From 361033952354561b569d0429d0671b30154cbfbd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Apr 2020 17:01:28 +0200
Subject: [PATCH 1/4] rewrite macro
---
shared/macros-ansible.jinja | 119 +++++++-----------------------------
1 file changed, 22 insertions(+), 97 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 8f94f1803a..f9a5b53302 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -349,21 +349,12 @@ The macro requires following parameters:
{{#
The following macro remediates Audit syscall rule in /etc/audit/rules.d directory.
The macro requires following parameters:
+- arch: an architecture to be used in the Audit rule (b32, b64)
- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
- key: a key to use as rule identifier.
Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
-The rule determines the architecture of the system and apply appropriate remediations.
-It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture.
#}}
-
-{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}}
-#
-# What architecture are we on?
-#
-- name: Set architecture for audit tasks
- set_fact:
- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-
+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}}
- name: Declare list of syscals
set_fact:
syscalls: {{{ syscalls }}}
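Review bot: The new `arch=""` default on `ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="")` contradicts the header that lists arch as required, and an omitted arch renders a `-F arch= ` fragment in both the `contains:` regex and the inserted rule, which auditctl/augenrules will reject at load time instead of the build failing. Either document the constraint in the header, e.g. `- arch: architecture for the rule; must be exactly "b32" or "b64" (no default - the rendered rule is invalid otherwise)`, or add a template-time guard such as `{{% if arch not in ("b32", "b64") %}}` that fails the render through whatever mechanism the project's Jinja environment provides. The macro also no longer detects the host architecture or gates the b64 rule itself, so every caller must now pass arch and apply its own `when`; any other rule in the tree calling this macro without arch needs the same treatment the kernel-module rule gets later in this series. The typo `wit` on the context line of the header should read `with`. The macro body continues past the end of this hunk.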
@@ -371,27 +362,16 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
- name: Declare number of syscalls
set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/
- find:
- paths: "/etc/audit/rules.d"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "*.rules"
- register: audit_syscalls_found_32_rules_d
- loop: "{{ syscalls }}"
-
-- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/
- set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}"
-
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
+- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
find:
paths: "/etc/audit/rules.d"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
patterns: "*.rules"
- register: audit_syscalls_found_64_rules_d
+ register: audit_syscalls_found_{{{ arch }}}_rules_d
loop: "{{ syscalls }}"
-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/
- set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}"
+- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/
+ set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}"
- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
find:
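Review bot: The `contains:` regex on the renamed find task only recognises an existing rule when its fields appear in the order `-a always,exit ... -F arch=<arch> ... -S <syscall> ... -k/-F key=`; a pre-existing rule with `-S` before `-F arch=`, or with a numeric syscall, is counted as missing and a second rule is appended on every run, so the remediation is idempotent only for rules in that canonical form. If that limitation is accepted, a comment above the task such as `# Only rules in the canonical '-a always,exit -F arch=... -S ... -k ...' field order are detected` saves the next maintainer from debugging duplicate lines. The `{{{ arch }}}` value is also spliced verbatim into the `register:` name and into the regex, which is fine for `b32`/`b64` but is another reason to reject any other value when the macro is rendered. The enclosing macro starts and ends outside this hunk.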
@@ -412,31 +392,13 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
- "{{ find_syscalls_files.files | map(attribute='path') | list | first }}"
when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0
-- name: "Insert the syscall rule in {{ all_files[0] }} when on x86"
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b32 "
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_syscalls_found_32_rules_d.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add key"
- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
- - name: "Insert the line in {{ all_files[0] }}"
- lineinfile:
- path: "{{ all_files[0] }}"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls
-
-- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64"
+- name: "Insert the syscall rule in {{ all_files[0] }}"
block:
- name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b64 "
+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} "
- name: "Construct rule: add syscalls"
set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_syscalls_found_64_rules_d.results }}"
+ loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
when: item.matched is defined and item.matched == 0
- name: "Construct rule: add key"
set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
@@ -446,25 +408,17 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
line: "{{ tmpline }}"
create: true
state: present
- when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
+ when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls
{{%- endmacro %}}
{{#
The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.
The macro requires following parameters:
+- arch: an architecture to be used in the Audit rule (b32, b64)
- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
- key: a key to use as rule identifier.
-The rule determines the architecture of the system and apply appropriate remediations.
-It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture.
#}}
-{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}}
-#
-# What architecture are we on?
-#
-- name: Set architecture for audit tasks
- set_fact:
- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-
+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}}
- name: Declare list of syscals
set_fact:
syscalls: {{{ syscalls }}}
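Review bot: The rewritten `when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls` compares two facts that set_fact receives as quoted Jinja expressions, so unless set_fact (or jinja2_native) coerces them they are strings and `<` is a lexicographic comparison that is correct only while both counts are single-digit. `when: audit_syscalls_matched_{{{ arch }}}_rules_d | int < audit_syscalls_number_of_syscalls | int` removes the dependence on coercion at no cost. The same line drops the former `audit_arch is defined and audit_arch == 'b64'` gate, so the macro will now write a b64 rule on any host it is invoked on; moving that responsibility to the caller is reasonable, but it deserves a line in the macro header, e.g. `The macro does not check the host architecture; the caller must gate the b64 invocation (for example when: audit_arch == "b64").` The auditctl macro signature introduced below carries the same `arch=""` default and therefore the same invalid-empty-rule problem. The insertion block's start and the auditctl macro's body lie outside this hunk.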
@@ -472,53 +426,24 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
- name: Declare number of syscalls
set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
+- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
find:
paths: "/etc/audit"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
patterns: "audit.rules"
- register: audit_syscalls_found_32_audit_rules
+ register: audit_syscalls_found_{{{ arch }}}_audit_rules
loop: "{{ syscalls }}"
-- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules
- set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}"
-
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
- find:
- paths: "/etc/audit"
- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
- patterns: "audit.rules"
- register: audit_syscalls_found_64_audit_rules
- loop: "{{ syscalls }}"
-
-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/*
- set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}"
-
-- name: Insert the syscall rule in /etc/audit/audit.rules when on x86
- block:
- - name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b32 "
- - name: "Construct rule: add syscalls"
- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_syscalls_found_32_audit_rules.results }}"
- when: item.matched is defined and item.matched == 0
- - name: "Construct rule: add key"
- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
- - name: Insert the line in /etc/audit/audit.rules
- lineinfile:
- path: "/etc/audit/audit.rules"
- line: "{{ tmpline }}"
- create: true
- state: present
- when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls
+- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
+ set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}"
-- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64
+- name: Insert the syscall rule in /etc/audit/audit.rules
block:
- name: "Construct rule: add rule list, action and arch"
- set_fact: tmpline="-a always,exit -F arch=b64 "
+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} "
- name: "Construct rule: add syscalls"
set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
- loop: "{{ audit_syscalls_found_64_audit_rules.results }}"
+ loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
when: item.matched is defined and item.matched == 0
- name: "Construct rule: add key"
set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
@@ -528,5 +453,5 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur
line: "{{ tmpline }}"
create: true
state: present
- when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
+ when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls
{{%- endmacro %}}
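Review bot: The `lineinfile` task at the end of the auditctl block still carries `create: true` with no `owner`, `group` or `mode`, so on a host where /etc/audit/audit.rules is absent the file is created with whatever the default umask yields, which can be world-readable; audit rules reveal exactly what is and is not monitored, so the file should be no more open than the copy the audit package installs. This predates the patch, but since the task is being reworked it is the right moment to add `owner: root`, `group: root` and `mode: "0640"` (verify against the permissions the audit package ships on the target products). The rendered `-k {{{ key }}}` is also concatenated into a single-quoted Jinja string literal, so a key containing a quote would break the expression; keys are author-controlled today, which is worth stating in the macro header rather than leaving implicit.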
From c1b10847d740f289f6be58a1409df6433f1b84d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Apr 2020 17:01:43 +0200
Subject: [PATCH 2/4] rewrite rule
---
.../ansible/shared.yml | 34 +++++++++++++++----
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index 3b16dd1989..d2dcc8c1fe 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -3,11 +3,31 @@
# strategy = restrict
# complexity = low
# disruption = low
+#
+# What architecture are we on?
+#
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-{{% if product == "rhel6" %}}
-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}}
-{{% else %}}
-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}}
-{{% endif %}}
+
+- name: perform remediation of Audit rules for kernel module loading for x86 platform
+ block:
+ {{% if product == "rhel6" %}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
+ {{% else %}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
+ {{% endif %}}
+
+- name: perform remediation of Audit rules for kernel module loading for x86_64 platform
+ block:
+ {{% if product == "rhel6" %}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
+ {{% else %}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
+ {{% endif %}}
+ when: audit_arch == "b64"
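Review bot: The `audit_arch` fact derived at the top of the file, `b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}`, yields `b32`/`b64` only for architecture names that end in two digits: `x86_64` and `aarch64` give `b64`, `i686` gives `b86`, and `ppc64le` or `s390x` are left unchanged, so `when: audit_arch == "b64"` silently skips the 64-bit rules on those 64-bit platforms. The expression was only moved out of the macro, but now that it lives in the rule it is worth replacing with something explicit, for example `audit_arch: "b{{ ansible_userspace_bits }}"` (confirm that fact is gathered on every supported target) or a mapping keyed on `ansible_architecture`. The first block is named `... for x86 platform` yet has no `when:`, so `-F arch=b32` rules are also written on non-x86 hosts where a 32-bit compat syscall table may not exist; if that is intended, say so with a comment such as `# b32 rules are written unconditionally; 64-bit hosts receive both arch variants`, otherwise gate this block on the architecture as well.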
From 1505ef7f1632eeb76743410a88b9e50a8f9c44c4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Apr 2020 17:15:37 +0200
Subject: [PATCH 3/4] fix task names
---
.../audit_rules_kernel_module_loading/ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index d2dcc8c1fe..c80f836b6c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -11,7 +11,7 @@
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-- name: perform remediation of Audit rules for kernel module loading for x86 platform
+- name: Perform remediation of Audit rules for kernel module loading for x86 platform
block:
{{% if product == "rhel6" %}}
{{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
@@ -21,7 +21,7 @@
{{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
{{% endif %}}
-- name: perform remediation of Audit rules for kernel module loading for x86_64 platform
+- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform
block:
{{% if product == "rhel6" %}}
{{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
From 7474ee0d7eb901f417336d7b75a4cfa61dfab7ca Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 30 Apr 2020 09:27:28 +0200
Subject: [PATCH 4/4] use variable, remove duplicate code
---
.../ansible/shared.yml | 24 ++++++++-----------
shared/macros-ansible.jinja | 2 +-
2 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
index c80f836b6c..c1ba35bf25 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
@@ -10,24 +10,20 @@
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+# set list of syscalls based on rhel version
+{{% if product == "rhel6" %}}
+{{% set audit_syscalls = ["init_module", "delete_module"] %}}
+{{% else %}}
+{{% set audit_syscalls = ["init_module", "delete_module", "finit_module"] %}}
+{{% endif %}}
- name: Perform remediation of Audit rules for kernel module loading for x86 platform
block:
- {{% if product == "rhel6" %}}
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
- {{% else %}}
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
- {{% endif %}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}}
- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform
block:
- {{% if product == "rhel6" %}}
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}}
- {{% else %}}
- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}}
- {{% endif %}}
+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}}
when: audit_arch == "b64"
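Review bot: The comment `# set list of syscalls based on rhel version` above the new `{{% set audit_syscalls ... %}}` describes the condition loosely: the branch keys on `product == "rhel6"`, so every other product, not only newer RHEL, gets the three-syscall list. Something like `# finit_module is omitted only on rhel6; every other product audits init_module, delete_module and finit_module` states what the code actually does. The consolidated list also changes the order from `init_module, finit_module, delete_module` to `init_module, delete_module, finit_module`, which alters the `-S ...` sequence in newly written rules; the macro's per-syscall `find` check should still recognise rules written by the previous version, but the reorder is not what "remove duplicate code" suggests and is worth noting in the commit message.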
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index f9a5b53302..03e4306051 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -370,7 +370,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul
register: audit_syscalls_found_{{{ arch }}}_rules_d
loop: "{{ syscalls }}"
-- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/
+- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}"
- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}