From 03c44366cd4bc16808e000eac7b3eb548851cb1a Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 29 Apr 2020 10:59:43 +0200
Subject: [PATCH 1/4] Add Ansible remediations for syscall time changes

Uses Ansible audit macros to add remediations for:
- adjtimex
- settimeofday
- stime
---
 .../ansible/shared.yml | 20 +++++++++++++++++++
 .../ansible/shared.yml | 20 +++++++++++++++++++
 .../audit_rules_time_stime/ansible/shared.yml | 14 +++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
new file mode 100644
index 0000000000..2ecbf5f998
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Set architecture for audit tasks
+  set_fact:
+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for adjtimex for x86 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+
+- name: Perform remediation of Audit rules for adjtimex for x86_64 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+  when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
new file mode 100644
index 0000000000..e97a752298
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
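Review bot: The `audit_arch` fact added here is derived with `regex_replace('.*(\\d\\d$)','\\1')`, which only produces `64` when `ansible_architecture` ends in two digits; on a host whose architecture name ends in letters (ppc64le or s390x, if the fact is reported that way) the pattern does not match, `audit_arch` becomes something like `bppc64le`, and the trailing `when: audit_arch == "b64"` silently skips the 64-bit rule although the header declares `multi_platform_all`. A guard that does not depend on the spelling of the architecture name, e.g. `when: ansible_userspace_bits == "64"`, would also make the `set_fact` task unnecessary. The same `set_fact`/`when` pair is added for settimeofday in the next hunk and is kept by the quoting fixes in patch 4/4. The x86 block carries no `when:`, so a 64-bit host receives both the b32 and the b64 rule, which is consistent with what the pass test in patch 2/4 writes.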
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Set architecture for audit tasks
+  set_fact:
+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for settimeofday for x86 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+
+- name: Perform remediation of Audit rules for settimeofday for x86_64 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+  when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
new file mode 100644
index 0000000000..b1e9380781
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Set architecture for audit tasks
+  set_fact:
+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for stime syscall for x86 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
From c004e5bdceb4a942585adff1cb085165e6dcbc1b Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 29 Apr 2020 12:02:23 +0200
Subject: [PATCH 2/4] time_adjtimex: Rename, simplify and add tests

---
 .../tests/correct_syscall.pass.sh | 7 +++++++
 .../audit_rules_time_adjtimex/tests/correct_value.pass.sh | 8 --------
 .../tests/line_not_there.fail.sh | 5 -----
 .../tests/syscall_not_there.fail.sh | 5 +++++
 4 files changed, 12 insertions(+), 13 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh
new file mode 100644
index 0000000000..51c8e8705e
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules
+echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
+echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
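Review bot: The `# profiles =` header of the new scenario names only `xccdf_org.ssgproject.content_profile_cis`, while the two scenarios this commit deletes were tagged `xccdf_org.ssgproject.content_profile_ospp`; if the rule is still selected by the OSPP profile, that profile loses its test coverage for adjtimex here, and listing both profiles in the header (if the harness accepts a comma-separated list) would keep it. Separately, `rm -rf /etc/audit/rules.d/*.rules` uses `-r` on a glob that can only match regular files, so `rm -f /etc/audit/rules.d/*.rules` states the intent more precisely; the same line appears in syscall_not_there.fail.sh below.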
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh
deleted file mode 100644
index d37d624763..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-if grep -qv "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" /etc/audit/rules.d/*.rules; then
-    echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
-    echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules
-fi
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh
deleted file mode 100644
index bdf8c837f2..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-sed -i "/^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$/d" /etc/audit/rules.d/*.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh
new file mode 100644
index 0000000000..73eec5e777
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules

From f09c6fd53814d00d85a1ca311887dea11c48d3ad Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 30 Apr 2020 10:47:00 +0200
Subject: [PATCH 3/4] Add Ansible remedation to watch for time changes

---
 .../audit_rules_time_watch_localtime/ansible/shared.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml
new file mode 100644
index 0000000000..629dea88bb
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}}

From fe5e3be44528cd331ab7697daa2d0373e01d8d62 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 30 Apr 2020 16:32:08 +0200
Subject: [PATCH 4/4] Fix arch parameter and useless arch task

---
 .../audit_rules_time_adjtimex/ansible/shared.yml | 4 ++--
 .../audit_rules_time_settimeofday/ansible/shared.yml | 4 ++--
 .../audit_rules_time_stime/ansible/shared.yml | 6 +----
 3 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
index 2ecbf5f998..921b8e34cb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
@@ -10,11 +10,11 @@
 
 - name: Perform remediation of Audit rules for adjtimex for x86 platform
   block:
-    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
 
 - name: Perform remediation of Audit rules for adjtimex for x86_64 platform
   block:
-    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
   when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
index e97a752298..b1a25c2776 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
@@ -10,11 +10,11 @@
 
 - name: Perform remediation of Audit rules for settimeofday for x86 platform
   block:
-    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
 
 - name: Perform remediation of Audit rules for settimeofday for x86_64 platform
   block:
-    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
   when: audit_arch == "b64"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
index b1e9380781..b57c71ce21 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
@@ -4,11 +4,7 @@
 # complexity = low
 # disruption = low
 
-- name: Set architecture for audit tasks
-  set_fact:
-    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
-
 - name: Perform remediation of Audit rules for stime syscall for x86 platform
   block:
-    {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}