Some more hardening
This commit is contained in:
parent
3837a7dc20
commit
af346c5220
211
ansible/etc/audit/rules.d/custom.rules.j2
Normal file
211
ansible/etc/audit/rules.d/custom.rules.j2
Normal file
@ -0,0 +1,211 @@
|
|||||||
|
###################
|
||||||
|
# Remove any existing rules
|
||||||
|
###################
|
||||||
|
|
||||||
|
-D
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Buffer Size
|
||||||
|
###################
|
||||||
|
# Might need to be increased, depending on the load of your system.
|
||||||
|
-b 8192
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Failure Mode
|
||||||
|
###################
|
||||||
|
# 0=Silent
|
||||||
|
# 1=printk, print failure message
|
||||||
|
# 2=panic, halt system
|
||||||
|
-f 1
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Audit the audit logs.
|
||||||
|
###################
|
||||||
|
-w /var/log/audit/ -k auditlog
|
||||||
|
|
||||||
|
###################
|
||||||
|
## Auditd configuration
|
||||||
|
###################
|
||||||
|
## Modifications to audit configuration that occur while the audit (check your paths)
|
||||||
|
-w /etc/audit/ -p wa -k auditconfig
|
||||||
|
-w /etc/libaudit.conf -p wa -k auditconfig
|
||||||
|
-w /etc/audisp/ -p wa -k audispconfig
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Monitor for use of audit management tools
|
||||||
|
###################
|
||||||
|
# Check your paths
|
||||||
|
-w /sbin/auditctl -p x -k audittools
|
||||||
|
-w /sbin/auditd -p x -k audittools
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Special files
|
||||||
|
###################
|
||||||
|
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
|
||||||
|
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Mount operations
|
||||||
|
###################
|
||||||
|
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
|
||||||
|
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Changes to the time
|
||||||
|
###################
|
||||||
|
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
|
||||||
|
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
|
||||||
|
-w /etc/localtime -p wa -k localtime
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Use of stunnel
|
||||||
|
###################
|
||||||
|
-w /usr/sbin/stunnel -p x -k stunnel
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Schedule jobs
|
||||||
|
###################
|
||||||
|
-w /etc/cron.allow -p wa -k cron
|
||||||
|
-w /etc/cron.deny -p wa -k cron
|
||||||
|
-w /etc/cron.d/ -p wa -k cron
|
||||||
|
-w /etc/cron.daily/ -p wa -k cron
|
||||||
|
-w /etc/cron.hourly/ -p wa -k cron
|
||||||
|
-w /etc/cron.monthly/ -p wa -k cron
|
||||||
|
-w /etc/cron.weekly/ -p wa -k cron
|
||||||
|
-w /etc/crontab -p wa -k cron
|
||||||
|
-w /var/spool/cron/crontabs/ -k cron
|
||||||
|
|
||||||
|
## user, group, password databases
|
||||||
|
-w /etc/group -p wa -k etcgroup
|
||||||
|
-w /etc/passwd -p wa -k etcpasswd
|
||||||
|
-w /etc/gshadow -k etcgroup
|
||||||
|
-w /etc/shadow -k etcpasswd
|
||||||
|
-w /etc/security/opasswd -k opasswd
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Monitor usage of passwd command
|
||||||
|
###################
|
||||||
|
-w /usr/bin/passwd -p x -k passwd_modification
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Monitor user/group tools
|
||||||
|
###################
|
||||||
|
-w /usr/sbin/groupadd -p x -k group_modification
|
||||||
|
-w /usr/sbin/groupmod -p x -k group_modification
|
||||||
|
-w /usr/sbin/addgroup -p x -k group_modification
|
||||||
|
-w /usr/sbin/useradd -p x -k user_modification
|
||||||
|
-w /usr/sbin/usermod -p x -k user_modification
|
||||||
|
-w /usr/sbin/adduser -p x -k user_modification
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Login configuration and stored info
|
||||||
|
###################
|
||||||
|
-w /etc/login.defs -p wa -k login
|
||||||
|
-w /etc/securetty -p wa -k login
|
||||||
|
-w /var/log/faillog -p wa -k login
|
||||||
|
-w /var/log/lastlog -p wa -k login
|
||||||
|
-w /var/log/tallylog -p wa -k login
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Network configuration
|
||||||
|
###################
|
||||||
|
-w /etc/hosts -p wa -k hosts
|
||||||
|
-w /etc/network/ -p wa -k network
|
||||||
|
|
||||||
|
###################
|
||||||
|
## system startup scripts
|
||||||
|
###################
|
||||||
|
-w /etc/inittab -p wa -k init
|
||||||
|
-w /etc/init.d/ -p wa -k init
|
||||||
|
-w /etc/init/ -p wa -k init
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Library search paths
|
||||||
|
###################
|
||||||
|
-w /etc/ld.so.conf -p wa -k libpath
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Kernel parameters and modules
|
||||||
|
###################
|
||||||
|
-w /etc/sysctl.conf -p wa -k sysctl
|
||||||
|
-w /etc/modprobe.conf -p wa -k modprobe
|
||||||
|
###################
|
||||||
|
|
||||||
|
###################
|
||||||
|
# PAM configuration
|
||||||
|
###################
|
||||||
|
-w /etc/pam.d/ -p wa -k pam
|
||||||
|
-w /etc/security/limits.conf -p wa -k pam
|
||||||
|
-w /etc/security/pam_env.conf -p wa -k pam
|
||||||
|
-w /etc/security/namespace.conf -p wa -k pam
|
||||||
|
-w /etc/security/namespace.init -p wa -k pam
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Puppet (SSL)
|
||||||
|
###################
|
||||||
|
-w /etc/puppet/ssl -p wa -k puppet_ssl
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Postfix configuration
|
||||||
|
###################
|
||||||
|
-w /etc/aliases -p wa -k mail
|
||||||
|
-w /etc/postfix/ -p wa -k mail
|
||||||
|
###################
|
||||||
|
|
||||||
|
###################
|
||||||
|
# SSH configuration
|
||||||
|
###################
|
||||||
|
-w /etc/ssh/sshd_config -k sshd
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Hostname
|
||||||
|
###################
|
||||||
|
-a exit,always -F arch=b32 -S sethostname -k hostname
|
||||||
|
-a exit,always -F arch=b64 -S sethostname -k hostname
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Changes to issue
|
||||||
|
###################
|
||||||
|
-w /etc/issue -p wa -k etcissue
|
||||||
|
-w /etc/issue.net -p wa -k etcissue
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Log all commands executed by root
|
||||||
|
###################
|
||||||
|
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
|
||||||
|
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
|
||||||
|
|
||||||
|
###################
|
||||||
|
## Capture all failures to access on critical elements
|
||||||
|
###################
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
|
||||||
|
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
|
||||||
|
|
||||||
|
###################
|
||||||
|
## su/sudo
|
||||||
|
###################
|
||||||
|
-w /bin/su -p x -k priv_esc
|
||||||
|
-w /usr/bin/sudo -p x -k priv_esc
|
||||||
|
-w /etc/sudoers -p rw -k priv_esc
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Poweroff/reboot tools
|
||||||
|
###################
|
||||||
|
-w /sbin/halt -p x -k power
|
||||||
|
-w /sbin/poweroff -p x -k power
|
||||||
|
-w /sbin/reboot -p x -k power
|
||||||
|
-w /sbin/shutdown -p x -k power
|
||||||
|
|
||||||
|
###################
|
||||||
|
# Make the configuration immutable
|
||||||
|
###################
|
||||||
|
-e 2
|
||||||
|
|
||||||
|
# EOF
|
10
ansible/etc/default/sysstat.j2
Normal file
10
ansible/etc/default/sysstat.j2
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
#
|
||||||
|
# Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
|
||||||
|
# and /etc/cron.daily/sysstat files
|
||||||
|
#
|
||||||
|
|
||||||
|
# Should sadc collect system activity informations? Valid values
|
||||||
|
# are "true" and "false". Please do not put other values, they
|
||||||
|
# will be overwritten by debconf!
|
||||||
|
ENABLED="true"
|
||||||
|
|
@ -221,6 +221,71 @@
|
|||||||
dest: /etc/logcheck/ignore.d.server/local-server
|
dest: /etc/logcheck/ignore.d.server/local-server
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
|
# -------------------------------------------------------------------------
|
||||||
|
# Process accounting.
|
||||||
|
# -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
- name: Install acct
|
||||||
|
apt:
|
||||||
|
name: acct
|
||||||
|
register: acct
|
||||||
|
|
||||||
|
- name: Switch on process accounting
|
||||||
|
command: accton on
|
||||||
|
when: acct is changed
|
||||||
|
|
||||||
|
# -------------------------------------------------------------------------
|
||||||
|
# System performance monitor.
|
||||||
|
# -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
- name: Install sysstat
|
||||||
|
apt:
|
||||||
|
name: sysstat
|
||||||
|
register: sysstat
|
||||||
|
|
||||||
|
- name: Configure sysstat
|
||||||
|
template:
|
||||||
|
src: ./etc/default/sysstat.j2
|
||||||
|
dest: /etc/default/sysstat
|
||||||
|
mode: 0644
|
||||||
|
register: sysstat_cfg
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Start sysstat
|
||||||
|
command: /etc/init.d/sysstat start
|
||||||
|
|
||||||
|
- name: Set sysstat defaults
|
||||||
|
command: update-rc.d sysstat defaults
|
||||||
|
|
||||||
|
when:
|
||||||
|
sysstat is changed or
|
||||||
|
sysstat_cfg is changed
|
||||||
|
|
||||||
|
# -------------------------------------------------------------------------
|
||||||
|
# Auditing.
|
||||||
|
# -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
- name: Install auditd
|
||||||
|
apt:
|
||||||
|
name: auditd
|
||||||
|
register: auditd
|
||||||
|
|
||||||
|
- name: Configure auditd
|
||||||
|
template:
|
||||||
|
src: ./etc/audit/rules.d/custom.rules.j2
|
||||||
|
dest: /etc/audit/rules.d/custom.rules
|
||||||
|
mode: 0644
|
||||||
|
register: auditd_cfg
|
||||||
|
|
||||||
|
- name: Enable and restart auditd
|
||||||
|
service:
|
||||||
|
name: auditd
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
when:
|
||||||
|
auditd is changed or
|
||||||
|
auditd_cfg is changed
|
||||||
|
|
||||||
# -------------------------------------------------------------------------
|
# -------------------------------------------------------------------------
|
||||||
# Chkrootkit and Rkhunter.
|
# Chkrootkit and Rkhunter.
|
||||||
# -------------------------------------------------------------------------
|
# -------------------------------------------------------------------------
|
||||||
|
Reference in New Issue
Block a user