openstack-ansible-security/tasks/auditd.yml

293 lines
7.5 KiB
YAML

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
service:
name: auditd
state: started
enabled: true
when: not check_mode
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: Verify that auditd.conf exists
stat:
path: /etc/audit/auditd.conf
register: auditd_conf
always_run: true
tags:
- auditd
- always
- name: V-38633 - The system must set a maximum audit log file size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file(?!_action)"
line: "max_log_file = {{ security_max_log_file }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38633
- name: V-38634 - The system must rotate audit log files that reach the max file size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?max_log_file_action ="
line: "max_log_file_action = {{ security_max_log_file_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38634
- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?num_logs ="
line: "num_logs = {{ security_num_logs }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38636
# The debsums command returns 0 if the files haven't been altered but it
# returns 2 otherwise. We also will check to see if auditd has been installed
# and fail if it's not installed.
- name: Checking auditd package contents for alterations with debsums (for V-38637)
shell: debsums auditd -c
register: v38637_result
changed_when: False
failed_when: "'not installed' in v38637_result.stdout"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'apt'
- v38637_result.rc == 2
tags:
- auditd
- cat2
- V-38637
- name: Check audit package contents for alterations with rpm (for V-38637)
shell: "rpmverify audit audit-libs | egrep -v '/(etc|var)' | wc -l"
register: v38637_result
changed_when: False
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'yum'
- v38637_result.stdout != "0"
tags:
- auditd
- cat2
- V-38637
- name: Verify that auditd log directory exists (for V-38445)
stat:
path: /var/log/audit/
register: auditd_log_dir
always_run: True
tags:
- auditd
- always
- name: V-38445 - Audit log files must be group-owned by root
file:
dest: /var/log/audit/
group: root
recurse: true
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38445
- name: V-38464 - The audit system must take action for disk errors
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_error_action"
line: "disk_error_action = {{ security_disk_error_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38464
- name: V-38468 - The audit system must take action when the disk is full
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?disk_full_action"
line: "disk_full_action = {{ security_disk_full_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38468
- name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left(?!_action)"
line: "space_left = {{ security_space_left }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38678
- name: V-38470 - The audit system must take action when the disk is almost full
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?space_left_action"
line: "space_left_action = {{ security_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38470
- name: V-38680 - Audit system must send email notifications when storage capacity is low
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?action_mail_acct"
line: "action_mail_acct = {{ security_action_mail_acct }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-38680
- name: V-38495 - Audit log files must be owned by root
file:
dest: /var/log/audit/
owner: root
recurse: true
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38495
# TODO: Ansible 2.0 offers the find module and that will allow this task to
# avoid using the shell module to get a list of logs. This task should be
# adjusted to use the find module when Ansible 2.0 is fully released.
- name: Get a list of audit logs in the auditd directory (for V-38498)
shell: ls /var/log/audit/
register: v38498_result
changed_when: false
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38498
# On most systems, the active log file is 0600 and the older logs are 0400.
# This task ensures that all logs meet or exceed the STIG requirement.
- name: V-38498 - Audit log files must have mode 0640 or less
file:
dest: "/var/log/audit/{{ item }}"
mode: "u-x,g-wx,o-rwx"
with_items: "{{ v38498_result.stdout_lines | default([]) }}"
when: auditd_log_dir.stat.exists | bool
tags:
- auditd
- cat2
- V-38498
- name: Remove system default audit.rules file
file:
path: /etc/audit/rules.d/audit.rules
state: absent
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
tags:
- always
- name: Auditd rules (includes several STIGs)
template:
src: osas-auditd.j2
dest: /etc/audit/rules.d/osas-auditd.rules
notify:
- generate auditd rules
tags:
- auditd
- cat3
- name: V-38471 - Forward auditd records to syslog
lineinfile:
dest: /etc/audisp/plugins.d/syslog.conf
regexp: "^(#)?active"
line: "active = yes"
state: present
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat3
- V-38471
- name: V-54381 - The audit system must switch to single user mode when disk space is low
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^(#)?admin_space_left_action"
line: "admin_space_left_action = {{ security_admin_space_left_action }}"
when: auditd_conf.stat.exists | bool
notify:
- restart auditd
tags:
- auditd
- cat2
- V-54381