From 632571b0bba5620c06295b42135a67bec9be5948 Mon Sep 17 00:00:00 2001
From: Hoang Nguyen
Date: Sat, 20 Jan 2024 00:00:00 +0700
Subject: [PATCH] Minor correction to audit rules
---
 group_vars/all.yml | 2 +-
 roles/auditd/templates/audit.rules.j2 | 27 +++++++++++++++------------
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 1061740..2457441 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,6 +1,6 @@
 ---
 # Choices of components ────────────────────────────────────────────────────────────
-# NOTE: verified with `reqirements/accepted_variables.yml`, so keep them as top-level
+# NOTE: verified with `requirements/accepted_variables.yml`, so keep them as top-level
 snapshot_tool: btrbk
diff --git a/roles/auditd/templates/audit.rules.j2 b/roles/auditd/templates/audit.rules.j2
index 40e6b1c..62df1ed 100644
--- a/roles/auditd/templates/audit.rules.j2
+++ b/roles/auditd/templates/audit.rules.j2
@@ -36,11 +36,11 @@
 -a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
 ## Access to all audit trails
--a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
+-a always,exit -F arch=b64 -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
+-a always,exit -F arch=b64 -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
+-a always,exit -F arch=b64 -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
+-a always,exit -F arch=b64 -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
+-a always,exit -F arch=b64 -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
 # Filters ---------------------------------------------------------------------
@@ -59,8 +59,7 @@
 {% endif %}
 ## High Volume Event Filter (especially on Linux Workstations)
--a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
--a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
+-a never,exit -F arch=b64 -F dir=/dev/shm/ -F key=sharedmemaccess
 # Rules -----------------------------------------------------------------------
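Review bot: Adding `-F arch=b64` to the five auditlog_local_access rules turns them from arch-independent file watches into 64-bit-only syscall rules, so on a multilib host with 32-bit compat enabled, running ausearch/aureport/aulast/aulastlog/auvirt through the 32-bit syscall ABI would no longer be recorded. If that is acceptable it should be stated, since the rest of this template already appears to be b64-only; otherwise either keep the arch-less form or pair each line with a b32 twin such as `-a always,exit -F arch=b32 -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access`. A one-line comment above the section, e.g. `## NOTE: b64-only; 32-bit compat callers are not audited`, would make the choice explicit for the next reader.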
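Review bot: Deleting the `/var/lock/lvm` exclusion means LVM lock-file churn is no longer filtered out by this "High Volume Event Filter" block, and the subject line "Minor correction" does not say whether that is intended or whether the exclusion was dropped because the path is stale. If the latter, modern lvm2 typically keeps its locks under `/run/lock/lvm`, so the correction would be `-a never,exit -F arch=b64 -F dir=/run/lock/lvm/ -F key=locklvm` rather than removal. Note also that `never` rules only suppress events for rules that follow them, so this block must stay ahead of the directory rules it is meant to quiet.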
@@ -96,14 +95,18 @@
 -a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
 ## Cron configuration & scheduled jobs
+-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
+{% if crond_provider == 'cronie' %}
+-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
 -a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
 -a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
+{% endif %}
+{% if crond_provider == 'fcron' %}
 -a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
--a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
--a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
--a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
 -a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
--a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
+{% endif %}
 ## User, group, password databases
 -a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
@@ -183,7 +186,7 @@
 -a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
 ## Session initiation information
--a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
+-a always,exit -F arch=b64 -F dir=/var/log/swtpm/ -F perm=wa -F key=session
 # Special Rules ---------------------------------------------------------------
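Review bot: The two new `{% if crond_provider == ... %}` blocks emit no provider-specific cron rules at all when `crond_provider` is anything other than `cronie` or `fcron`, and Jinja's default Undefined compares unequal without error, so a misspelled or unset value silently drops the `/etc/cron.d/`, `cron.allow`/`cron.deny` or `/etc/fcron/` watches from the generated file. If `crond_provider` is one of the variables checked against `requirements/accepted_variables.yml` (as the note in group_vars/all.yml describes) this is already guarded; if not, an `{% else %}` branch emitting `## WARNING: unknown crond_provider, no provider-specific cron rules` would at least make the gap visible in the rendered rules. Separately, on cronie installs that also read a system crontab at `/etc/crontab`, that file is not covered by the cronie block; consider adding `-a always,exit -F arch=b64 -F path=/etc/crontab -F perm=wa -F key=cron` next to the `/etc/cron.d/` line.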
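Review bot: The corrected path `/var/log/swtpm/` is the log directory of the swtpm software-TPM emulator, not session data, so the new line under "## Session initiation information" audits an unrelated directory; the old `swtmp` looks like a typo of `wtmp`, and the session records on Linux are the regular files `/var/log/wtmp`, `/var/log/btmp` and `/run/utmp`, which need `-F path=` rather than `-F dir=`. Replace the added line with `-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F key=session`, `-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F key=session` and `-a always,exit -F arch=b64 -F path=/run/utmp -F perm=wa -F key=session`. If the project does intend to audit swtpm's logs, that rule belongs under its own heading and key rather than `session`.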