X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Finfra-ansible.git;a=blobdiff_plain;f=roles%2Faudit%2Ftemplates%2F30-stig.rules.j2;h=add45f9cfe1895ab31f45ccc1260795319d41819;hp=14cc06adefe906e598a77dc4454c85324f9cfff7;hb=070e5c7e2d2ac18fc59f3fe83d364062f4883050;hpb=b2e13865c2b899ce48148879da20323bd9bc988c
diff --git a/roles/audit/templates/30-stig.rules.j2 b/roles/audit/templates/30-stig.rules.j2
index 14cc06a..add45f9 100644
--- a/roles/audit/templates/30-stig.rules.j2
+++ b/roles/audit/templates/30-stig.rules.j2
@@ -12,14 +12,36 @@
 ## the syscall file rules with a directory, like -F dir=/etc
 ## 5) You can search for the results on the key fields in the rules
 ##
+
+## Filter syscalls not available on certain platforms
 ##
+{%- set S_chmod = '-S chmod' %}
+{%- set S_chown = '-S chown' %}
+{%- set S_lchown = '-S lchown' %}
+{%- set S_creat = '-S creat' %}
+{%- set S_open = '-S open' %}
+{%- set S_rmdir = '-S rmdir' %}
+{%- set S_unlink = '-S unlink' %}
+{%- set S_rename = '-S rename' %}
+
+{% if ansible_architecture in ['aarch64'] %}
+ {%- set S_chmod = '' %}
+ {%- set S_chown = '' %}
+ {%- set S_lchown = '' %}
+ {%- set S_creat = '' %}
+ {%- set S_open = '' %}
+ {%- set S_rmdir = '' %}
+ {%- set S_unlink = '' %}
+ {%- set S_rename = '' %}
+{% endif %}
+
 ## (GEN002880: CAT II) The IAO will ensure the auditing software can
-## record the following for each audit event:
-##- Date and time of the event
-##- Userid that initiated the event
-##- Type of event
-##- Success or failure of the event
-##- For I&A events, the origin of the request (e.g., terminal ID)
+## record the following for each audit event:
+##- Date and time of the event
+##- Userid that initiated the event
+##- Type of event
+##- Success or failure of the event
+##- For I&A events, the origin of the request (e.g., terminal ID)
 ##- For events that introduce an object into a user's address space, and
 ## for object deletion events, the name of the object, and in MLS
 ## systems, the object's security level.
@@ -67,7 +89,7 @@
 ## (GEN002920: CAT III) The IAO will ensure audit files are backed up
 ## no less than weekly onto a different system than the system being
-## audited or backup media.
+## audited or backup media.
 ##
 ## Can be done with cron script
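Review bot: The aarch64 branch under `{% if ansible_architecture in ['aarch64'] %}` blanks the legacy syscall names in every rule that substitutes them, including the `-F arch=b32` rules of the perm_mod/access hunk and the delete hunk later in this file, and the 32-bit ARM compat syscall table does carry chmod, chown, lchown, open, creat, rmdir, unlink and rename, so on an aarch64 host with 32-bit compat enabled those events are no longer audited; whether any b32 rule loads on the target kernels at all is not visible from the template, so this may be an accepted loss rather than a defect. Either way it deserves to be stated for the auditor, for example a comment above the block: `## aarch64 has only the *at variants in its 64-bit table; the legacy names are dropped from the b32 rules as well, so 32-bit compat binaries lose chmod/chown/open/creat/rmdir/unlink/rename coverage`. The six rewritten `##- ...` lines here, and the similar ones in the following hunks, read identically to the removed lines, so the change is presumably trailing whitespace; mixing that cleanup into a functional change makes the rule diff harder to review. As a point of style, the one-element membership test reads more directly as `{% if ansible_architecture == 'aarch64' %}`.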
@@ -100,20 +122,20 @@
 ##- Discretionary access control permission modification (unsuccessful
 ## and successful use of chown/chmod)
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
+-a always,exit -F arch=b64 {{ S_chmod }} -S fchmod -S fchmodat {{ S_chown }} -S fchown -S fchownat {{ S_lchown }} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
+-a always,exit -F arch=b32 {{ S_chmod }} -S fchmod -S fchmodat {{ S_chown }} -S fchown -S fchownat {{ S_lchown }} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
-##- Unauthorized access attempts to files (unsuccessful)
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F key=access
+##- Unauthorized access attempts to files (unsuccessful)
+-a always,exit -F arch=b64 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F key=access
+-a always,exit -F arch=b32 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F key=access
+-a always,exit -F arch=b64 {{ S_creat }} {{ S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F key=access
+-a always,exit -F arch=b32 {{ S_creat }} {{ 
S_open }} -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F key=access
 ##- Use of privileged commands (unsuccessful and successful)
 ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
 #-a always,exit -F path=/bin/ping -F perm=x -F key=privileged
-##- Use of print command (unsuccessful and successful)
+##- Use of print command (unsuccessful and successful)
 ##- Export to media (successful)
 ## You have to mount media before using it. You must disable all automounting
@@ -125,12 +147,12 @@
 ##- System startup and shutdown (unsuccessful and successful)
 ##- Files and programs deleted by the user (successful and unsuccessful)
--a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete
--a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -k delete
+-a always,exit -F arch=b64 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -k delete
+-a always,exit -F arch=b32 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -k delete
-##- All system administration actions
+##- All system administration actions
 ##- All security personnel actions
-##
+##
 ## Look for pam_tty_audit and add it to your login entry point's pam configs.
 ## If that is not found, use sudo which should be patched to record its
 ## commands to the audit system. Do not allow unrestricted root shells or
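Review bot: After the aarch64 substitution the two `-k delete` rules keep only `-S unlinkat` and `-S renameat`, and `renameat2` is listed on neither side, so a rename issued through that syscall (newer libc and coreutils builds can use it) would not be keyed as a delete; this is worth confirming against the libc shipped on the target images rather than assumed either way. If it applies, adding the name to both lines, e.g. `-a always,exit -F arch=b64 {{ S_rmdir }} {{ S_unlink }} -S unlinkat {{ S_rename }} -S renameat -S renameat2 -k delete`, closes the gap; since auditctl refuses a rule that names a syscall it cannot resolve, which is presumably why this commit gates the legacy names, renameat2 would need the same per-platform variable on kernels or audit builds that lack it. The same consideration applies to the `-F key=access` rules in the previous hunk, which list `openat` but not `openat2`.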