Merge "Fix Python version for Travis CI tests"
diff --git a/README.rst b/README.rst
index a3713c1..ec2992d 100644
--- a/README.rst
+++ b/README.rst
@@ -13,6 +13,15 @@
These violations can further be prevented by additional security
measures such as SELinux.
+Please, be aware of one *feature*.
+If you enable auditd.rules.rules.privileged it will dynamically generate a list
+of binaries which have suid/sgid bit for all mounted file systems which do not
+have **nosuid** or **noexec** mount option (except the *special* file systems
+such as **sysfs**, **nsfs**, **cgroup**, **proc** and so one).
+It was done because it is nearly impossible to create that list manually. It
+always will differ from one installation to another.
+This behavior can not be changed but it can be extended manually by putting
+necessary rules into the **rule_list** list).
Sample Metadata
diff --git a/auditd/files/auditd.rules.conf b/auditd/files/auditd.rules.conf
index e218cfc..2920129 100644
--- a/auditd/files/auditd.rules.conf
+++ b/auditd/files/auditd.rules.conf
@@ -1,4 +1,10 @@
{%- from "auditd/map.jinja" import rules with context %}
+{%- set filtered_fs = [
+'binfmt_misc', 'cgroup', 'configfs', 'debugfs',
+'devpts', 'mqueue', 'nsfs', 'proc', 'pstore',
+'securityfs', 'sysfs','tracefs'
+]-%}
+
-D
{%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
-b {{ bufsize }}
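Review bot: `'sysfs','tracefs'` on the last entry line of `filtered_fs` drops the space after the comma that every other entry uses; write `'securityfs', 'sysfs', 'tracefs'` for consistency. A one-line comment above the `set` saying why these are excluded would help the next reader, e.g. `{# pseudo file systems skipped by the privileged-binary scan below #}`, since the list's purpose is only visible in a later hunk.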
@@ -16,6 +22,30 @@
{%- endfor %}
{%- endif %}
+{# Dynamically generated list of binaries which has sgid/suid bit #}
+{# It can be extended via auditd.rules.rules.privileged.rule_list #}
+{%- if pillar.auditd.rules.rules.privileged is defined -%}
+{%- if ruledict.privileged.get('enabled') -%}
+{%- for partition, options in salt['mount.active']().items() -%}
+{%- if ('noexec' not in options.opts) and
+ ('nosuid' not in options.opts) and
+ options.fstype not in filtered_fs -%}
+{%- set cmd = 'find '+ partition +' -xdev \( -perm -4000 -o -perm -2000 \) -type f' %}
+{%- set binaries = salt['cmd.shell'](cmd).splitlines() -%}
+{%- if binaries|length > 0 %}
+# Dinamically generated privileged list for {{ partition }}
+{%- endif %}
+{%- for bin in binaries -%}
+{%- set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>=1000 -F auid!=4294967295' -%}
+{%- if rule not in ruledict.get('privileged', {}).get('rule_list', []) %}
+{{ rule + ' -k privileged' }}
+{%- endif %}
+{%- endfor -%}
+{%- endif -%}
+{%- endfor -%}
+{%- endif -%}
+{%- endif %}
+
# Enabled
{%- set enabled = rules.get('options', {}).get('enabled', 0) %}
-e {{ enabled }}
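Review bot: The `find` command built on the `set cmd` line is run through `salt['cmd.shell']` with the mount point spliced in unquoted, so a mount point containing whitespace or shell metacharacters either breaks the command or is interpreted by the shell; pass an argument list with no shell instead: `{%- set cmd = ['find', partition, '-xdev', '(', '-perm', '-4000', '-o', '-perm', '-2000', ')', '-type', 'f'] %}` followed by `{%- set binaries = salt['cmd.run'](cmd, python_shell=False).splitlines() -%}`. The same care is needed for each discovered path placed into `-F path=`: a file name containing a space or newline produces a malformed rule that auditctl will reject when the file is loaded, so such entries should be skipped or quoted before being emitted. Note that this scan walks every qualifying file system on every render of the template, which can be slow on large volumes, and that `ruledict` is used here but not defined in this hunk, so I assume it is set earlier in the file. Minor: the generated comment reads "Dinamically"; it should be "Dynamically".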
diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
index 8482c09..1596dd5 100644
--- a/metadata/service/rules/ciscat.yml
+++ b/metadata/service/rules/ciscat.yml
@@ -6,7 +6,7 @@
auditd:
rules:
options:
- enabled: 1
+ enabled: 2
bufsize: 8192
rules:
MAC_policy:
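Review bot: `enabled: 2` is rendered into `-e 2` by auditd.rules.conf, which locks the audit configuration until the next reboot, so any later state run that regenerates the rules file — including the dynamically discovered privileged list introduced in the same change — cannot be loaded until the host is rebooted. If the lock is intended for the CIS profile, state it next to the value, e.g. `enabled: 2  # -e 2 locks the audit rules until reboot; later rule changes need a restart`. The mapping's indentation appears to have been lost in this paste, so I have not checked the nesting of the surrounding keys.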
@@ -67,23 +67,6 @@
- '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
privileged:
enabled: true
- rule_list:
- - '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295'
scope:
enabled: true
rule_list: