Updated UID discovery and var naming

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Nov 14, 2024 · 5a41681 · 5a41681
1 parent f6859f0
commit 5a41681
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 22 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -800,6 +800,19 @@ rhel8cis_auditd:
     admin_space_left_action: single
     max_log_file_action: keep_logs
 
+# UID settings for interactive users
+# These are discovered via logins.def if set true
+discover_int_uid: true
+### Controls:
+# This variable sets the minimum number from which to search for UID
+# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# been set to `true`.
+min_int_uid: 1000
+### Controls:
+# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# been set to `true`.
+max_int_uid: 65533
+
 # This can be used to configure other keys in auditd.conf
 rhel8cis_auditd_extra_conf: {}
 # Example:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -34,6 +34,29 @@
   changed_when: false
   register: discovered_interactive_uids
 
+- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
+  block:
+      - name: "PRELIM | Capture UID_MIN information from logins.def"
+        ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: uid_min_id
+
+      - name: "PRELIM | Capture UID_MAX information from logins.def"
+        ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: uid_max_id
+
+      - name: "PRELIM | Capture GID_MIN information from logins.def"
+        ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: gid_min_id
+
+      - name: "PRELIM | set_facts for interactive uid/gid"
+        ansible.builtin.set_fact:
+            min_int_uid: "{{ uid_min_id.stdout }}"
+            max_int_uid: "{{ uid_max_id.stdout }}"
+            min_int_gid: "{{ gid_min_id.stdout }}"
+
 - name: "PRELIM | AUDIT | Set facts based on boot type"
   tags:
       - always

diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -28,14 +28,14 @@
 {% endif %}
 {% if rhel8cis_rule_5_2_3_6 %}
 {% for proc in discovered_privilege_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel8cis_rule_5_2_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
 {% endif %}
 {% if rhel8cis_rule_5_2_3_8 %}
 -w /etc/group -p wa -k identity
@@ -45,16 +45,16 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel8cis_rule_5_2_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
 {% endif %}
 {% if rhel8cis_rule_5_2_3_10 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
 {% if rhel8cis_rule_5_2_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -66,29 +66,29 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel8cis_rule_5_2_3_13 %}
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
 {% endif %}
 {% if rhel8cis_rule_5_2_3_14 %}
 -w /etc/selinux/ -p wa -k MAC-policy
 -w /usr/share/selinux/ -p wa -k MAC-policy
 {% endif %}
 {% if rhel8cis_rule_5_2_3_15 %}
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k perm_chng
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel8cis_rule_5_2_3_16 %}
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k perm_chng
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel8cis_rule_5_2_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k perm_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel8cis_rule_5_2_3_18 %}
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k usermod
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
 {% if rhel8cis_rule_5_2_3_19 %}
--a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k kernel_modules
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel8uid_uid_start }} -F auid!=unset -k kernel_modules
+-a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel8cis_rule_5_2_3_20 %}
 -e 2