Changes according to the ciscat requirements
It is nearly impossible to use static "privileged" rules, because such lists
differ from one installation to another. With this change the list is generated
dynamically. It can be extended via the common rule_list when needed.
Also the enabled option now is immutable.
Change-Id: I537124cd7201bdea831f0a98c3f98c20c7d77707
diff --git a/README.rst b/README.rst
index a3713c1..ec2992d 100644
--- a/README.rst
+++ b/README.rst
@@ -13,6 +13,15 @@
These violations can further be prevented by additional security
measures such as SELinux.
+Please, be aware of one *feature*.
+If you enable auditd.rules.rules.privileged it will dynamically generate a list
+of binaries which have suid/sgid bit for all mounted file systems which do not
+have **nosuid** or **noexec** mount option (except the *special* file systems
+such as **sysfs**, **nsfs**, **cgroup**, **proc** and so one).
+It was done because it is nearly impossible to create that list manually. It
+always will differ from one installation to another.
+This behavior can not be changed but it can be extended manually by putting
+necessary rules into the **rule_list** list).
Sample Metadata
diff --git a/auditd/files/auditd.rules.conf b/auditd/files/auditd.rules.conf
index e218cfc..2920129 100644
--- a/auditd/files/auditd.rules.conf
+++ b/auditd/files/auditd.rules.conf
@@ -1,4 +1,10 @@
{%- from "auditd/map.jinja" import rules with context %}
+{%- set filtered_fs = [
+'binfmt_misc', 'cgroup', 'configfs', 'debugfs',
+'devpts', 'mqueue', 'nsfs', 'proc', 'pstore',
+'securityfs', 'sysfs','tracefs'
+]-%}
+
-D
{%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
-b {{ bufsize }}
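Review bot: `filtered_fs` is a fixed list of pseudo-filesystem types, so every other mount that lacks `nosuid`/`noexec` — network shares (`nfs`, `cifs`), `fuse.*`, `overlay`, `squashfs` — is walked with `find` on each template render, which can be slow on large or remote mounts. Reading the list from pillar with the hard-coded entries as the default, e.g. `{%- set filtered_fs = rules.get('options', {}).get('filtered_fs', [...]) -%}`, mirroring how `bufsize` is read two lines below, would let an installation exclude such mounts without editing the template. A one-line comment above the list saying it names fstypes that are skipped by the privileged-binary scan would also help, since the README is the only place this is explained. Minor: `'sysfs','tracefs'` lacks the space the other entries use.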
@@ -16,6 +22,30 @@
{%- endfor %}
{%- endif %}
+{# Dynamically generated list of binaries which has sgid/suid bit #}
+{# It can be extended via auditd.rules.rules.privileged.rule_list #}
+{%- if pillar.auditd.rules.rules.privileged is defined -%}
+{%- if ruledict.privileged.get('enabled') -%}
+{%- for partition, options in salt['mount.active']().items() -%}
+{%- if ('noexec' not in options.opts) and
+ ('nosuid' not in options.opts) and
+ options.fstype not in filtered_fs -%}
+{%- set cmd = 'find '+ partition +' -xdev \( -perm -4000 -o -perm -2000 \) -type f' %}
+{%- set binaries = salt['cmd.shell'](cmd).splitlines() -%}
+{%- if binaries|length > 0 %}
+# Dinamically generated privileged list for {{ partition }}
+{%- endif %}
+{%- for bin in binaries -%}
+{%- set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>=1000 -F auid!=4294967295' -%}
+{%- if rule not in ruledict.get('privileged', {}).get('rule_list', []) %}
+{{ rule + ' -k privileged' }}
+{%- endif %}
+{%- endfor -%}
+{%- endif -%}
+{%- endfor -%}
+{%- endif -%}
+{%- endif %}
+
# Enabled
{%- set enabled = rules.get('options', {}).get('enabled', 0) %}
-e {{ enabled }}
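Review bot: The `salt['cmd.shell'](cmd)` call builds its command line by string-concatenating the mount point taken from `mount.active`, so a mount point containing whitespace or shell metacharacters (user-mountable FUSE or removable media can have arbitrary names) breaks the `find` or changes what it does. Passing the command as an argument list avoids the shell entirely: `{%- set cmd = ['find', partition, '-xdev', '(', '-perm', '-4000', '-o', '-perm', '-2000', ')', '-type', 'f'] -%}` followed by `{%- set binaries = salt['cmd.run'](cmd, python_shell=False).splitlines() -%}`. The same concern applies to the `find` output: a path containing whitespace or a newline becomes a malformed `-F path=` rule after `splitlines()`, so entries with whitespace should be skipped rather than emitted. The `is defined` guard checks `pillar.auditd.rules.rules.privileged` but the next line dereferences `ruledict.privileged` as an attribute while the dedup check below uses `ruledict.get('privileged', {})`; `ruledict` is set outside this hunk, so I could not confirm the two paths agree when the key is absent. Also `Dinamically` in the generated comment line is a typo.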
diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
index 8482c09..1596dd5 100644
--- a/metadata/service/rules/ciscat.yml
+++ b/metadata/service/rules/ciscat.yml
@@ -6,7 +6,7 @@
auditd:
rules:
options:
- enabled: 1
+ enabled: 2
bufsize: 8192
rules:
MAC_policy:
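Review bot: `enabled: 2` makes the loaded ruleset immutable (`-e 2` in the generated conf), so after the first successful apply no rule change — including the dynamically generated privileged list, which changes whenever a suid/sgid binary is added or removed — can be loaded until the host reboots; auditctl refuses rule changes in immutable mode, and whether a later state run then reports failure depends on the service handling outside this hunk. This consequence is stated only in the commit message, so a comment above the key would save the next maintainer a surprise, e.g. `# 2 = immutable ruleset (ciscat profile): rule changes take effect only after a reboot`. A matching sentence in the README's new "feature" paragraph would cover users who never see the metadata file.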
@@ -67,23 +67,6 @@
- '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
privileged:
enabled: true
- rule_list:
- - '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295'
- - '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295'
scope:
enabled: true
rule_list: