diff --git a/cloud.yml b/cloud.yml
index df1d117..db10f15 100644
--- a/cloud.yml
+++ b/cloud.yml
@@ -42,7 +42,7 @@
 - name: "do_server_name"
 prompt: "Name the vpn server:\n"
- default: "strongswan"
+ default: "strongswan.local"
 private: no
 tasks:
diff --git a/common.yml b/common.yml
index 63a4707..8ab0568 100644
--- a/common.yml
+++ b/common.yml
@@ -2,7 +2,6 @@
 - name: Common tools
 hosts: vpn-host
- gather_facts: false
 remote_user: root
 vars_files:
 - config.cfg
@@ -25,6 +24,9 @@
 - apparmor-utils
 - uuid-runtime
 - coreutils
+ - auditd
+ - rsyslog
+ - sendmail
 - name: Enable packet forwarding for IPv4
 sysctl: name=net.ipv4.ip_forward value=1
@@ -35,5 +37,45 @@
 - name: Do not send ICMP redirects (we are not a router)
 sysctl: name=net.ipv4.conf.all.send_redirects value=0
+ - name: Collect Use of Privileged Commands
+ shell: >
+ /usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
+ args:
+ executable: /bin/bash
+ register: privileged_programs
+
+ - name: Auditd rules configured
+ template: src=audit.rules.j2 dest=/etc/audit/audit.rules
+ notify:
+ - restart auditd
+
+ - name: Auditd configured
+ template: src=auditd.conf.j2 dest=/etc/audit/auditd.conf
+ notify:
+ - restart auditd
+
+ - name: Rsyslog configured
+ template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf
+ notify:
+ - restart rsyslog
+
+ - name: Rsyslog CIS configured
+ template: src=CIS.conf.j2 dest=/etc/rsyslog.d/CIS.conf owner=root group=root mode=0644
+ notify:
+ - restart rsyslog
+
+ - name: Enable services
+ service: name={{ item }} enabled=yes
+ with_items:
+ - auditd
+ - rsyslog
+
+
+ handlers:
+ - name: restart auditd
+ service: name=auditd state=restarted
+
+ - name: restart rsyslog
+ service: name=rsyslog state=restarted
\ No newline at end of file
diff --git a/config.cfg b/config.cfg
index e191734..7b98fc5 100644
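Review bot: The two auditd template tasks in the last common.yml hunk write /etc/audit/audit.rules and /etc/audit/auditd.conf with no owner/group/mode, while the CIS.conf task in the same hunk sets them explicitly; audit configuration should be root-owned and not world-readable, so `template: src=audit.rules.j2 dest=/etc/audit/audit.rules owner=root group=root mode=0640` (and the same for auditd.conf.j2) is the safer form and also makes the tasks consistent. The "Collect Use of Privileged Commands" shell task is read-only but will report "changed" on every run and cannot be run in check mode; add `changed_when: false` and `check_mode: no` so the registered result is still available to the template. Note too that the generated `-F path=` rules are built with awk on `$1`, so any setuid path containing whitespace would produce a broken rule (unlikely under the listed system directories, but worth a comment). Installing sendmail here exists only to satisfy the `email` actions in auditd.conf.j2; on a cloud host outbound mail is often blocked, so document that the operator must verify delivery or those alerts silently go nowhere.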
--- a/config.cfg
+++ b/config.cfg
@@ -1,5 +1,6 @@
 ---
+#
 # IKEv2 currently supports only the following three curves:
 # prime256v1
 # secp384r1
@@ -19,3 +20,9 @@
 server_ip: "{{ ansible_ssh_host }}"
 users:
 - mr.smith
 - mrs.smith
+
+#
+# auditd options
+# email for auditd actions:
+auditd_action_mail_acct: e601809@gmail.com
+
diff --git a/templates/CIS.conf.j2 b/templates/CIS.conf.j2
new file mode 100644
index 0000000..96b3a59
--- /dev/null
+++ b/templates/CIS.conf.j2
@@ -0,0 +1,15 @@
+*.emerg :omusrmsg:*
+mail.* -/var/log/mail
+mail.info -/var/log/mail.info
+mail.warning -/var/log/mail.warn
+mail.err /var/log/mail.err
+news.crit -/var/log/news/news.crit
+news.err -/var/log/news/news.err
+news.notice -/var/log/news/news.notice
+*.=warning;*.=err -/var/log/warn
+*.crit /var/log/warn
+*.*;mail.none;news.none -/var/log/messages
+local0,local1.* -/var/log/localmessages
+local2,local3.* -/var/log/localmessages
+local4,local5.* -/var/log/localmessages
+local6,local7.* -/var/log/localmessages
\ No newline at end of file
diff --git a/templates/audit.rules.j2 b/templates/audit.rules.j2
new file mode 100644
index 0000000..3464e2a
--- /dev/null
+++ b/templates/audit.rules.j2
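Review bot: The new `auditd_action_mail_acct` default in config.cfg is a personal third-party mailbox, and auditd.conf.j2 passes it straight through as `action_mail_acct`, so every deployment that does not edit this line will send its low-disk and admin-space audit alerts (which reveal hostname and disk state) off the box to a stranger. Ship a neutral default and make the operator opt in: `auditd_action_mail_acct: root` with the comment `# Recipient of auditd space_left/admin_space_left alerts; set to a mailbox you control (requires a working MTA on the host)`. A committed personal address is also a privacy leak for the author once this repository is public.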
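Review bot: CIS.conf.j2 routes mail, news and local facilities to dedicated files but has no rule for `auth,authpriv.*`, so the authentication stream (sshd, sudo, PAM, and strongswan if it logs via syslog) only lands in /var/log/messages through the `*.*` catch-all, mixed with everything else; a dedicated, synchronous `auth,authpriv.* /var/log/auth.log` line makes incident review and log-shipping filters far simpler, and omitting the leading `-` avoids losing the last auth events in a buffer on a crash. Whether the distro's own rules in /etc/rsyslog.d already provide such a file cannot be told from this diff, so if they are being kept the new rule should be scoped to avoid a second copy. Most destinations here use the `-` async prefix; for a security host consider keeping at least `*.crit` and auth writes synchronous, which the file already does for `/var/log/warn`.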
@@ -0,0 +1,101 @@
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+#
+# First rule - delete all
+-D
+
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b 320
+
+# Feel free to add below this line. See auditctl man page
+
+# Record Events That Modify Date and Time Information
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+{% endif %}
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-w /etc/localtime -p wa -k time-change
+
+# Record Events That Modify User/Group Information
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# Record Events That Modify the System's Network Environment
+{% if ansible_architecture == "x86_64" %}
+-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+{% endif %}
+-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/network/interfaces -p wa -k system-locale
+
+# Collect Login and Logout Events
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+# Collect Session Initiation Information
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+
+# Collect Discretionary Access Control Permission Modification Events
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+{% endif %}
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+
+# Collect Unsuccessful Unauthorized Access Attempts to Files
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+{% endif %}
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+
+# Collect Use of Privileged Commands
+{% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %}
+{{ privileged_programs.stdout }}
+{% endif %}
+
+# Collect Successful File System Mounts
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+{% endif %}
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+
+# Collect File Deletion Events by User
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+{% endif %}
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+
+# Collect Changes to System Administration Scope
+-w /etc/sudoers -p wa -k scope
+
+# Collect System Administrator Actions (sudolog)
+-w /var/log/sudo.log -p wa -k actions
+
+# Collect Kernel Module Loading and Unloading
+{% if ansible_architecture == "x86_64" %}
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+{% endif %}
+-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+
+-e 2
diff --git a/templates/auditd.conf.j2 b/templates/auditd.conf.j2
new file mode 100644
index 0000000..24aac73
--- /dev/null
+++ b/templates/auditd.conf.j2
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 10
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = email
+action_mail_acct = {{ auditd_action_mail_acct }}
+admin_space_left = 50
+admin_space_left_action = email
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
\ No newline at end of file
diff --git a/templates/rsyslog.conf.j2 b/templates/rsyslog.conf.j2
new file mode 100644
index 0000000..2551380
--- /dev/null
+++ b/templates/rsyslog.conf.j2
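Review bot: The final `-e 2` makes the loaded ruleset immutable until reboot, so on every later playbook run the `restart auditd` handler in common.yml will fail to replace the rules (auditctl refuses changes and reports an error) while the template task itself reports success, leaving the host on stale rules without anyone noticing; either document it right above the line, `# -e 2 locks the rules until reboot: changes to this file require a reboot, not a restart`, or have the playbook reboot the host when this template changes. Every syscall rule filters on `auid>=500`, but the targets this playbook manages look Debian-family (apparmor-utils, /etc/network/interfaces), where UID_MIN is 1000; that makes system accounts 500–999 look like interactive users in the audit trail and diverges from the CIS values for those distributions, so `auid>=1000` here (and in the awk in common.yml) is the matching choice, hedged by whatever login.defs actually says on the target. `-b 320` is a small backlog for this many syscall rules; under a burst the kernel drops events and only logs the loss via printk, so a larger buffer (CIS suggests 8192) is cheap insurance on an otherwise quiet VPN host.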
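Review bot: `max_log_file_action = keep_logs` ignores `num_logs = 5`, so the 10 MB audit files accumulate without bound, and when the volume fills `disk_full_action = SUSPEND` simply stops auditing while the VPN keeps serving — the combination gives an attacker a way to blind the audit trail by generating noise, and `admin_space_left_action = email` only warns rather than acting. Either pair `keep_logs` with an external rotation/shipping job, or use `max_log_file_action = ROTATE` so `num_logs` takes effect, and decide explicitly whether `admin_space_left_action = halt`/`single` (the CIS stance) is acceptable for this host's availability. The `email` actions also depend on the sendmail installed in common.yml being able to deliver from a cloud host, which usually needs confirmation; a short comment on `space_left_action` noting that dependency would save the next operator a surprise.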
@@ -0,0 +1,61 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+#
+# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
+
+#
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog") # provides kernel logging support
+#module(load="immark") # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+# Enable non-kernel facility klog messages
+$KLogPermitNonKernelFacility on
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Filter duplicated messages
+$RepeatedMsgReduction on
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner syslog
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$PrivDropToUser syslog
+$PrivDropToGroup syslog
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
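Review bot: `$IncludeConfig /etc/rsyslog.d/*.conf` at the end of the template still pulls in the distribution's default rule file that this file's own header names (`50-default.conf`), and nothing in the playbook removes or disables it; together with the `*.*;mail.none;news.none -/var/log/messages` catch-all in CIS.conf.j2 every message is then written twice (e.g. to /var/log/syslog and /var/log/messages), doubling disk use on a small VPN host and hastening the audit-disk-full condition. Either remove the distro rule file in common.yml when CIS.conf is installed, or drop the catch-all and keep only the CIS-specific additions, and note the decision in a comment next to the include, e.g. `# CIS.conf provides the catch-all; remove 50-default.conf to avoid duplicate logging`. `$FileOwner syslog` and `$PrivDropToUser syslog` also assume a `syslog` account exists on the target, which is a Debian/Ubuntu packaging detail rather than a given on every distro; if this template is ever applied elsewhere rsyslog will fail to start.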