commit 4b1f289b5b782dc92288c88dcaba0fdad21c0611
author Vasyl Saienko <vsaienko@mirantis.com> Mon Jul 16 10:51:56 2018 +0000
committer Gerrit Code Review <gerrit2@853267bf53e2> Mon Jul 16 10:51:56 2018 +0000
tree 33557898b85df0297156bd7066bee012d7426231
parent 91e02458ddccf2c20381c9b68695406de67b8481
parent 05a3658159fb16f4f8e8027fb05bda09966f8185

Merge "Fix Python version for Travis CI tests"

README.rst

diff --git a/README.rst b/README.rst
index a3713c1..ec2992d 100644
--- a/README.rst
+++ b/README.rst
@@ -13,6 +13,15 @@
 These violations can further be prevented by additional security
 measures such as SELinux.
 
+Please, be aware of one *feature*.
+If you enable auditd.rules.rules.privileged it will dynamically generate a list
+of binaries which have suid/sgid bit for all mounted file systems which do not
+have **nosuid** or **noexec** mount option (except the *special* file systems
+such as **sysfs**, **nsfs**, **cgroup**, **proc** and so one).
+It was done because it is nearly impossible to create that list manually. It
+always will differ from one installation to another.
+This behavior can not be changed but it can be extended manually by putting
+necessary rules into the **rule_list** list).
 
 
 Sample Metadata

auditd/files/auditd.rules.conf

diff --git a/auditd/files/auditd.rules.conf b/auditd/files/auditd.rules.conf
index e218cfc..2920129 100644
--- a/auditd/files/auditd.rules.conf
+++ b/auditd/files/auditd.rules.conf
@@ -1,4 +1,10 @@
 {%- from "auditd/map.jinja" import rules with context %}
+{%- set filtered_fs = [
+'binfmt_misc', 'cgroup', 'configfs', 'debugfs',
+'devpts', 'mqueue', 'nsfs', 'proc', 'pstore',
+'securityfs', 'sysfs','tracefs'
+]-%}
+
 -D
 {%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
 -b {{ bufsize }}
@@ -16,6 +22,30 @@
 {%- endfor %}
 {%- endif %}
 
+{# Dynamically generated list of binaries which has sgid/suid bit #}
+{# It can be extended via auditd.rules.rules.privileged.rule_list #}
+{%- if pillar.auditd.rules.rules.privileged is defined -%}
+{%-   if ruledict.privileged.get('enabled') -%}
+{%-     for partition, options in salt['mount.active']().items() -%}
+{%-         if ('noexec' not in options.opts) and
+               ('nosuid' not in options.opts) and
+               options.fstype not in filtered_fs -%}
+{%-           set cmd = 'find '+ partition +' -xdev \( -perm -4000 -o -perm -2000 \) -type f' %}
+{%-           set binaries = salt['cmd.shell'](cmd).splitlines() -%}
+{%-           if binaries|length > 0 %}
+# Dinamically generated privileged list for {{ partition }}
+{%-           endif %}
+{%-           for bin in binaries -%}
+{%-             set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>=1000 -F auid!=4294967295' -%}
+{%-             if rule not in ruledict.get('privileged', {}).get('rule_list', []) %}
+{{ rule + ' -k privileged' }}
+{%-             endif %}
+{%-           endfor -%}
+{%-       endif -%}
+{%-     endfor -%}
+{%-   endif -%}
+{%- endif %}
+
 # Enabled
 {%- set enabled = rules.get('options', {}).get('enabled', 0) %}
 -e {{ enabled }}

metadata/service/rules/ciscat.yml

diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
index 8482c09..1596dd5 100644
--- a/metadata/service/rules/ciscat.yml
+++ b/metadata/service/rules/ciscat.yml
@@ -6,7 +6,7 @@
   auditd:
     rules:
       options:
-        enabled: 1
+        enabled: 2
         bufsize: 8192
       rules:
         MAC_policy:
@@ -67,23 +67,6 @@
             - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
         privileged:
           enabled: true
-          rule_list:
-            - '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295'
         scope:
           enabled: true
           rule_list: