NAS-133260 / Add script to parse output of the auditd af_unix socket

debian/control

@@ -8,6 +8,6 @@ Homepage: http://www.truenas.com
 
 Package: truenas-audit-rules
 Architecture: any
-Depends: truenas-files, ${misc:Depends}, ${shlibs:Depends}
+Depends: python3:any, truenas-files, ${misc:Depends}, ${shlibs:Depends}
 Description: Auditd rules for TrueNAS when STIG compatibiliy mode
  enabled.

debian/rules

@@ -8,6 +8,12 @@ override_dh_auto_install:
 	sh -c "\
 		mkdir -p debian/truenas-audit-rules/conf/audit_rules/; \
 		cp -a rules/* debian/truenas-audit-rules/conf/audit_rules/; \
+		mkdir -p debian/truenas-audit-rules/conf/audit_plugins/; \
+		cp -a plugins/* debian/truenas-audit-rules/conf/audit_plugins/; \
+		mkdir -p debian/truenas-audit-rules/usr/local/libexec/; \
+		cp -a scripts/* debian/truenas-audit-rules/usr/local/libexec/; \
+		mkdir -p debian/truenas-audit-rules/lib/systemd/system/; \
+		cp -a systemd/* debian/truenas-audit-rules/lib/systemd/system/; \
 	"
 
 override_dh_fixperms:

debian/truenas-audit-rules.lintian-overrides

@@ -1,3 +1,5 @@
 file-in-unusual-dir
 no-copyright-file
 non-standard-toplevel-dir
+dir-in-usr-local
+file-in-usr-local

plugins/af_unix.conf

@@ -0,0 +1,12 @@
+# This file controls the configuration of the
+# af_unix socket plugin. It simply takes events
+# and writes them to a unix domain socket. This
+# plugin can take 2 arguments, the path for the
+# socket and the socket permissions in octal.
+
+active = yes
+direction = out
+path = builtin_af_unix
+type = builtin
+args = 0600 /var/run/audispd_events
+format = string

rules/30-stig.rules

@@ -18,16 +18,16 @@
 -a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=time-change
 
 ## Things that affect identity
--a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>0 -F key=identity
--a always,exit -F arch=b32 -F path=/etc/security/opasswd -F auid>0 -F perm=wa -F key=identity
--a always,exit -F arch=b64 -F path=/etc/security/opasswd -F auid>0 -F perm=wa -F key=identity
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid!=unset -F key=identity
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid!=unset -F key=identity
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid!=unset -F key=identity
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid!=unset -F key=identity
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F key=identity
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F key=identity
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid!=unset -F key=identity
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid!=unset -F key=identity
+-a always,exit -F arch=b32 -F path=/etc/security/opasswd -F perm=wa -F key=identity
+-a always,exit -F arch=b64 -F path=/etc/security/opasswd -F perm=wa -F key=identity
 
 ## Things that could affect system locale
 -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
@@ -108,14 +108,14 @@
 ## You have to mount media before using it. You must disable all automounting
 ## so that its done manually in order to get the correct user requesting the
 ## export
--a always,exit -F arch=b32 -S mount -F auid>=900 -F auid!=unset -F key=export
--a always,exit -F arch=b64 -S mount -F auid>=900 -F auid!=unset -F key=export
+-a always,exit -F arch=b32 -S mount -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -S mount -F auid!=unset -F key=export
 
 ##- System startup and shutdown (unsuccessful and successful)
 
 ##- Files and programs deleted by the user (successful and unsuccessful)
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=900 -F auid!=unset -F key=delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=900 -F auid!=unset -F key=delete
+#-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>900 -F auid!=unset -F key=delete
+#-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>900 -F auid!=unset -F key=delete
 
 ##- All system administration actions
 ##- All security personnel actions
@@ -124,18 +124,32 @@
 ## If that is not found, use sudo which should be patched to record its
 ## commands to the audit system. Do not allow unrestricted root shells or
 ## sudo cannot record the action.
--a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=actions
--a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=actions
--a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions
--a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions
+-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=escalation
+-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=escalation
+-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=escalation
+-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=escalation
 
 ## Special case for systemd-run. It is not audit aware, specifically watch it
--a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
--a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=escalation
 
 ## Always audit call to disable rootfs protection
--a always,exit -F arch=b64 -F path=/usr/local/libexec/disable-rootfs-protection -F perm=x -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/local/libexec/disable-rootfs-protection -F perm=x -F key=escalation
 
 ## ZFS-related binares can also be used to bypass system protections.
--a always,exit -F arch=b64 -F path=/sbin/zfs -F perm=x -F auid>0 -F key=maybe-escalation
--a always,exit -F arch=b64 -F path=/sbin/zpool -F perm=x -F auid>0 -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/sbin/zfs -F perm=x -F auid!=unset -F key=escalation
+-a always,exit -F arch=b64 -F path=/sbin/zpool -F perm=x -F auid!=unset -F key=escalation
+
+## TrueNAS configuration
+-a always,exit -F arch=b64 -F dir=/data/ -F perm=r -F auid!=unset -F key=escalation
+-a always,exit -F arch=b64 -F dir=/var/run/middleware/ -F perm=r -F auid!=unset -F key=escalation
+-a always,exit -F arch=b64 -F dir=/var/db/system/ -F perm=r -F auid!=unset -F key=escalation
+-a always,exit -F arch=b64 -F dir=/var/run/samba-cache/ -F perm=r -F auid!=unset -F key=escalation
+
+## Server configuration
+-a always,exit -F arch=b64 -F path=/etc/exports -F perm=wa -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -F dir=/etc/exports.d -F perm=wa -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -F path=/etc/smb4.conf -F perm=wa -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -F path=/etc/proftpd/proftpd.conf -F perm=wa -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -F dir=/etc/proftpd/conf.d -F perm=wa -F auid!=unset -F key=export
+-a always,exit -F arch=b64 -F path=/etc/scst.conf -F perm=wa -F auid!=unset -F key=export