Add AuditD composable service

This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)

This is achieved by means of the `puppet-auditd` puppet module.

Also places the SSH banner capabilities-map entry on top of this patch.

Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
This commit is contained in:
Steven Hardy 2017-01-18 12:25:56 +00:00 committed by lhinds
parent c349789089
commit afdc138987
6 changed files with 184 additions and 0 deletions


@ -541,6 +541,14 @@ topics:
- title: Security Options
description: Security Hardening Options
environment_groups:
- title: SSH Banner Text
description: Enables population of SSH Banner Text
environments:
- file: environments/sshd-banner.yaml
title: SSH Banner Text
description:
requires:
- overcloud-resource-registry-puppet.yaml
- title: Horizon Password Validation
description: Enable Horizon Password validation
environments:
@ -549,3 +557,11 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml
- title: AuditD Rules
description: Management of AuditD rules
environments:
- file: environments/auditd.yaml
title: AuditD Rule Management
description:
requires:
- overcloud-resource-registry-puppet.yaml

119
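--- a/environments/auditd.yaml
+++ b/environments/auditd.yaml
@@ -0,0 +1,119 @@
+resource_registry:
+  OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
+parameter_defaults:
+  AuditdRules:
+    'Record attempts to alter time through adjtimex':
+      content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
+      order : 1
+    'Record attempts to alter time through settimeofday':
+      content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
+      order : 2
+    'Record Attempts to Alter Time Through stime':
+      content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
+      order : 3
+    'Record Attempts to Alter Time Through clock_settime':
+      content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
+      order : 4
+    'Record Attempts to Alter the localtime File':
+      content: '-w /etc/localtime -p wa -k audit_time_rules'
+      order : 5
+    'Record Events that Modify the Systems Discretionary Access Controls - chmod':
+      content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 5
+    'Record Events that Modify the Systems Discretionary Access Controls - chown':
+      content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 6
+    'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
+      content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 7
+    'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
+      content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 8
+    'Record Events that Modify the Systems Discretionary Access Controls - fchown':
+      content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 9
+    'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
+      content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 10
+    'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
+      content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 11
+    'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
+      content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 12
+    'Record Events that Modify the Systems Discretionary Access Controls - lchown':
+      content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 13
+    'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
+      content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 14
+    'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
+      content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 15
+    'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
+      content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 16
+    'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
+      content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order : 17
+    'Record Events that Modify User/Group Information - /etc/group':
+      content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
+      order : 18
+    'Record Events that Modify User/Group Information - /etc/passwd':
+      content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
+      order : 19
+    'Record Events that Modify User/Group Information - /etc/gshadow':
+      content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
+      order : 20
+    'Record Events that Modify User/Group Information - /etc/shadow':
+      content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
+      order : 21
+    'Record Events that Modify User/Group Information - /etc/opasswd':
+      content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
+      order : 22
+    'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
+      content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
+      order : 23
+    'Record Events that Modify the Systems Network Environment - /etc/issue':
+      content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
+      order : 24
+    'Record Events that Modify the Systems Network Environment - /etc/issue.net':
+      content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
+      order : 25
+    'Record Events that Modify the Systems Network Environment - /etc/hosts':
+      content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
+      order : 26
+    'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
+      content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
+      order : 27
+    'Record Events that Modify the Systems Mandatory Access Controls':
+      content: '-w /etc/selinux/ -p wa -k MAC-policy'
+      order : 28
+    'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
+      content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+      order : 29
+    'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
+      content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+      order : 30
+    'Ensure auditd Collects Information on the Use of Privileged Commands':
+      content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
+      order : 31
+    'Ensure auditd Collects Information on Exporting to Media (successful)':
+      content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
+      order : 32
+    'Ensure auditd Collects File Deletion Events by User':
+      content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+      order : 33
+    'Ensure auditd Collects System Administrator Actions':
+      content: '-w /etc/sudoers -p wa -k actions'
+      order : 34
+    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
+      content: '-w /usr/sbin/insmod -p x -k modules'
+      order : 35
+    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
+      content: '-w /usr/sbin/rmmod -p x -k modules'
+      order : 36
+    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
+      content: '-w /usr/sbin/modprobe -p x -k modules'
+      order : 37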
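Review bot: The 'Record Attempts to Alter Time Through stime' rule requests `-S stime` under `-F arch=b64`, but unless I am mistaken stime exists only in the 32-bit syscall table on x86_64, so auditctl rejects that line when the rules file is loaded and, depending on how the loader handles errors, the rules after it may never be installed; drop it or move it to an `-F arch=b32` rule. The chmod rule carries `order : 5`, the same value as the localtime rule directly above it, so the relative position of those two lines in the generated audit.rules is not deterministic; renumber chmod to 6 and shift the later entries up by one. The 'Use of Privileged Commands' rule keeps the literal placeholder `-F path=SETUID_PROG_PATH`, which audits no real binary, so a deployer must override it with one rule per setuid/setgid program present on the image, and a comment on that entry should say so. Every syscall rule is b64-only, leaving calls made through the 32-bit ABI unaudited on these hosts; the usual hardening baselines pair each b64 rule with a b32 equivalent. As a point of style, `order : 1` has a space before the colon on every rule; write `order: 1`.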


@ -240,6 +240,7 @@ resource_registry:
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
OS::TripleO::Services::Etcd: OS::Heat::None
OS::TripleO::Services::Ec2Api: OS::Heat::None
OS::TripleO::Services::AuditD: OS::Heat::None
parameter_defaults:
EnablePackageInstall: false


@ -0,0 +1,34 @@
heat_template_version: ocata
description: >
AuditD configured with Puppet
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
AuditdRules:
description: Mapping of auditd rules
type: json
default: {}
outputs:
role_data:
description: Role data for the auditd service
value:
service_name: auditd
config_settings:
auditd::rules: {get_param: AuditdRules}
step_config: |
include ::tripleo::profile::base::auditd
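Review bot: The `AuditdRules` parameter is documented only as `Mapping of auditd rules`, which does not tell a deployer what shape the value passed to `auditd::rules` must have; the shape is visible only from the sample environment file that ships with this change. Suggest `description: Mapping of rule name -> {content: <one auditctl rule line>, order: <integer giving the rule's position in audit.rules>}`, hedged with "presumably" on the ordering semantics if the puppet module's behaviour has not been confirmed. It is also worth noting there that a `content` value which auditctl cannot parse can prevent the rest of the rules from loading, so each line should be validated on a host before being set deployment-wide. `DefaultPasswords` is the only parameter in this template without a description, while its neighbours have one.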


@ -0,0 +1,9 @@
---
features:
- |
Adds the ability to manage auditd.service and enter audit.rules via tripleo
heat templates. This in turn enforces an audit log of system events, such
as system time changes, modifications to Discretionary Access Controls,
Failed login attempts.


@ -112,6 +112,7 @@
- OS::TripleO::Services::NeutronML2FujitsuFossw
- OS::TripleO::Services::CinderHPELeftHandISCSI
- OS::TripleO::Services::Etcd
- OS::TripleO::Services::AuditD
- name: Compute
CountDefault: 1
@ -139,6 +140,7 @@
- OS::TripleO::Services::OpenDaylightOvs
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: BlockStorage
ServicesDefault:
@ -153,6 +155,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: ObjectStorage
disable_upgrade_deployment: True
@ -169,6 +172,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: CephStorage
disable_upgrade_deployment: True
@ -184,3 +188,4 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD