Skip to content

Commit

Permalink
Cleanup audit rules (#2)
Browse files Browse the repository at this point in the history 
Some of rules in base set do not exist in the version of auditd
we distribute. A few files in STIG rules do not exist in TrueNAS
and prevent auditd load.

This commit also adds an optional prefix argument for script to
generate privileged rules. This is due to script being run outside
chroot environment in scale_build.
  • Loading branch information
@anodos325
anodos325 authored Dec 9, 2024
1 parent f983c65 commit 091bd1e
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 14 deletions.
3 changes: 0 additions & 3 deletions rules/10-base-config.rules
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,3 @@

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f
4 changes: 1 addition & 3 deletions rules/30-stig.rules
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,6 @@
-a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=system-locale
-a always,exit -F arch=b32 -F path=/etc/hostname -F perm=wa -F key=system-locale
-a always,exit -F arch=b64 -F path=/etc/hostname -F perm=wa -F key=system-locale
-a always,exit -F arch=b32 -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-a always,exit -F arch=b64 -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

## Things that could affect MAC policy
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
Expand Down Expand Up @@ -136,7 +134,7 @@
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation

## Always audit call to disable rootfs protection
-a always,exit -F arch=b64 -F path=/usr/local/libexec/disable-rootfs-protection -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/local/libexec/disable-rootfs-protection -F perm=x -F key=maybe-escalation

## ZFS-related binares can also be used to bypass system protections.
-a always,exit -F arch=b64 -F path=/sbin/zfs -F perm=x -F auid>0 -F key=maybe-escalation
Expand Down
29 changes: 21 additions & 8 deletions rules/privileged-rules.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,30 +21,37 @@ def file_has_setuid_bit(target: str) -> bool:
return stat(target).st_mode & S_ISUID


def audit_entry_string(target: str, arch: str) -> str:
def __strip_prefix(target: str, prefix: str) -> str:
return target[len(prefix):]


def audit_entry_string(target: str, arch: str, prefix: str) -> str:
return (
'-a always,exit '
f'-F arch={arch} '
f'-F path={target} '
f'-F path={__strip_prefix(target, prefix)} '
'-F perm=x '
f'-F auid>={USER_ID_MIN} -F auid!=unset '
'-F key=privileged\n'
)


def write_audit_entry(target: str, fh: TextIOWrapper) -> None:
fh.write(audit_entry_string(target, ARCH64))
fh.write(audit_entry_string(target, ARCH32))
def write_audit_entry(target: str, fh: TextIOWrapper, prefix: str) -> None:
fh.write(audit_entry_string(target, ARCH64, prefix))
fh.write(audit_entry_string(target, ARCH32, prefix))


def generate_audit_privilege(target_dir: str, privilege_file: str, prefix: str) -> None:
if prefix and not target_dir.startswith(prefix):
raise ValueError(f'{target_dir}: target_dir does not start with prefix [{prefix}]')

def generate_audit_privilege(target_dir: str, privilege_file: str) -> None:
with open(privilege_file, 'w') as f:
for root, dirs, files in walk(target_dir):
for name in files:
target = path.join(root, name)
try:
if file_has_setuid_bit(target) or file_has_capability(target):
write_audit_entry(target, f)
write_audit_entry(target, f, prefix)
except FileNotFoundError:
# possibly broken symlink
pass
Expand All @@ -62,9 +69,15 @@ def main():
'-p', '--privilege_file',
help='File in which to write privilege rules.'
)
parser.add_argument(
'-x', '--prefix',
help='File in which to write privilege rules.',
default=''
)

args = parser.parse_args()
generate_audit_privilege(args.target_dir, args.privilege_file)

generate_audit_privilege(args.target_dir, args.privilege_file, args.prefix)


if __name__ == '__main__':
Expand Down

0 comments on commit 091bd1e

Please sign in to comment.