mirror of https://github.com/trailofbits/algo
remove the logging role
parent
27680b9403
commit
3b8d04d06c
@ -1,5 +0,0 @@
|
|||||||
- name: restart rsyslog
|
|
||||||
service: name=rsyslog state=restarted
|
|
||||||
|
|
||||||
- name: restart auditd
|
|
||||||
service: name=auditd state=restarted
|
|
@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- { role: common, tags: common }
|
|
@ -1,35 +0,0 @@
|
|||||||
# Auditd
|
|
||||||
|
|
||||||
- name: Auditd installed
|
|
||||||
apt: name=auditd state=latest
|
|
||||||
|
|
||||||
- name: Auditd rules configured
|
|
||||||
template: src=audit.rules.j2 dest=/etc/audit/audit.rules
|
|
||||||
notify:
|
|
||||||
- restart auditd
|
|
||||||
|
|
||||||
- name: Auditd configured
|
|
||||||
template: src=auditd.conf.j2 dest=/etc/audit/auditd.conf
|
|
||||||
notify:
|
|
||||||
- restart auditd
|
|
||||||
|
|
||||||
- name: Enable services
|
|
||||||
service: name=auditd enabled=yes
|
|
||||||
|
|
||||||
# Rsyslog
|
|
||||||
|
|
||||||
- name: Rsyslog installed
|
|
||||||
apt: name=rsyslog state=latest
|
|
||||||
|
|
||||||
- name: Rsyslog configured
|
|
||||||
template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf
|
|
||||||
notify:
|
|
||||||
- restart rsyslog
|
|
||||||
|
|
||||||
- name: Rsyslog CIS configured
|
|
||||||
template: src=CIS.conf.j2 dest=/etc/rsyslog.d/CIS.conf owner=root group=root mode=0644
|
|
||||||
notify:
|
|
||||||
- restart rsyslog
|
|
||||||
|
|
||||||
- name: Enable services
|
|
||||||
service: name=rsyslog enabled=yes
|
|
@ -1,15 +0,0 @@
|
|||||||
*.emerg :omusrmsg:*
|
|
||||||
mail.* -/var/log/mail
|
|
||||||
mail.info -/var/log/mail.info
|
|
||||||
mail.warning -/var/log/mail.warn
|
|
||||||
mail.err /var/log/mail.err
|
|
||||||
news.crit -/var/log/news/news.crit
|
|
||||||
news.err -/var/log/news/news.err
|
|
||||||
news.notice -/var/log/news/news.notice
|
|
||||||
*.=warning;*.=err -/var/log/warn
|
|
||||||
*.crit /var/log/warn
|
|
||||||
*.*;mail.none;news.none -/var/log/messages
|
|
||||||
local0,local1.* -/var/log/localmessages
|
|
||||||
local2,local3.* -/var/log/localmessages
|
|
||||||
local4,local5.* -/var/log/localmessages
|
|
||||||
local6,local7.* -/var/log/localmessages
|
|
@ -1,101 +0,0 @@
|
|||||||
# This file contains the auditctl rules that are loaded
|
|
||||||
# whenever the audit daemon is started via the initscripts.
|
|
||||||
# The rules are simply the parameters that would be passed
|
|
||||||
# to auditctl.
|
|
||||||
#
|
|
||||||
# First rule - delete all
|
|
||||||
-D
|
|
||||||
|
|
||||||
# Increase the buffers to survive stress events.
|
|
||||||
# Make this bigger for busy systems
|
|
||||||
-b 320
|
|
||||||
|
|
||||||
# Feel free to add below this line. See auditctl man page
|
|
||||||
|
|
||||||
# Record Events That Modify Date and Time Information
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
|
||||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
|
||||||
{% endif %}
|
|
||||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
|
||||||
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
|
||||||
-w /etc/localtime -p wa -k time-change
|
|
||||||
|
|
||||||
# Record Events That Modify User/Group Information
|
|
||||||
-w /etc/group -p wa -k identity
|
|
||||||
-w /etc/passwd -p wa -k identity
|
|
||||||
-w /etc/gshadow -p wa -k identity
|
|
||||||
-w /etc/shadow -p wa -k identity
|
|
||||||
-w /etc/security/opasswd -p wa -k identity
|
|
||||||
|
|
||||||
# Record Events That Modify the System's Network Environment
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
|
|
||||||
{% endif %}
|
|
||||||
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
|
|
||||||
-w /etc/issue -p wa -k system-locale
|
|
||||||
-w /etc/issue.net -p wa -k system-locale
|
|
||||||
-w /etc/hosts -p wa -k system-locale
|
|
||||||
-w /etc/network/interfaces -p wa -k system-locale
|
|
||||||
|
|
||||||
# Collect Login and Logout Events
|
|
||||||
-w /var/log/faillog -p wa -k logins
|
|
||||||
-w /var/log/lastlog -p wa -k logins
|
|
||||||
-w /var/log/tallylog -p wa -k logins
|
|
||||||
|
|
||||||
# Collect Session Initiation Information
|
|
||||||
-w /var/run/utmp -p wa -k session
|
|
||||||
-w /var/log/wtmp -p wa -k session
|
|
||||||
-w /var/log/btmp -p wa -k session
|
|
||||||
|
|
||||||
# Collect Discretionary Access Control Permission Modification Events
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
||||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
||||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
||||||
{% endif %}
|
|
||||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
||||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
||||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
|
|
||||||
|
|
||||||
# Collect Unsuccessful Unauthorized Access Attempts to Files
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
|
|
||||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
|
|
||||||
{% endif %}
|
|
||||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
|
|
||||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
|
|
||||||
|
|
||||||
# Collect Use of Privileged Commands
|
|
||||||
{% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %}
|
|
||||||
{{ privileged_programs.stdout }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# Collect Successful File System Mounts
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
|
|
||||||
{% endif %}
|
|
||||||
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
|
|
||||||
|
|
||||||
# Collect File Deletion Events by User
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
|
|
||||||
{% endif %}
|
|
||||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
|
|
||||||
|
|
||||||
# Collect Changes to System Administration Scope
|
|
||||||
-w /etc/sudoers -p wa -k scope
|
|
||||||
|
|
||||||
# Collect System Administrator Actions (sudolog)
|
|
||||||
-w /var/log/sudo.log -p wa -k actions
|
|
||||||
|
|
||||||
# Collect Kernel Module Loading and Unloading
|
|
||||||
{% if ansible_architecture == "x86_64" %}
|
|
||||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
|
||||||
{% endif %}
|
|
||||||
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
|
|
||||||
-w /sbin/insmod -p x -k modules
|
|
||||||
-w /sbin/rmmod -p x -k modules
|
|
||||||
-w /sbin/modprobe -p x -k modules
|
|
||||||
|
|
||||||
-e 2
|
|
@ -1,32 +0,0 @@
|
|||||||
#
|
|
||||||
# This file controls the configuration of the audit daemon
|
|
||||||
#
|
|
||||||
|
|
||||||
log_file = /var/log/audit/audit.log
|
|
||||||
log_format = RAW
|
|
||||||
log_group = root
|
|
||||||
priority_boost = 4
|
|
||||||
flush = INCREMENTAL
|
|
||||||
freq = 20
|
|
||||||
num_logs = 5
|
|
||||||
disp_qos = lossy
|
|
||||||
dispatcher = /sbin/audispd
|
|
||||||
name_format = NONE
|
|
||||||
##name = mydomain
|
|
||||||
max_log_file = 10
|
|
||||||
max_log_file_action = keep_logs
|
|
||||||
space_left = 75
|
|
||||||
space_left_action = email
|
|
||||||
action_mail_acct = {{ auditd_action_mail_acct }}
|
|
||||||
admin_space_left = 50
|
|
||||||
admin_space_left_action = email
|
|
||||||
disk_full_action = SUSPEND
|
|
||||||
disk_error_action = SUSPEND
|
|
||||||
##tcp_listen_port =
|
|
||||||
tcp_listen_queue = 5
|
|
||||||
tcp_max_per_addr = 1
|
|
||||||
##tcp_client_ports = 1024-65535
|
|
||||||
tcp_client_max_idle = 0
|
|
||||||
enable_krb5 = no
|
|
||||||
krb5_principal = auditd
|
|
||||||
##krb5_key_file = /etc/audit/audit.key
|
|
@ -1,61 +0,0 @@
|
|||||||
# /etc/rsyslog.conf Configuration file for rsyslog.
|
|
||||||
#
|
|
||||||
# For more information see
|
|
||||||
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
|
|
||||||
#
|
|
||||||
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
|
|
||||||
|
|
||||||
#
|
|
||||||
#################
|
|
||||||
#### MODULES ####
|
|
||||||
#################
|
|
||||||
|
|
||||||
module(load="imuxsock") # provides support for local system logging
|
|
||||||
module(load="imklog") # provides kernel logging support
|
|
||||||
#module(load="immark") # provides --MARK-- message capability
|
|
||||||
|
|
||||||
# provides UDP syslog reception
|
|
||||||
#module(load="imudp")
|
|
||||||
#input(type="imudp" port="514")
|
|
||||||
|
|
||||||
# provides TCP syslog reception
|
|
||||||
#module(load="imtcp")
|
|
||||||
#input(type="imtcp" port="514")
|
|
||||||
|
|
||||||
# Enable non-kernel facility klog messages
|
|
||||||
$KLogPermitNonKernelFacility on
|
|
||||||
|
|
||||||
###########################
|
|
||||||
#### GLOBAL DIRECTIVES ####
|
|
||||||
###########################
|
|
||||||
|
|
||||||
#
|
|
||||||
# Use traditional timestamp format.
|
|
||||||
# To enable high precision timestamps, comment out the following line.
|
|
||||||
#
|
|
||||||
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
|
|
||||||
|
|
||||||
# Filter duplicated messages
|
|
||||||
$RepeatedMsgReduction on
|
|
||||||
|
|
||||||
#
|
|
||||||
# Set the default permissions for all log files.
|
|
||||||
#
|
|
||||||
$FileOwner syslog
|
|
||||||
$FileGroup adm
|
|
||||||
$FileCreateMode 0640
|
|
||||||
$DirCreateMode 0755
|
|
||||||
$Umask 0022
|
|
||||||
$PrivDropToUser syslog
|
|
||||||
$PrivDropToGroup syslog
|
|
||||||
|
|
||||||
#
|
|
||||||
# Where to place spool and state files
|
|
||||||
#
|
|
||||||
$WorkDirectory /var/spool/rsyslog
|
|
||||||
|
|
||||||
#
|
|
||||||
# Include all config files in /etc/rsyslog.d/
|
|
||||||
#
|
|
||||||
$IncludeConfig /etc/rsyslog.d/*.conf
|
|
||||||
|
|
Loading…
Reference in New Issue