tripleo-heat-templates/environments/auditd.yaml
Cédric Jeanneret 8a5e9e68dd Use the new tripleo_auditd ansible role instead of puppet
Since puppet-auditd is deprecated and archived, we have to switch to a
new way of configuring that service.

This patch also cleans deprecated rules/parameters.

Beware of the release note: existing custom configuration must now be
passed as a standard parameter_defaults entry via the AuditdConfig dict.

Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/848758
Change-Id: I0222d32be13d640280d42e3c0956eed352f97e1c
Closes-Bug: #1964733
2022-08-16 07:36:09 +00:00

117 lines
6.9 KiB
YAML

resource_registry:
OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-ansible.yaml
parameter_defaults:
AuditdRules:
'Record attempts to alter time through adjtimex':
content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
order : 1
'Record attempts to alter time through settimeofday':
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
order : 2
'Record Attempts to Alter Time Through clock_settime':
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
order : 3
'Record Attempts to Alter the localtime File':
content: '-w /etc/localtime -p wa -k audit_time_rules'
order : 4
'Record Events that Modify the Systems Discretionary Access Controls - chmod':
content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 4
'Record Events that Modify the Systems Discretionary Access Controls - chown':
content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 5
'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 6
'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 7
'Record Events that Modify the Systems Discretionary Access Controls - fchown':
content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 8
'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 9
'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 10
'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 11
'Record Events that Modify the Systems Discretionary Access Controls - lchown':
content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 12
'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 13
'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 14
'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 15
'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 16
'Record Events that Modify User/Group Information - /etc/group':
content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
order : 17
'Record Events that Modify User/Group Information - /etc/passwd':
content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
order : 18
'Record Events that Modify User/Group Information - /etc/gshadow':
content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
order : 19
'Record Events that Modify User/Group Information - /etc/shadow':
content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
order : 20
'Record Events that Modify User/Group Information - /etc/opasswd':
content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
order : 21
'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
order : 22
'Record Events that Modify the Systems Network Environment - /etc/issue':
content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
order : 23
'Record Events that Modify the Systems Network Environment - /etc/issue.net':
content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
order : 24
'Record Events that Modify the Systems Network Environment - /etc/hosts':
content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
order : 25
'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
order : 26
'Record Events that Modify the Systems Mandatory Access Controls':
content: '-w /etc/selinux/ -p wa -k MAC-policy'
order : 27
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
order : 28
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
order : 29
'Ensure auditd Collects Information on the Use of Privileged Commands':
content: '-a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
order : 30
'Ensure auditd Collects Information on Exporting to Media (successful)':
content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
order : 31
'Ensure auditd Collects File Deletion Events by User':
content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
order : 32
'Ensure auditd Collects System Administrator Actions':
content: '-w /etc/sudoers -p wa -k actions'
order : 33
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
content: '-w /usr/sbin/insmod -p x -k modules'
order : 34
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
content: '-w /usr/sbin/rmmod -p x -k modules'
order : 35
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
content: '-w /usr/sbin/modprobe -p x -k modules'
order : 36