Commit d7ee971e authored by ale's avatar ale

Use a macro for real user checks in audit rules

Also raise the 'real user' limit to >1000, which conveniently
excludes the vagrant user on Vagrant boxes, so the audit log
won't be flooded with execve traces whenever we run Vagrant.
parent 7f75daba
{# TODO: this macro is useless, remove these rules from production? #}
{% macro is_real_user() %}-F auid>=1000 -F auid!=4294967295{% endmacro %}
# Collect Use of Privileged Commands
{% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %}
......@@ -5,38 +7,38 @@
{% endif %}
# Events related to privilege escalations (for non-system users)
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k sudo
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -C auid!=uid -S execve -F auid>=500 -F auid!=-1 -k privesc
-a always,exit -F dir=/home -F uid=0 {{ is_real_user() }} -C auid!=obj_uid -k sudo
-a always,exit -F arch=b32 -S chmod {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S chown {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S fchmod {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S fchmodat {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S fchown {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S fchownat {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S fremovexattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S fsetxattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S lchown {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S lremovexattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S lsetxattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S removexattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -S setxattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b32 -C auid!=uid -S execve {{ is_real_user() }} -F auid!=-1 -k privesc
-a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -k privesc
-a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k privesc
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b64 -C auid!=uid -S execve -F auid>=500 -F auid!=-1 -k privesc
-a always,exit -F arch=b64 -S chmod {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S chown {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S fchmod {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S fchmodat {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S fchown {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S fchownat {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S fremovexattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S fsetxattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S lchown {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S lremovexattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S lsetxattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S removexattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -S setxattr {{ is_real_user() }} -k privesc
-a always,exit -F arch=b64 -C auid!=uid -S execve {{ is_real_user() }} -F auid!=-1 -k privesc
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privesc
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k privesc
{% endif %}
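Review bot: The expanded macro tests `auid>=1000`, but the commit message says the limit was raised to `>1000` so that the vagrant user is excluded; if that account is uid 1000, as the message implies, the chmod/chown/xattr/execve rules for both b32 and b64 still match it, so either the macro should read `-F auid>1000 -F auid!=4294967295` or the message should say `>=1000`. The two execve rules (`-C auid!=uid -S execve {{ is_real_user() }} -F auid!=-1`) keep a trailing `-F auid!=-1` after the macro, which repeats the macro's `auid!=4294967295` (the same unset-loginuid value, signed vs unsigned) and can be dropped: `-a always,exit -F arch=b32 -C auid!=uid -S execve {{ is_real_user() }} -k privesc` and the matching b64 line. Note also that the first rule of the hunk (`-F dir=/home -F uid=0 ...`) already used 1000 before, so only the syscall rules actually change threshold from 500 to 1000; a one-line comment above the macro definition saying which uid range the generated rules now cover would make that intent clear to the next reader. The `{% if %}` closed by the `{% endif %}` at the top of the hunk opens outside it.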