Some more hardening

This commit is contained in:
Wojciech Kozlowski 2018-12-16 11:05:29 +00:00
parent 3837a7dc20
commit af346c5220
3 changed files with 286 additions and 0 deletions


@ -0,0 +1,211 @@
###################
# Remove any existing rules
###################
-D
###################
# Buffer Size
###################
# Might need to be increased, depending on the load of your system.
-b 8192
###################
# Failure Mode
###################
# 0=Silent
# 1=printk, print failure message
# 2=panic, halt system
-f 1
###################
# Audit the audit logs.
###################
-w /var/log/audit/ -k auditlog
###################
## Auditd configuration
###################
## Modifications to audit configuration that occur while the audit (check your paths)
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
###################
# Monitor for use of audit management tools
###################
# Check your paths
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
###################
# Special files
###################
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
###################
# Mount operations
###################
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
###################
# Changes to the time
###################
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
-w /etc/localtime -p wa -k localtime
###################
# Use of stunnel
###################
-w /usr/sbin/stunnel -p x -k stunnel
###################
# Schedule jobs
###################
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
###################
# Monitor usage of passwd command
###################
-w /usr/bin/passwd -p x -k passwd_modification
###################
# Monitor user/group tools
###################
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
###################
# Login configuration and stored info
###################
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
###################
# Network configuration
###################
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network
###################
## system startup scripts
###################
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
###################
# Library search paths
###################
-w /etc/ld.so.conf -p wa -k libpath
###################
# Kernel parameters and modules
###################
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/modprobe.conf -p wa -k modprobe
###################
###################
# PAM configuration
###################
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
###################
# Puppet (SSL)
###################
-w /etc/puppet/ssl -p wa -k puppet_ssl
###################
# Postfix configuration
###################
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
###################
###################
# SSH configuration
###################
-w /etc/ssh/sshd_config -k sshd
###################
# Hostname
###################
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
###################
# Changes to issue
###################
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
###################
# Log all commands executed by root
###################
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
###################
## Capture all failures to access on critical elements
###################
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
###################
## su/sudo
###################
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
###################
# Poweroff/reboot tools
###################
-w /sbin/halt -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/shutdown -p x -k power
###################
# Make the configuration immutable
###################
-e 2
# EOF
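Review bot: The "failures to access" rules at lines 165-173 only match the `open` syscall on `arch=b64`, so a failed `openat` (what current glibc issues for most `open()`/`fopen()` calls) or any 32-bit access leaves no event under the `unauthedfileacess` key; each line should list the related entry points, e.g. `-a exit,always -F arch=b64 -S open -S openat -S creat -F dir=/etc -F success=0 -k unauthedfileacess`, with a matching `arch=b32` line as the other sections already do. This file is rendered into `/etc/audit/rules.d/custom.rules` (see the playbook hunk in this commit), and `augenrules` concatenates `rules.d/*.rules` in lexical order, so the leading `-D` at line 15 wipes whatever an earlier file in that directory loaded and `-e 2` at line 190 must stay the final directive of the merged set; a comment noting both, `# -D and -e 2 assume this is the only/last file in rules.d`, would prevent a surprise when another file is dropped in. Lines 118 and 123 watch `/etc/ld.so.conf` and `/etc/modprobe.conf` but not `/etc/ld.so.conf.d/` and `/etc/modprobe.d/`, which is where Debian-family hosts actually carry these settings.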


@ -0,0 +1,10 @@
#
# Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
# and /etc/cron.daily/sysstat files
#
# Should sadc collect system activity informations? Valid values
# are "true" and "false". Please do not put other values, they
# will be overwritten by debconf!
ENABLED="true"


@ -221,6 +221,71 @@
dest: /etc/logcheck/ignore.d.server/local-server dest: /etc/logcheck/ignore.d.server/local-server
mode: 0644 mode: 0644
# -------------------------------------------------------------------------
# Process accounting.
# -------------------------------------------------------------------------
- name: Install acct
apt:
name: acct
register: acct
- name: Switch on process accounting
command: accton on
when: acct is changed
# -------------------------------------------------------------------------
# System performance monitor.
# -------------------------------------------------------------------------
- name: Install sysstat
apt:
name: sysstat
register: sysstat
- name: Configure sysstat
template:
src: ./etc/default/sysstat.j2
dest: /etc/default/sysstat
mode: 0644
register: sysstat_cfg
- block:
- name: Start sysstat
command: /etc/init.d/sysstat start
- name: Set sysstat defaults
command: update-rc.d sysstat defaults
when:
sysstat is changed or
sysstat_cfg is changed
# -------------------------------------------------------------------------
# Auditing.
# -------------------------------------------------------------------------
- name: Install auditd
apt:
name: auditd
register: auditd
- name: Configure auditd
template:
src: ./etc/audit/rules.d/custom.rules.j2
dest: /etc/audit/rules.d/custom.rules
mode: 0644
register: auditd_cfg
- name: Enable and restart auditd
service:
name: auditd
state: restarted
enabled: yes
when:
auditd is changed or
auditd_cfg is changed
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------
# Chkrootkit and Rkhunter. # Chkrootkit and Rkhunter.
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------
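Review bot: The "Enable and restart auditd" task at lines 254-261 will not apply an edited rule set on a second run, because the template it depends on ends with `-e 2`: once that immutable flag has been loaded, auditctl refuses further rule changes until the host reboots, so a changed `auditd_cfg` silently keeps the old rules in effect. Either the task should register the change and notify a reboot handler, or a comment such as `# Rules are loaded with -e 2 (immutable); a changed template only takes effect after reboot` should sit above it so the operator knows what a "changed" result here really means; on systemd hosts a manual `state: restarted` on auditd may also be refused by the unit, which is worth checking on the target release. For consistency with that task, the sysstat block at lines 233-240 would read better as a `service:` task (`name: sysstat`, `state: started`, `enabled: yes`) than as two raw `command:` calls to `/etc/init.d/sysstat start` and `update-rc.d`, which also report `changed` on every run. The enclosing task list starts and continues outside this hunk.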