Ordered audit rules
Change-Id: Idb705cfab5cebb4568109f9b25a6087b9a667d1b
Closes-PROD: https://mirantis.jira.com/browse/PROD-21187
diff --git a/README.rst b/README.rst
index b9df62f..6e81855 100644
--- a/README.rst
+++ b/README.rst
@@ -71,7 +71,8 @@
enabled: 0
bufsize: 8192
rules:
- some_rule_key:
+ 1:
+ key: some_rule_key
enabled: true
rule_list:
- '-w /etc/passwd -p wa'
diff --git a/auditd/files/auditd.rules.conf b/auditd/files/auditd.rules.conf
index 8012bcb..031b268 100644
--- a/auditd/files/auditd.rules.conf
+++ b/auditd/files/auditd.rules.conf
@@ -1,38 +1,36 @@
{%- from "auditd/map.jinja" import rules with context %}
{%- set filter_fs = rules.get('filter_fs', []) -%}
{%- set filter_paths = rules.get('filter_paths', []) -%}
+{%- set auid = rules.get('auid', 1000) -%}
-D
{%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
-b {{ bufsize }}
-{%- set ruledict = rules.get('rules', {}) %}
-{%- if ruledict|length > 0 %}
-# Rules
-{%- for rulegroup, options in ruledict.items() %}
-# {{ rulegroup }} section
-{%- if options.get('enabled', false) -%}
-{%- for rule in options.get('rule_list', []) %}
-{{ rule }} -k {{ rulegroup }}
-{%- endfor %}
-{%- endif %}
-{%- endfor %}
-{%- endif %}
-
-{# Dynamically generated list of binaries which have sgid/suid bit #}
-{# It can be extended via the auditd.rules.rules.privileged.rule_list #}
-{%- if pillar.auditd.rules.rules.privileged is defined -%}
-{%- if ruledict.privileged.get('enabled') -%}
-{%- set privileged_list = salt['auditd.find_privileged'](filter_fs=filter_fs,filter_paths=filter_paths) -%}
-# Dinamically generated list of privileged files
-{%- for bin in privileged_list -%}
-{%- set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>=1000 -F auid!=4294967295' -%}
-{%- if rule not in ruledict.get('privileged', {}).get('rule_list', []) %}
-{{ rule + ' -k privileged' }}
+# Rules (might be empty)
+{%- for _, ruleblock in rules.get('rules', {})|dictsort %}
+{%- if ruleblock.get('enabled', false) %}
+{%- set rules = ruleblock.get('rule_list', []) %}
+{%- set rulekey = ruleblock['key'] %}
+{%- if rulekey == 'privileged' -%}
+{# Generate suid/sgid binaries list dynamically.
+This behavior can not be changed but the list can be extended via the corresponding pillar. #}
+{%- set privileged_list = salt['auditd.find_privileged'](filter_fs=filter_fs,filter_paths=filter_paths) -%}
+{%- for bin in privileged_list -%}
+{%- set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>='~ auid ~' -F auid!=4294967295' -%}
+{%- if rule not in rules %}
+{%- do rules.append(rule) %}
{%- endif %}
-{%- endfor -%}
-{%- endif -%}
-{%- endif %}
+{%- endfor %}
+{%- endif %}
+{% if rules|length > 0 %}
+# "{{ rulekey }}" section
+{%- for rule in rules %}
+{{ rule }} -k {{ rulekey }}
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- endfor %}
# Enabled
{%- set enabled = rules.get('options', {}).get('enabled', 0) %}
diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
index 2417e1c..fca89c3 100644
--- a/metadata/service/rules/ciscat.yml
+++ b/metadata/service/rules/ciscat.yml
@@ -25,90 +25,104 @@
enabled: 2
bufsize: 8192
rules:
- MAC_policy:
+ 100:
+ key: MAC_policy
enabled: true
rule_list:
- - '-w /etc/apparmor/ -p wa'
- - '-w /etc/apparmor.d/ -p wa'
- access:
+ - '-w /etc/apparmor/ -p wa'
+ - '-w /etc/apparmor.d/ -p wa'
+ 110:
+ key: access
enabled: true
rule_list:
- - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
- actions:
+ - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
+ 120:
+ key: actions
enabled: true
rule_list:
- - '-w /var/log/sudo.log -p wa'
- delete:
+ - '-w /var/log/sudo.log -p wa'
+ 130:
+ key: delete
enabled: true
rule_list:
- - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
- identity:
+ - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
+ 140:
+ key: identity
enabled: true
rule_list:
- - '-w /etc/group -p wa'
- - '-w /etc/passwd -p wa'
- - '-w /etc/gshadow -p wa'
- - '-w /etc/shadow -p wa'
- - '-w /etc/security/opasswd -p wa'
- logins:
+ - '-w /etc/group -p wa'
+ - '-w /etc/passwd -p wa'
+ - '-w /etc/gshadow -p wa'
+ - '-w /etc/shadow -p wa'
+ - '-w /etc/security/opasswd -p wa'
+ 150:
+ key: logins
enabled: true
rule_list:
- - '-w /var/log/faillog -p wa'
- - '-w /var/log/lastlog -p wa'
- - '-w /var/log/tallylog -p wa'
- modules:
+ - '-w /var/log/faillog -p wa'
+ - '-w /var/log/lastlog -p wa'
+ - '-w /var/log/tallylog -p wa'
+ 160:
+ key: modules
enabled: true
rule_list:
- - '-w /sbin/insmod -p x'
- - '-w /sbin/rmmod -p x'
- - '-w /sbin/modprobe -p x'
- - '-a always,exit -F arch=b64 -S init_module -S delete_module'
- mounts:
+ - '-w /sbin/insmod -p x'
+ - '-w /sbin/rmmod -p x'
+ - '-w /sbin/modprobe -p x'
+ - '-a always,exit -F arch=b64 -S init_module -S delete_module'
+ 170:
+ key: mounts
enabled: true
rule_list:
- - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295'
- perm_mod:
+ - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295'
+ 180:
+ key: perm_mod
enabled: true
rule_list:
- - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
- privileged:
+ - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
+ - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
+ 190:
+ key: privileged
enabled: true
- scope:
+ 200:
+ key: scope
enabled: true
rule_list:
- - '-w /etc/sudoers -p wa'
- - '-w /etc/sudoers.d -p wa'
- session:
+ - '-w /etc/sudoers -p wa'
+ - '-w /etc/sudoers.d -p wa'
+ 210:
+ key: session
enabled: true
rule_list:
- - '-w /var/run/utmp -p wa'
- - '-w /var/log/wtmp -p wa'
- - '-w /var/log/btmp -p wa'
- system_locale:
+ - '-w /var/run/utmp -p wa'
+ - '-w /var/log/wtmp -p wa'
+ - '-w /var/log/btmp -p wa'
+ 220:
+ key: system_locale
enabled: true
rule_list:
- - '-a always,exit -F arch=b64 -S sethostname -S setdomainname'
- - '-a always,exit -F arch=b32 -S sethostname -S setdomainname'
- - '-w /etc/issue -p wa'
- - '-w /etc/issue.net -p wa'
- - '-w /etc/hosts -p wa'
- - '-w /etc/network -p wa'
- - '-w /etc/networks -p wa'
- time_change:
+ - '-a always,exit -F arch=b64 -S sethostname -S setdomainname'
+ - '-a always,exit -F arch=b32 -S sethostname -S setdomainname'
+ - '-w /etc/issue -p wa'
+ - '-w /etc/issue.net -p wa'
+ - '-w /etc/hosts -p wa'
+ - '-w /etc/network -p wa'
+ - '-w /etc/networks -p wa'
+ 230:
+ key: time_change
enabled: true
rule_list:
- - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday'
- - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime'
- - '-a always,exit -F arch=b64 -S clock_settime'
- - '-a always,exit -F arch=b32 -S clock_settime'
- - '-w /etc/localtime -p wa'
+ - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday'
+ - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime'
+ - '-a always,exit -F arch=b64 -S clock_settime'
+ - '-a always,exit -F arch=b32 -S clock_settime'
+ - '-w /etc/localtime -p wa'
diff --git a/tests/pillar/rules.sls b/tests/pillar/rules.sls
index 2e4bb0d..e77aff2 100644
--- a/tests/pillar/rules.sls
+++ b/tests/pillar/rules.sls
@@ -29,7 +29,8 @@
enabled: 0
bufzise: 4096
rules:
- host_conf:
+ 1:
+ key: host_conf
enabled: true
rule_list:
- '-w /etc/host.conf -p wa'