Add AuditD composable service
This patch allows the management of the AuditD service and its associated files (such as `audit.rules`). This is achieved by means of the `puppet-auditd` puppet module. It also places the SSH banner capabilities-map entry on top of this patch. Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
This commit is contained in:
parent
c349789089
commit
afdc138987
|
@ -541,6 +541,14 @@ topics:
|
||||||
- title: Security Options
|
- title: Security Options
|
||||||
description: Security Hardening Options
|
description: Security Hardening Options
|
||||||
environment_groups:
|
environment_groups:
|
||||||
|
- title: SSH Banner Text
|
||||||
|
description: Enables population of SSH Banner Text
|
||||||
|
environments:
|
||||||
|
- file: environments/sshd-banner.yaml
|
||||||
|
title: SSH Banner Text
|
||||||
|
description:
|
||||||
|
requires:
|
||||||
|
- overcloud-resource-registry-puppet.yaml
|
||||||
- title: Horizon Password Validation
|
- title: Horizon Password Validation
|
||||||
description: Enable Horizon Password validation
|
description: Enable Horizon Password validation
|
||||||
environments:
|
environments:
|
||||||
|
@ -549,3 +557,11 @@ topics:
|
||||||
description:
|
description:
|
||||||
requires:
|
requires:
|
||||||
- overcloud-resource-registry-puppet.yaml
|
- overcloud-resource-registry-puppet.yaml
|
||||||
|
- title: AuditD Rules
|
||||||
|
description: Management of AuditD rules
|
||||||
|
environments:
|
||||||
|
- file: environments/auditd.yaml
|
||||||
|
title: AuditD Rule Management
|
||||||
|
description:
|
||||||
|
requires:
|
||||||
|
- overcloud-resource-registry-puppet.yaml
|
||||||
|
|
|
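Review bot: Both new capabilities-map entries leave `description:` bare (after `title: SSH Banner Text` and after `title: AuditD Rule Management`), which a YAML parser reads as null rather than an empty string; the existing Horizon entry shown in context does the same, so the consuming tooling presumably tolerates it, but a one-line description costs nothing here. For the AuditD entry I would write `description: Enables the auditd service and installs the audit rules supplied via AuditdRules`, and for the banner entry `description: Sets the SSH login banner text`. The enclosing `topics` list starts and ends outside both hunks.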
@ -0,0 +1,119 @@
|
||||||
|
resource_registry:
|
||||||
|
OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
|
||||||
|
|
||||||
|
parameter_defaults:
|
||||||
|
AuditdRules:
|
||||||
|
'Record attempts to alter time through adjtimex':
|
||||||
|
content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
|
||||||
|
order : 1
|
||||||
|
'Record attempts to alter time through settimeofday':
|
||||||
|
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
|
||||||
|
order : 2
|
||||||
|
'Record Attempts to Alter Time Through stime':
|
||||||
|
content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
|
||||||
|
order : 3
|
||||||
|
'Record Attempts to Alter Time Through clock_settime':
|
||||||
|
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
|
||||||
|
order : 4
|
||||||
|
'Record Attempts to Alter the localtime File':
|
||||||
|
content: '-w /etc/localtime -p wa -k audit_time_rules'
|
||||||
|
order : 5
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - chmod':
|
||||||
|
content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 5
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - chown':
|
||||||
|
content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 6
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
|
||||||
|
content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 7
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
|
||||||
|
content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 8
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - fchown':
|
||||||
|
content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 9
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
|
||||||
|
content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 10
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
|
||||||
|
content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 11
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
|
||||||
|
content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 12
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - lchown':
|
||||||
|
content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 13
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
|
||||||
|
content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 14
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
|
||||||
|
content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 15
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
|
||||||
|
content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 16
|
||||||
|
'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
|
||||||
|
content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
|
order : 17
|
||||||
|
'Record Events that Modify User/Group Information - /etc/group':
|
||||||
|
content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
|
||||||
|
order : 18
|
||||||
|
'Record Events that Modify User/Group Information - /etc/passwd':
|
||||||
|
content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
|
||||||
|
order : 19
|
||||||
|
'Record Events that Modify User/Group Information - /etc/gshadow':
|
||||||
|
content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
|
||||||
|
order : 20
|
||||||
|
'Record Events that Modify User/Group Information - /etc/shadow':
|
||||||
|
content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
|
||||||
|
order : 21
|
||||||
|
'Record Events that Modify User/Group Information - /etc/opasswd':
|
||||||
|
content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
|
||||||
|
order : 22
|
||||||
|
'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
|
||||||
|
content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
|
||||||
|
order : 23
|
||||||
|
'Record Events that Modify the Systems Network Environment - /etc/issue':
|
||||||
|
content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
|
||||||
|
order : 24
|
||||||
|
'Record Events that Modify the Systems Network Environment - /etc/issue.net':
|
||||||
|
content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
|
||||||
|
order : 25
|
||||||
|
'Record Events that Modify the Systems Network Environment - /etc/hosts':
|
||||||
|
content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
|
||||||
|
order : 26
|
||||||
|
'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
|
||||||
|
content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
|
||||||
|
order : 27
|
||||||
|
'Record Events that Modify the Systems Mandatory Access Controls':
|
||||||
|
content: '-w /etc/selinux/ -p wa -k MAC-policy'
|
||||||
|
order : 28
|
||||||
|
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
|
||||||
|
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
|
||||||
|
order : 29
|
||||||
|
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
|
||||||
|
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||||
|
order : 30
|
||||||
|
'Ensure auditd Collects Information on the Use of Privileged Commands':
|
||||||
|
content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
|
||||||
|
order : 31
|
||||||
|
'Ensure auditd Collects Information on Exporting to Media (successful)':
|
||||||
|
content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
|
||||||
|
order : 32
|
||||||
|
'Ensure auditd Collects File Deletion Events by User':
|
||||||
|
content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||||
|
order : 33
|
||||||
|
'Ensure auditd Collects System Administrator Actions':
|
||||||
|
content: '-w /etc/sudoers -p wa -k actions'
|
||||||
|
order : 34
|
||||||
|
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
|
||||||
|
content: '-w /usr/sbin/insmod -p x -k modules'
|
||||||
|
order : 35
|
||||||
|
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
|
||||||
|
content: '-w /usr/sbin/rmmod -p x -k modules'
|
||||||
|
order : 36
|
||||||
|
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
|
||||||
|
content: '-w /usr/sbin/modprobe -p x -k modules'
|
||||||
|
order : 37
|
|
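Review bot: The privileged-command rule (`content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x ...'`) ships the literal placeholder `SETUID_PROG_PATH`, so as written it either fails to load or never matches anything; the guidance this set follows expects one such rule per setuid/setgid binary found on the host, so either drop it from the shipped defaults or document in a comment above it that operators must replace the placeholder. Two entries share `order : 5` (the `/etc/localtime` watch and the `chmod` rule) while every other entry is unique, which looks like a numbering slip; if `auditd::rules` sorts fragments by this value, the relative order of those two is undefined. Every syscall rule is `arch=b64` only, so the 32-bit entry points for the same syscalls go unaudited; the usual hardening baselines pair each with an `arch=b32` twin, and `-S stime` in particular is not a 64-bit syscall on x86_64, so that rule is likely rejected at load time. The release note in this change states that failed login attempts are captured, but no rule here watches the login-failure logs, so either the note or the rule set should be adjusted. Minor style point: `order : N` has a space before the colon throughout; `order: N` is the conventional form.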
@ -240,6 +240,7 @@ resource_registry:
|
||||||
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
|
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
|
||||||
OS::TripleO::Services::Etcd: OS::Heat::None
|
OS::TripleO::Services::Etcd: OS::Heat::None
|
||||||
OS::TripleO::Services::Ec2Api: OS::Heat::None
|
OS::TripleO::Services::Ec2Api: OS::Heat::None
|
||||||
|
OS::TripleO::Services::AuditD: OS::Heat::None
|
||||||
|
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
EnablePackageInstall: false
|
EnablePackageInstall: false
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
heat_template_version: ocata
|
||||||
|
|
||||||
|
description: >
|
||||||
|
AuditD configured with Puppet
|
||||||
|
|
||||||
|
parameters:
|
||||||
|
ServiceNetMap:
|
||||||
|
default: {}
|
||||||
|
description: Mapping of service_name -> network name. Typically set
|
||||||
|
via parameter_defaults in the resource registry. This
|
||||||
|
mapping overrides those in ServiceNetMapDefaults.
|
||||||
|
type: json
|
||||||
|
DefaultPasswords:
|
||||||
|
default: {}
|
||||||
|
type: json
|
||||||
|
EndpointMap:
|
||||||
|
default: {}
|
||||||
|
description: Mapping of service endpoint -> protocol. Typically set
|
||||||
|
via parameter_defaults in the resource registry.
|
||||||
|
type: json
|
||||||
|
AuditdRules:
|
||||||
|
description: Mapping of auditd rules
|
||||||
|
type: json
|
||||||
|
default: {}
|
||||||
|
|
||||||
|
outputs:
|
||||||
|
role_data:
|
||||||
|
description: Role data for the auditd service
|
||||||
|
value:
|
||||||
|
service_name: auditd
|
||||||
|
config_settings:
|
||||||
|
auditd::rules: {get_param: AuditdRules}
|
||||||
|
step_config: |
|
||||||
|
include ::tripleo::profile::base::auditd
|
|
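Review bot: `AuditdRules` is documented only as `Mapping of auditd rules`, which does not tell an operator the shape `auditd::rules` expects; the companion environment file in this change uses `<rule name>: {content: '<auditctl rule line>', order: <int>}`, so I would write `description: Mapping of rule name -> {content: auditctl rule line, order: integer used to sort the rules}`. With the default of `{}`, enabling the service installs auditd with no rules, which is presumably intended because the environment file supplies them, but it is worth stating in the template's top-level `description`. `include ::tripleo::profile::base::auditd` relies on the profile class from the Depends-On change, and the template carries no `upgrade_tasks`; if other services in this tree do, auditd will be left unhandled during upgrades unless they are added.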
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds the ability to manage auditd.service and enter audit.rules via tripleo
|
||||||
|
heat templates. This in turn enforces an audit log of system events, such
|
||||||
|
as system time changes, modifications to Discretionary Access Controls,
|
||||||
|
Failed login attempts.
|
||||||
|
|
||||||
|
|
|
@ -112,6 +112,7 @@
|
||||||
- OS::TripleO::Services::NeutronML2FujitsuFossw
|
- OS::TripleO::Services::NeutronML2FujitsuFossw
|
||||||
- OS::TripleO::Services::CinderHPELeftHandISCSI
|
- OS::TripleO::Services::CinderHPELeftHandISCSI
|
||||||
- OS::TripleO::Services::Etcd
|
- OS::TripleO::Services::Etcd
|
||||||
|
- OS::TripleO::Services::AuditD
|
||||||
|
|
||||||
- name: Compute
|
- name: Compute
|
||||||
CountDefault: 1
|
CountDefault: 1
|
||||||
|
@ -139,6 +140,7 @@
|
||||||
- OS::TripleO::Services::OpenDaylightOvs
|
- OS::TripleO::Services::OpenDaylightOvs
|
||||||
- OS::TripleO::Services::SensuClient
|
- OS::TripleO::Services::SensuClient
|
||||||
- OS::TripleO::Services::FluentdClient
|
- OS::TripleO::Services::FluentdClient
|
||||||
|
- OS::TripleO::Services::AuditD
|
||||||
|
|
||||||
- name: BlockStorage
|
- name: BlockStorage
|
||||||
ServicesDefault:
|
ServicesDefault:
|
||||||
|
@ -153,6 +155,7 @@
|
||||||
- OS::TripleO::Services::TripleoFirewall
|
- OS::TripleO::Services::TripleoFirewall
|
||||||
- OS::TripleO::Services::SensuClient
|
- OS::TripleO::Services::SensuClient
|
||||||
- OS::TripleO::Services::FluentdClient
|
- OS::TripleO::Services::FluentdClient
|
||||||
|
- OS::TripleO::Services::AuditD
|
||||||
|
|
||||||
- name: ObjectStorage
|
- name: ObjectStorage
|
||||||
disable_upgrade_deployment: True
|
disable_upgrade_deployment: True
|
||||||
|
@ -169,6 +172,7 @@
|
||||||
- OS::TripleO::Services::TripleoFirewall
|
- OS::TripleO::Services::TripleoFirewall
|
||||||
- OS::TripleO::Services::SensuClient
|
- OS::TripleO::Services::SensuClient
|
||||||
- OS::TripleO::Services::FluentdClient
|
- OS::TripleO::Services::FluentdClient
|
||||||
|
- OS::TripleO::Services::AuditD
|
||||||
|
|
||||||
- name: CephStorage
|
- name: CephStorage
|
||||||
disable_upgrade_deployment: True
|
disable_upgrade_deployment: True
|
||||||
|
@ -184,3 +188,4 @@
|
||||||
- OS::TripleO::Services::TripleoFirewall
|
- OS::TripleO::Services::TripleoFirewall
|
||||||
- OS::TripleO::Services::SensuClient
|
- OS::TripleO::Services::SensuClient
|
||||||
- OS::TripleO::Services::FluentdClient
|
- OS::TripleO::Services::FluentdClient
|
||||||
|
- OS::TripleO::Services::AuditD
|
||||||
|
|