Merge pull request dev-sec#144 from dev-sec/auditd

install and configure auditd - fix inspec package-08
divialth · Jun 29, 2018 · 310a108 · 310a108
2 parents df25471 + 8459d82
commit 310a108
Show file tree

Hide file tree

Showing 25 changed files with 74 additions and 17 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -59,10 +59,10 @@ script:
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
    # Test role.
-  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --skip-tags "sysctl"'
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --diff --skip-tags "sysctl"'
 
    # Verify role
-  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 os-09 os-10 package-01 package-02 package-03 package-04 package-05 package-06 package-09'
+  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 os-09 package-01 package-02 package-03 package-04 package-05 package-06 package-09'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
@@ -0,0 +1,14 @@
+---
+
+- name: install auditd package | package-08
+  package:
+    name: '{{ auditd_package }}'
+    state: 'present'
+
+- name: configure auditd | package-08
+  template:
+    src: 'etc/audit/auditd.conf.j2'
+    dest: '/etc/audit/auditd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0640'
diff --git a/tasks/limits.yml b/tasks/limits.yml
@@ -8,7 +8,7 @@
       group: 'root'
       mode: '0755'
       state: 'directory'
-      
+
   - name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
     pam_limits:
       dest: '/etc/security/limits.d/10.hardcore.conf'
@@ -17,19 +17,26 @@
       limit_item: core
       value: 0
       comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
-      
+
   - name: set 10.hardcore.conf perms to 0400 and root ownership
     file:
       path: /etc/security/limits.d/10.hardcore.conf
       owner: 'root'
       group: 'root'
       mode: '0440'
-  
+
   when: 'not os_security_kernel_enable_core_dump'
 
 - name: remove 10.hardcore.conf config file
   file:
     path: /etc/security/limits.d/10.hardcore.conf
     state: absent
 
+- name: create sane limits.conf | sysctl-31a, sysctl-31b
+  template:
+    src: 'etc/security/limits.d/limits.conf.j2'
+    dest: '/etc/security/limits.d/10.hardcore.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
   when: 'os_security_kernel_enable_core_dump'
diff --git a/tasks/login_defs.yml b/tasks/login_defs.yml
@@ -1,7 +1,7 @@
 ---
 - name: create login.defs | os-05, os-05b
   template:
-    src: 'login.defs.j2'
+    src: 'etc/login.defs.j2'
     dest: '/etc/login.defs'
     owner: 'root'
     group: 'root'

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -13,13 +13,16 @@
       skip: true
   tags: always
 
+- import_tasks: auditd.yml
+  tags: auditd
+
 - import_tasks: limits.yml
   tags: limits
 
 - import_tasks: login_defs.yml
   tags: login_defs
 
-- include_tasks: minimize_access.yml
+- import_tasks: minimize_access.yml
   tags: minimize_access
 
 - import_tasks: pam.yml

diff --git a/tasks/modprobe.yml b/tasks/modprobe.yml
@@ -6,7 +6,7 @@
 
 - name: disable unused filesystems | os-10
   template:
-    src: 'modprobe.j2'
+    src: 'etc/modprobe.d/modprobe.j2'
     dest: '/etc/modprobe.d/dev-sec.conf'
     owner: 'root'
     group: 'root'

diff --git a/tasks/pam.yml b/tasks/pam.yml
@@ -33,7 +33,7 @@
 
 - name: configure passwdqc
   template:
-    src: 'pam_passwdqc.j2'
+    src: 'usr/share/pam-configs/pam_passwdqd.j2'
     dest: '{{ passwdqc_path }}'
     mode: '0640'
     owner: 'root'
@@ -54,7 +54,7 @@
 
 - name: configure tally2
   template:
-    src: 'pam_tally2.j2'
+    src: 'usr/share/pam-configs/pam_tally2.j2'
     dest: '{{ tally2_path }}'
     mode: '0640'
     owner: 'root'
@@ -87,15 +87,15 @@
 
 - name: configure passwdqc and tally via central system-auth confic
   template:
-    src: 'rhel_system_auth.j2'
+    src: 'etc/pam.d/rhel_system_auth.j2'
     dest: '/etc/pam.d/system-auth-ac'
     mode: '0640'
     owner: 'root'
     group: 'root'
 
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   template:
-    src: 'rhel_libuser.conf.j2'
+    src: 'etc/rhel_libuser.conf.j2'
     dest: '/etc/libuser.conf'
     mode: '0640'
     owner: 'root'

diff --git a/tasks/profile.yml b/tasks/profile.yml
@@ -1,7 +1,7 @@
 ---
 - name: add pinerolo_profile.sh to profile.d
   template:
-    src: 'profile.conf.j2'
+    src: 'etc/profile.d/profile.conf.j2'
     dest: '/etc/profile.d/pinerolo_profile.sh'
     owner: 'root'
     group: 'root'

diff --git a/tasks/securetty.yml b/tasks/securetty.yml
@@ -1,7 +1,7 @@
 ---
 - name: create securetty
   template:
-    src: 'securetty.j2'
+    src: 'etc/securetty.j2'
     dest: '/etc/securetty'
     owner: 'root'
     group: 'root'

diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
@@ -8,7 +8,7 @@
 
 - name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
   template:
-    src: 'rhel_sysconfig_init.j2'
+    src: 'etc/sysconfig/rhel_sysconfig_init.j2'
     dest: '/etc/sysconfig/init'
     owner: 'root'
     group: 'root'
@@ -24,7 +24,7 @@
 
 - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
   template:
-    src: 'modules.j2'
+    src: 'etc/initramfs-tools/modules.j2'
     dest: '/etc/initramfs-tools/modules'
     owner: 'root'
     group: 'root'
@@ -63,7 +63,7 @@
 
 - name: Apply ufw defaults
   template:
-    src: 'ufw.j2'
+    src: 'etc/default/ufw.j2'
     dest: '/etc/default/ufw'
   when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
   tags: ufw
diff --git a/templates/etc/audit/auditd.conf.j2 b/templates/etc/audit/auditd.conf.j2
@@ -0,0 +1,28 @@
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
diff --git a/templates/ufw.j2 → templates/etc/default/ufw.j2 b/templates/ufw.j2 → templates/etc/default/ufw.j2
diff --git a/templates/modules.j2 → templates/etc/initramfs-tools/modules.j2 b/templates/modules.j2 → templates/etc/initramfs-tools/modules.j2
diff --git a/templates/login.defs.j2 → templates/etc/login.defs.j2 b/templates/login.defs.j2 → templates/etc/login.defs.j2
diff --git a/templates/modprobe.j2 → templates/etc/modprobe.d/modprobe.j2 b/templates/modprobe.j2 → templates/etc/modprobe.d/modprobe.j2
diff --git a/templates/rhel_system_auth.j2 → templates/etc/pam.d/rhel_system_auth.j2 b/templates/rhel_system_auth.j2 → templates/etc/pam.d/rhel_system_auth.j2
diff --git a/templates/profile.conf.j2 → templates/etc/profile.d/profile.conf.j2 b/templates/profile.conf.j2 → templates/etc/profile.d/profile.conf.j2
diff --git a/templates/rhel_libuser.conf.j2 → templates/etc/rhel_libuser.conf.j2 b/templates/rhel_libuser.conf.j2 → templates/etc/rhel_libuser.conf.j2
diff --git a/templates/securetty.j2 → templates/etc/securetty.j2 b/templates/securetty.j2 → templates/etc/securetty.j2
diff --git a/templates/etc/security/limits.d/limits.conf.j2 b/templates/etc/security/limits.d/limits.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed | comment }}
+# Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information.
+* hard core 0
diff --git a/templates/rhel_sysconfig_init.j2 → ...ates/etc/sysconfig/rhel_sysconfig_init.j2 b/templates/rhel_sysconfig_init.j2 → ...ates/etc/sysconfig/rhel_sysconfig_init.j2
diff --git a/templates/pam_passwdqc.j2 → ...tes/usr/share/pam-configs/pam_passwdqd.j2 b/templates/pam_passwdqc.j2 → ...tes/usr/share/pam-configs/pam_passwdqd.j2
diff --git a/templates/pam_tally2.j2 → ...lates/usr/share/pam-configs/pam_tally2.j2 b/templates/pam_tally2.j2 → ...lates/usr/share/pam-configs/pam_tally2.j2
diff --git a/vars/Debian.yml b/vars/Debian.yml
@@ -5,6 +5,7 @@ passwdqc_path: '/usr/share/pam-configs/passwdqc'
 tally2_path: '/usr/share/pam-configs/tally2'
 os_nologin_shell_path: '/usr/sbin/nologin'
 
+auditd_package: 'auditd'
 modprobe_package: 'kmod'
 
 # Different distros use different standards for /etc/shadow perms, e.g.

diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -1,6 +1,7 @@
 ---
 
 modprobe_package: 'module-init-tools'
+auditd_package: 'audit'
 
 os_packages_pam_ccreds: 'pam_ccreds'
 os_packages_pam_passwdqc: 'pam_passwdqc'