
create: true
mode: o-rwx
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
{{%- endmacro %}}
Expand Down Expand Up @@ -654,7 +654,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
path: '{{ audit_file }}'
line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
create: true
mode: o-rwx
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
{{%- endmacro %}}
4 changes: 2 additions & 2 deletions shared/macros/10-bash.jinja
Expand Up @@ -390,7 +390,7 @@ then
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
Expand Down Expand Up @@ -1748,7 +1748,7 @@ then
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
chmod 0600 "$file_to_inspect"
fi
fi
{{%- endif %}}
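Review bot: `chmod 0600` runs only inside the `if [ ! -e "$key_rule_file" ]` branch, so a rules file that already exists with the old 0640 (or anything looser) is left untouched; the same applies to `$file_to_inspect` in the hunk at -1748. Moving the chmod after the inner `fi`, or adding a separate `chmod 0600` for the existing-file case, would make the remediation converge on every run. For the create path, `touch` followed by `chmod` briefly exposes the file at the umask-derived mode; `install -m 0600 /dev/null "$key_rule_file"` creates it with the intended mode in one step. Both `if`/`then` blocks start above their hunks.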
6 changes: 3 additions & 3 deletions shared/templates/audit_file_contents/ansible.template
Expand Up @@ -10,7 +10,7 @@
)
}}}

- name: Remove any permissions from other group
file:
- name: {{{ rule_title }}} - Remove any permissions from group and other
ansible.builtin.file:
path: {{{ FILEPATH }}}
mode: o-rwx
mode: g-rwx,o-rwx
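Review bot: The new task name `- name: {{{ rule_title }}} - Remove any permissions from group and other` is an unquoted plain scalar, so a rule title containing `: ` or ` #` breaks the rendered YAML; quote it, `- name: "{{{ rule_title }}} - Remove any permissions from group and other"`, and the same goes for `path: {{{ FILEPATH }}}`. `ansible.builtin.file` with no `state:` defaults to `state: file`, which fails when the path does not exist yet, so this task relies on an earlier step having created the file — presumably the macro call closed at the top of the hunk, worth confirming. As in the other Ansible hunks of this commit, `mode: g-rwx,o-rwx` strips bits rather than setting 0600; `mode: '0600'` is the deterministic form.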
