From ffcc05dae16a91344cc8a4f7ac7556a68435ae68 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 14 Oct 2020 11:41:21 +0200
Subject: [PATCH 1/4] ignore remote file systems when remediating audit_rules_privileged_commands update remediations and test
---
 .../audit_rules_privileged_commands/ansible/shared.yml | 2 +-
 .../tests/generate_privileged_commands_rule.sh | 2 +-
 .../perform_audit_rules_privileged_commands_remediation.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 2433073a05dc..b9f3b5ccde26 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -5,7 +5,7 @@ # disruption = low - name: Search for privileged commands - shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null + shell: find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null args: warn: False executable: /bin/bash
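Review bot: The `-not -fstype` predicates on the new `shell:` line only guard the setuid branch, because find's implicit `-a` binds tighter than `-o`: the expression parses as `(-not -fstype … -type f -perm -4000) -o (-type f -perm -2000)`, so setgid files on the excluded file systems are still returned, whereas the removed `-xdev` was a global option that applied to both branches. The same expression is introduced in the generate_privileged_commands_rule.sh and perform_audit_rules_privileged_commands_remediation.sh hunks of this patch and re-touched by patch 2/4 without fixing it; this Ansible line itself is replaced in patch 3/4, but the two shell files keep it. Grouping the permission tests restores the intent: `find / -not -fstype afs … -not -fstype davfs -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null`. Note also that `-not -fstype` is a test rather than a `-prune`, so find still descends into the remote mounts (a hung NFS mount can stall the remediation, which `-xdev` avoided); `\( -fstype nfs -o … \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print` would skip them entirely. The fstype list is now hand-maintained in three files, and patch 2/4 already shows it drifting (`fuse.sshfs` added to two of them), so a single shared definition would be worth the effort.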
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
index ee4b678d6ce6..4c30b6017c41 100755
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
@@ -3,6 +3,6 @@ AUID=$1 KEY=$2 RULEPATH=$3 -for file in $(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do +for file in $(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do echo "-a always,exit -F path=$file -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH done
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 532faeacef35..64b8e3ea872d 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -57,7 +57,7 @@ fi # Obtain the list of SUID/SGID binaries on the particular system (split by newline) # into privileged_binaries array privileged_binaries=() -readarray -t privileged_binaries < <(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null) +readarray -t privileged_binaries < <(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null) # Keep list of SUID/SGID binaries that have been already handled within some previous iteration declare -a sbinaries_to_skip=()
From 9d5b30dc95930a07858d8f0acf70e841b2188c36 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 Jan 2021 12:22:10 +0100
Subject: [PATCH 2/4] update bash remediation and test script to include sshfs
---
 .../tests/generate_privileged_commands_rule.sh | 2 +-
 .../perform_audit_rules_privileged_commands_remediation.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
index 4c30b6017c41..6a8d84148946 100755
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
@@ -3,6 +3,6 @@ AUID=$1 KEY=$2 RULEPATH=$3 -for file in $(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do +for file in $(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do echo "-a always,exit -F path=$file -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH done
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 64b8e3ea872d..a072471f1392 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -57,7 +57,7 @@ fi # Obtain the list of SUID/SGID binaries on the particular system (split by newline) # into privileged_binaries array privileged_binaries=() -readarray -t privileged_binaries < <(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null) +readarray -t privileged_binaries < <(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null) # Keep list of SUID/SGID binaries that have been already handled within some previous iteration declare -a sbinaries_to_skip=()
From 3932c3e7b797b8142b658e46921da02aed13fb08 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 Jan 2021 17:25:43 +0100
Subject: [PATCH 3/4] rewrite ansible remediation
---
 .../ansible/shared.yml | 62 ++++++++++++++++---
 1 file changed, 52 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index b9f3b5ccde26..6e125397be63 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -4,14 +4,57 @@ # complexity = low # disruption = low -- name: Search for privileged commands - shell: find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null - args: - warn: False - executable: /bin/bash - check_mode: no - register: find_result - changed_when: false +- name: "Configure excluded (non local) file systems" + set_fact: + excluded_fstypes: + - afs + - ceph + - cifs + - smb3 + - smbfs + - sshfs + - ncpfs + - ncp + - nfs + - nfs4 + - gfs + - gfs2 + - glusterfs + - gpfs + - pvfs2 + - ocfs2 + - lustre + - davfs + - fuse.sshfs + +- name: "Create empty list of excluded paths" + set_fact: + excluded_paths: [] + +- name: "Create empty list of suid / sgid binaries" + set_fact: + suid_sgid_binaries: [] + +- name: "Detect nonlocal file systems and add them to excluded paths" + set_fact: + excluded_paths: "{{ excluded_paths | union([item.mount]) }}" + loop: "{{ ansible_mounts }}" + when: item.fstype in excluded_fstypes + +- name: "Find all files excluding non-local partitions" + find: + paths: "/" + excludes: excluded_paths + file_type: file + hidden: yes + recurse: yes + register: found_files + +- name: "construct list of suid or sgid binaries" + set_fact: + suid_sgid_binaries: "{{ suid_sgid_binaries | union([item.path]) }}" + when: item.mode is match("2.*") + loop: '{{ found_files.files }}' # Inserts/replaces the rule in /etc/audit/rules.d
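Review bot: `excludes: excluded_paths` in the "Find all files excluding non-local partitions" task passes the literal string `excluded_paths`, not the list built by the previous task, so nothing is excluded and remote mounts are walked after all; it needs templating, `excludes: "{{ excluded_paths }}"`. Even templated, the find module's `excludes` patterns are matched against item basenames rather than full paths, so mount points such as `/mnt/nfs` would still not be excluded — the filter has to be applied to `item.path` in the "construct list of suid or sgid binaries" task (for example a prefix test against `excluded_paths`), or the mount points joined into a regex and rejected with `is not match`. Separately, `set_fact` with `union` inside `loop: '{{ found_files.files }}'` runs one task iteration per file on the whole filesystem, which on a real host is tens of thousands of iterations; the single expression `suid_sgid_binaries: "{{ found_files.files | selectattr('mode', 'match', '2.*') | map(attribute='path') | list }}"` gives the same list without the per-item overhead. The `mode` pattern itself is only partially corrected in patch 4/4.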
@@ -21,8 +64,7 @@ recurse: no contains: "^.*path={{ item }} .*$" patterns: "*.rules" - with_items: - - "{{ find_result.stdout_lines }}" + loop: "{{ suid_sgid_binaries }}" register: files_result - name: Overwrites the rule in rules.d
From a82e4e5940d458f32a37bcb3eaf67ee8916863be Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 28 Jan 2021 09:07:40 +0100
Subject: [PATCH 4/4] make remediation also check for sgids
---
 .../audit_rules_privileged_commands/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 6e125397be63..190351af363e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -53,7 +53,7 @@ - name: "construct list of suid or sgid binaries" set_fact: suid_sgid_binaries: "{{ suid_sgid_binaries | union([item.path]) }}" - when: item.mode is match("2.*") + when: item.mode is match("2.*") or item.mode is match("4.*") loop: '{{ found_files.files }}' # Inserts/replaces the rule in /etc/audit/rules.d
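Review bot: `item.mode is match("2.*") or item.mode is match("4.*")` still misses binaries that carry both bits (a mode starting with `6`, e.g. `6755`) as well as the sticky-bit combinations starting with `3`, `5` and `7`, all of which the shell `-perm -4000 -o -perm -2000` test this remediation replaced did catch, so those privileged commands get no audit rule. Assuming `mode` is the four-character octal string the find module returns, one character class covers every setuid/setgid combination: `when: item.mode is match("[2-7].*")`. The task starts inside the hunk, but the later tasks that consume `suid_sgid_binaries` lie outside it.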