auditd

cloud.yml

@@ -42,7 +42,7 @@
     
   - name: "do_server_name"
     prompt: "Name the vpn server:\n"
-    default: "strongswan"
+    default: "strongswan.local"
     private: no
 
   tasks:

common.yml

@@ -2,7 +2,6 @@
 
 - name: Common tools
   hosts: vpn-host
-  gather_facts: false
   remote_user: root
   vars_files:
     - config.cfg    
@@ -25,6 +24,9 @@
       - apparmor-utils
       - uuid-runtime
       - coreutils
+      - auditd
+      - rsyslog
+      - sendmail
 
   - name: Enable packet forwarding for IPv4
     sysctl: name=net.ipv4.ip_forward value=1
@@ -35,5 +37,45 @@
   - name: Do not send ICMP redirects (we are not a router)
     sysctl: name=net.ipv4.conf.all.send_redirects value=0
     
+  - name: Collect Use of Privileged Commands
+    shell: > 
+      /usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
+    args:
+      executable: /bin/bash
+    register: privileged_programs
+    
+  - name: Auditd rules configured
+    template: src=audit.rules.j2 dest=/etc/audit/audit.rules
+    notify:
+      - restart auditd
+      
+  - name: Auditd configured
+    template: src=auditd.conf.j2 dest=/etc/audit/auditd.conf
+    notify:
+      - restart auditd       
+      
+  - name: Rsyslog configured
+    template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf
+    notify:
+      - restart rsyslog    
+
+  - name: Rsyslog CIS configured
+    template: src=CIS.conf.j2 dest=/etc/rsyslog.d/CIS.conf owner=root group=root mode=0644
+    notify:
+      - restart rsyslog   
+      
+  - name: Enable services
+    service: name={{ item }} enabled=yes
+    with_items:
+      - auditd
+      - rsyslog
+      
+  
+  handlers:
+    - name: restart auditd
+      service: name=auditd state=restarted
+
+    - name: restart rsyslog
+      service: name=rsyslog state=restarted      
 
     

config.cfg

@@ -1,5 +1,6 @@
 ---
 
+#
 # IKEv2 currently supports only the following three curves:
 #  prime256v1
 #  secp384r1
@@ -19,3 +20,9 @@ server_ip: "{{ ansible_ssh_host }}"
 users:
   - mr.smith
   - mrs.smith
+  
+#  
+# auditd options
+# email for auditd actions:
+auditd_action_mail_acct: e601809@gmail.com
+

templates/CIS.conf.j2

@@ -0,0 +1,15 @@
+*.emerg :omusrmsg:*
+mail.* -/var/log/mail
+mail.info -/var/log/mail.info
+mail.warning -/var/log/mail.warn
+mail.err /var/log/mail.err
+news.crit -/var/log/news/news.crit
+news.err -/var/log/news/news.err
+news.notice -/var/log/news/news.notice
+*.=warning;*.=err -/var/log/warn
+*.crit /var/log/warn
+*.*;mail.none;news.none -/var/log/messages
+local0,local1.* -/var/log/localmessages
+local2,local3.* -/var/log/localmessages
+local4,local5.* -/var/log/localmessages
+local6,local7.* -/var/log/localmessages

templates/audit.rules.j2

@@ -0,0 +1,101 @@
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+#
+# First rule - delete all
+-D
+
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b 320
+
+# Feel free to add below this line. See auditctl man page
+
+# Record Events That Modify Date and Time Information
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+{% endif %}
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-w /etc/localtime -p wa -k time-change
+
+# Record Events That Modify User/Group Information
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# Record Events That Modify the System's Network Environment
+{% if ansible_architecture == "x86_64" %}
+-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+{% endif %}
+-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/network/interfaces -p wa -k system-locale
+
+# Collect Login and Logout Events
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+#  Collect Session Initiation Information 
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+
+# Collect Discretionary Access Control Permission Modification Events
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+{% endif %}
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+
+# Collect Unsuccessful Unauthorized Access Attempts to Files
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+{% endif %}
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+
+# Collect Use of Privileged Commands
+{% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %}
+{{ privileged_programs.stdout }}
+{% endif %}
+
+# Collect Successful File System Mounts
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+{% endif %}
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+
+# Collect File Deletion Events by User
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+{% endif %}
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+    
+# Collect Changes to System Administration Scope
+-w /etc/sudoers -p wa -k scope
+
+# Collect System Administrator Actions (sudolog)
+-w /var/log/sudo.log -p wa -k actions
+
+# Collect Kernel Module Loading and Unloading
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+{% endif %}
+-a always,exit -F arch=b32 -S init_module -S delete_module -k modules 
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+
+-e 2

templates/auditd.conf.j2

@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 10
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = email
+action_mail_acct = {{ auditd_action_mail_acct }}
+admin_space_left = 50
+admin_space_left_action = email
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port = 
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key

templates/rsyslog.conf.j2

@@ -0,0 +1,61 @@
+#  /etc/rsyslog.conf    Configuration file for rsyslog.
+#
+#           For more information see
+#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+#
+#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf
+
+#
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+#module(load="immark")  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+# Enable non-kernel facility klog messages
+$KLogPermitNonKernelFacility on
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Filter duplicated messages
+$RepeatedMsgReduction on
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner syslog
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$PrivDropToUser syslog
+$PrivDropToGroup syslog
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+