
aduit rules added

pull/1/head
akremo 1 year ago
parent
commit
67c37391b2
  1. 9
      README.md
  2. 735
      roles/disa-v2r6/tasks/main.yml

9
README.md

@ -52,4 +52,11 @@ This is heavily based on the [MindPointGroup/RHEL7-STIG](https://github.com/Mind
| CAT-II | V-72073 | RHEL-07-021620 |
| CAT-II | V-72075 | RHEL-07-021700 |
| CAT-I | V-72213 | RHEL-07-032000 |
| CAT-II | V-72219 | RHEL-07-040100 |
| CAT-II | V-72219 | RHEL-07-040100 |
| CAT II | V-72081 | RHEL-07-030010 | can be changed to f1 for availability
| CAT II | V-72083 | RHEL-07-030300 |
| CAT II | V-72087 | RHEL-07-030320 |
| CAT II | V-72063 | RHEL-07-030321 |
| CAT II | V-72089 | RHEL-07-030330 |
| CAT II | V-72091 | RHEL-07-030340 |
| CAT II | V-72093 | RHEL-07-030350 |

735
roles/disa-v2r6/tasks/main.yml

@ -1483,7 +1483,740 @@
## 030010-030920 Audit stuff
##031000 and RHEL-07-031010 pull from logging.yml may need to be manual depending on loggin solution
- name: "CAT II | RHEL-07-030010 | The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."
command: auditctl -f 2
- name: "CAT II | RHEL-07-030200 | The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."
block:
stat:
path: /etc/audisp/plugins.d/au-remote.conf
register: au-remote_status
file:
path: /etc/audisp/plugins.d/au-remote.conf
state: touch
when: au-remote_status.exists == false
- name: |
"CAT II | RHEL-07-030201 | The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon."
"CAT II | RHEL-07-030210 | The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."
"CAT II | RHEL-07-030211 | The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
block:
- name: "regiester existence of au-remote.cont"
stat:
path: /etc/audisp/plugins.d/au-remote.conf
register: au-remote_change
- name: "Configure audispd.conf"
lineinfile:
path: /etc/audisp/plugins.d/au-remote.conf
line: '{{ itme }}'
with_items:
- 'active = yes'
- 'direction = out'
- 'path = /sbin/audisp-remote'
- 'type = always'
- 'overflow_action = syslog'
- 'name_format = hostname'
when: au-remote_status.exists
tags:
- CAT-II
- RHEL-07-030201
- RHEL-07-030210
- name: "CAT II | RHEL-07-030360 | The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."
block:
- name: "Create an Audit config file to house all the DISA STIG RULES"
file:
path: /etc/audit/rules.d/DISA-STIGs.rules
state: touch
owner: root
group: root
mode: '0644'
- name: RHEL-07-030360
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid'
- '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid'
- '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid'
- '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid'
tags:
- CAT-II
- RHEL-07-030360
- name: "CAT II | RHEL-07-030370 | The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall"
# Chown usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030370
- name: "CAT II | RHEL-07-030380 | The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."
# fChown usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030380
- name: CAT II | RHEL-07-030390 | The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall
# lChown usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT II
- RHEL-07-030390
- name: CAT II | RHEL-07-030400 | The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.
# fChownat usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030400
- name: CAT II | RHEL-07-030410 | The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.
# chmod usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030410
- name: CAT II | RHEL-07-030420 | The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.
# fchmod usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030420
- name: CAT II | RHEL-07-030430 | The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.
# fchmodat usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030430
- name: CAT II | RHEL-07-030440 | The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.
# setxattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030440
- name: CAT II | RHEL-07-030450 | The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.
# fsetxattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030450
- name: CAT II | RHEL-07-030460 | The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.
# lsetxattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030460
- name: CAT II | RHEL-07-030470 | The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.
# removexattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030470
- name: CAT II | RHEL-07-030480 | The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.
# fremovexattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030480
- name: CAT II | RHEL-07-030490 | The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.
# lremovexattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030490
- name: CAT II | RHEL-07-030500 | The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall
# successful and unsuccessful uses of creat syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030500
- name: CAT II | RHEL-07-030510 | The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.
# successful and unsuccessful uses of open syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030510
- name: CAT II | RHEL-07-030520 | The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.
# successful and unsuccessful uses of openat syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030520
- name: CAT II | RHEL-07-030530 | The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.
# successful and unsuccessful uses of open_by_handle_at syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030530
- name: CAT II | RHEL-07-030540 | The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.
# successful and unsuccessful uses of truncate syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030540
- name: CAT II | RHEL-07-030550 | The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.
# successful and unsuccessful uses of ftruncate syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030550
- name: CAT II | RHEL-07-030560 | The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.
# successful and unsuccessful uses of semanage syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030560
- name: CAT II | RHEL-07-030570 | The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.
# successful and unsuccessful uses of setsebool syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030570
- name: CAT II | RHEL-07-030580 | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.
# successful and unsuccessful uses of chcon syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030580
- name: CAT II | RHEL-07-030590 | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.
# successful and unsuccessful uses of setfiles syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030590
- name: CAT II | RHEL-07-030610 | The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.
# failed logins
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /var/run/faillock -p wa -k logins'
tags:
- CAT-II
- RHEL-07-030610
- name: CAT II | RHEL-07-030620 | The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.
# successful logins
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /var/log/lastlog -p wa -k logins'
tags:
- CAT-II
- RHEL-07-030620
- name: CAT II | RHEL-07-030630 | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.
# successful and unsuccessful attempts to use the "passwd" command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030630
- name: CAT II | RHEL-07-030640 | The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.
# successful and unsuccessful attempts to use the unix_chkpwd command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030640
- name: CAT II | RHEL-07-030650 | The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.
# successful and unsuccessful attempts to use the gpasswd command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030650
- name: CAT II | RHEL-07-030660 | The Red Hat Enterprise Linux operating system must audit all uses of the chage command.
# successful and unsuccessful attempts to use the chage command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030660
- name: CAT II | RHEL-07-030670 | The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.
# successful and unsuccessful attempts to use the userhelper command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030670
- name: CAT II | RHEL-07-030680 | The Red Hat Enterprise Linux operating system must audit all uses of the su command.
# successful and unsuccessful attempts to use the su command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030680
- name: CAT II | RHEL-07-030690 | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.
# successful and unsuccessful attempts to use the sudo command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030690
- name: CAT II | RHEL-07-030700 | The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
# successful and unsuccessful attempts to access the sudoers file and directory
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/sudoers -p wa -k privileged-actions'
- '-w /etc/sudoers.d/ -p wa -k privileged-actions'
tags:
- CAT-II
- RHEL-07-030700
- name: CAT II | RHEL-07-030710 | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.
# successful and unsuccessful attempts to use the newgrp command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030710
- name: CAT II | RHEL-07-030720 | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.
# successful and unsuccessful attempts to use the chsh command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030720
- name: CAT II | RHEL-07-030740 | The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.
# successful and unsuccessful attempts to use the mount commands and syscalls
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
- '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
- '-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
tags:
- CAT-II
- RHEL-07-030740
- name: CAT II | RHEL-07-030750 | The Red Hat Enterprise Linux operating system must audit all uses of the umount command.
# successful and unsuccessful attempts to use the umount command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
tags:
- CAT-II
- RHEL-07-030750
- name: CAT II | RHEL-07-030760 | The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.
# successful and unsuccessful attempts to use the postdrop command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
tags:
- CAT-II
- RHEL-07-030760
- name: CAT II | RHEL-07-030770 | The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.
# successful and unsuccessful attempts to use the postqueue command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
tags:
- CAT-II
- RHEL-07-030770
- name: CAT II | RHEL-07-030780 | The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.
# successful and unsuccessful attempts to use the ssh-keysign command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'
tags:
- CAT-II
- RHEL-07-030780
- name: CAT II | RHEL-07-030800 | The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.
# successful and unsuccessful attempts to use the crontab command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
tags:
- CAT-II
- RHEL-07-030800
- name: CAT II | RHEL-07-030810 | The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.
# successful and unsuccessful attempts to use the pam_timestamp_check command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
tags:
- CAT-II
- RHEL-07-030810
- name: CAT II | RHEL-07-030819 | The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S create_module -k module-change'
- '-a always,exit -F arch=b64 -S create_module -k module-change'
tags:
- CAT-II
- RHEL-07-030819
- name: CAT II | RHEL-07-030820 | The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S init_module -k module-change'
- '-a always,exit -F arch=b64 -S init_module -k module-change'
tags:
- CAT-II
- RHEL-07-030820
- name: CAT II | RHEL-07-030821 | The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S finit_module -k module-change'
- '-a always,exit -F arch=b64 -S finit_module -k module-change'
tags:
- CAT-II
- RHEL-07-030821
- name: CAT II | RHEL-07-030830 | The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.
# successful and unsuccessful attempts to use the delete_module syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S delete_module -k module-change'
- '-a always,exit -F arch=b64 -S delete_module -k module-change'
tags:
- CAT-II
- RHEL-07-030830
- name: CAT II | RHEL-07-030840 | The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change'
tags:
- CAT-II
- RHEL-07-030840
- name: CAT II | RHEL-07-030870 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
# Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/passwd -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030870
- name: CAT II | RHEL-07-030871 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/group -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030871
- name: CAT II | RHEL-07-030872 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/gshadow -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030872
- name: CAT II | RHEL-07-030873 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/shadow -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030873
- name: CAT II | RHEL-07-030874 |The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/opasswd".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/security/opasswd -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030874
- name: CAT II | RHEL-07-030880 | The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.
# successful and unsuccessful attempts to use the rename syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030880
- name: CAT II | RHEL-07-030890 | The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall
# successful and unsuccessful attempts to use the renameat syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030890
- name: "CAT II | RHEL-07-030900 | The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."
# successful and unsuccessful attempts to use the rmdir syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030900
- name: "CAT II | RHEL-07-030910 | The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."
# successful and unsuccessful attempts to use the unlink syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030910
- name: "CAT II | RHEL-07-030920 | The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."
# successful and unsuccessful attempts to use the unlinkatsyscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030920
- name: load all the rules into the main audit rules file
shell: /usr/sbin/augenrules --load
register: command_result
failed_when: "'FAILED' in command_result.stderr"
##031000 and RHEL-07-031010 pull from logging.yml may need to be manual depending on loggin solution
- name: "CAT III| RHEL-07-040000 | The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."
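Review bot: The au-remote plugin configuration (RHEL-07-030200/030201/030210/030211) can never take effect as written: `line: '{{ itme }}'` references an undefined variable, the `when:` tests `au-remote_status` while the `stat` in that block registers `au-remote_change`, a hyphenated name is not a valid Ansible variable, `stat` exposes the flag as `.stat.exists` rather than `.exists`, and the first `block:` is a mapping of `stat:`/`file:` keys instead of a list of tasks; without a `regexp:` the lineinfile would also append `active = yes` next to the `active = no` line the package ships (verify on the target) instead of replacing it. The excerpt below rewrites both tasks with one `stat`, a valid `register: au_remote_status`, `when: not au_remote_status.stat.exists`, and a keyed `regexp` so each `key = value` pair is replaced rather than duplicated. Separately, `command: auditctl -f 2` only changes the running daemon and is not idempotent; the later `augenrules --load` task reloads whatever `-f` the rules.d files set (stock RHEL 7 ships `-f 1` in `audit.rules` — verify), so `-f 2` should instead be written as a line into `/etc/audit/rules.d/DISA-STIGs.rules` alongside the other rules so it persists across reloads and reboots. Minor: the `CAT II` tag on the lchown task differs from the `CAT-II` tag used by every other task, and the RHEL-07-030580 task name says setfiles while its rule audits `/usr/bin/chcon`.
```yaml
- name: "CAT II | RHEL-07-030200 | The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."
  block:
    - name: "Register existence of au-remote.conf"
      stat:
        path: /etc/audisp/plugins.d/au-remote.conf
      register: au_remote_status
    - name: "Create au-remote.conf when it is missing"
      file:
        path: /etc/audisp/plugins.d/au-remote.conf
        state: touch
      when: not au_remote_status.stat.exists
# … unchanged: multi-line name and tags of the RHEL-07-030201/030210/030211 task …
  block:
    - name: "Configure au-remote.conf"
      lineinfile:
        path: /etc/audisp/plugins.d/au-remote.conf
        regexp: '^\s*{{ item.split(" = ")[0] }}\s*='
        line: '{{ item }}'
      with_items:
        # … unchanged: the six 'key = value' entries …
```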
