feat: implement rsyslog
- and small updates
MVladislav committed Sep 6, 2024
1 parent a1070a0 commit c328133
Showing 7 changed files with 247 additions and 35 deletions.
35 changes: 21 additions & 14 deletions README.md
@@ -39,14 +39,16 @@ Based on **[CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0](https://downloads.cisec

## Notes

- section :: 6.1.2.1 **Configure systemd-journal-remote**
- is configured, but not in deep tested _(default not setup with remote logging)_
- section :: 4.3 **Configure nftables**
- is configured, but not in deep tested _(default ufw is used from section 4.2)_
- section :: 4.4 **Configure iptables**
- is configured, but not in deep tested _(default ufw is used from section 4.2)_
- section :: 5.3 **Pluggable Authentication Modules** :: 5.4 **User Accounts and Environment**
- could be tested deeper, base tests are performed and for secure only used for fresh os install
- section :: 6.1.2.1 **Configure systemd-journal-remote**
- is configured, but not in deep tested _(default not setup with remote logging)_
- section :: 6.1.3.6 **Ensure rsyslog is configured to send logs to a remote log host**
- is configured, but not in deep tested _(default not setup with remote logging)_

## Requirements

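Review bot: The new 6.1.3.6 note says the remote log host path is "not in deep tested" but does not say what the role actually configures; the defaults added in defaults/main.yml in this same commit send to port 514 over plain tcp, so the note should state that the default transport is unencrypted and point at `cis_ubuntu2404_set_rsyslog_remote_port` / `cis_ubuntu2404_set_rsyslog_remote_protocol` for changing it. The 6.1.2.1 entry is only moved within the list (removed at the top, re-added lower), which is fine.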
@@ -119,10 +121,15 @@ cis_ubuntu2404_rule_1_4_1: false
cis_ubuntu2404_set_boot_pass: false
cis_ubuntu2404_disable_boot_pass: true

# active journal upload to remote log collection
# active journal send logs to a remote log host
# do not forget set related variables 'cis_ubuntu2404_set_journal_upload_*'
cis_ubuntu2404_set_journal_upload: false
cis_ubuntu2404_set_journal_upload_url: <SET_REMOTE_URL>

# active rsyslog upload to remote log collection
# do not forget set related variables 'cis_ubuntu2404_set_rsyslog_remote_*'
cis_ubuntu2404_set_rsyslog_remote: false
cis_ubuntu2404_set_rsyslog_remote_target: <SET_REMOTE_URL>
```
### variable special usable between server and client
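Review bot: The configuration example adds `cis_ubuntu2404_set_rsyslog_remote` and `cis_ubuntu2404_set_rsyslog_remote_target` but never mentions `cis_ubuntu2404_preferred_capturing_log_method`, which this commit introduces with a default of `journald`; with that default every 6.1.3.x task, and therefore the remote target, is skipped, so a reader copying this block gets no rsyslog configuration at all. Add `cis_ubuntu2404_preferred_capturing_log_method: rsyslog` next to the rsyslog variables. The `<SET_REMOTE_URL>` placeholder is also misleading for the rsyslog target: the separate port and protocol variables indicate a host name or address, so something like `<SET_REMOTE_HOST>` fits better.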
@@ -661,8 +668,8 @@ For more specific description see the **CIS pdf** file on **page 18**.
| 5.4.3.1 | Ensure nologin is not listed in /etc/shells (Automated) | 🟢 | | |
| 5.4.3.2 | Ensure default user shell timeout is configured (Automated) | 🟢 | | |
| 5.4.3.3 | Ensure default user umask is configured (Automated) | 🟢 | | |
| 6 | **Logging and Auditing** | | 🟡 | |
| 6.1 | **System Logging** | | 🟡 | |
| 6 | **Logging and Auditing** | 🟢 | | |
| 6.1 | **System Logging** | 🟢 | | |
| 6.1.1 | **Configure systemd-journald service** | 🟢 | | |
| 6.1.1.1 | Ensure journald service is enabled and active (Automated) | 🟢 | | |
| 6.1.1.2 | Ensure journald log file access is configured (Manual) | 🟢 | | |
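Review bot: Rows 6 and 6.1 move from 🟡 to 🟢, i.e. fully covered, but defaults/main.yml in this same commit still carries `# cis_ubuntu2404_rule_6_1_1_4: true # NOTE: not implemented`, and 6.1.2.1.3 is only "implicit" in 6.1.2.1.2. Unless 6.1.1.4 is implemented elsewhere, 6.1 is still partial and the 🟡 marker was the accurate one.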
@@ -677,15 +684,15 @@ For more specific description see the **CIS pdf** file on **page 18**.
| 6.1.2.2 | Ensure journald ForwardToSyslog is disabled (Automated) | 🟢 | | |
| 6.1.2.3 | Ensure journald Compress is configured (Automated) | 🟢 | | |
| 6.1.2.4 | Ensure journald Storage is configured (Automated) | 🟢 | | |
| 6.1.3 | **Configure rsyslog** | | | 🔴 |
| 6.1.3.1 | Ensure rsyslog is installed (Automated) | | | 🔴 |
| 6.1.3.2 | Ensure rsyslog service is enabled and active (Automated) | | | 🔴 |
| 6.1.3.3 | Ensure journald is configured to send logs to rsyslog (Automated) | | | 🔴 |
| 6.1.3.4 | Ensure rsyslog log file creation mode is configured (Automated) | | | 🔴 |
| 6.1.3.5 | Ensure rsyslog logging is configured (Manual) | | | 🔴 |
| 6.1.3.6 | Ensure rsyslog is configured to send logs to a remote log host (Manual) | | | 🔴 |
| 6.1.3.7 | Ensure rsyslog is not configured to receive logs from a remote client (Automated) | | | 🔴 |
| 6.1.3.8 | Ensure logrotate is configured (Manual) | | | 🔴 |
| 6.1.3 | **Configure rsyslog** | 🟢 | | |
| 6.1.3.1 | Ensure rsyslog is installed (Automated) | 🟢 | | |
| 6.1.3.2 | Ensure rsyslog service is enabled and active (Automated) | 🟢 | | |
| 6.1.3.3 | Ensure journald is configured to send logs to rsyslog (Automated) | 🟢 | | |
| 6.1.3.4 | Ensure rsyslog log file creation mode is configured (Automated) | 🟢 | | |
| 6.1.3.5 | Ensure rsyslog logging is configured (Manual) | 🟢 | | |
| 6.1.3.6 | Ensure rsyslog is configured to send logs to a remote log host (Manual) | 🟢 | | |
| 6.1.3.7 | Ensure rsyslog is not configured to receive logs from a remote client (Automated) | 🟢 | | |
| 6.1.3.8 | Ensure logrotate is configured (Manual) | 🟢 | | |
| 6.1.4 | **Configure Logfiles** | 🟢 | | |
| 6.1.4.1 | Ensure access to all logfiles has been configured (Automated) | 🟢 | | |
| 6.2 | **System Auditing** | 🟢 | | |
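Review bot: All of 6.1.3.x go from 🔴 to 🟢, but the whole section only runs when `cis_ubuntu2404_preferred_capturing_log_method` is `rsyslog` (the new default is `journald`), and 6.1.3.6 additionally requires `cis_ubuntu2404_set_rsyslog_remote`, which defaults to `false`. Consider a footnote or a distinct marker for conditional rows so the table does not suggest that a default run ships a hardened rsyslog.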
42 changes: 26 additions & 16 deletions defaults/main.yml
@@ -265,23 +265,22 @@ cis_ubuntu2404_rule_6_1_1_1: true
cis_ubuntu2404_rule_6_1_1_2: true
cis_ubuntu2404_rule_6_1_1_3: true
# cis_ubuntu2404_rule_6_1_1_4: true # NOTE: not implemented
cis_ubuntu2404_rule_6_1_2_1_1: true # NOTE: depends also on 'cis_ubuntu2404_set_journal_upload'
cis_ubuntu2404_rule_6_1_2_1_2: true # NOTE: depends also on 'cis_ubuntu2404_set_journal_upload'
cis_ubuntu2404_rule_6_1_2_1_1: true # NOTE: depends also on 'cis_ubuntu2404_preferred_capturing_log_method' and 'cis_ubuntu2404_set_journal_upload'
cis_ubuntu2404_rule_6_1_2_1_2: true # NOTE: depends also on 'cis_ubuntu2404_preferred_capturing_log_method' and 'cis_ubuntu2404_set_journal_upload'
# cis_ubuntu2404_rule_6_1_2_1_3: true # NOTE: implicit in 'cis_ubuntu2404_rule_6_1_2_1_2'
cis_ubuntu2404_rule_6_1_2_1_4: true # NOTE: depends also on 'cis_ubuntu2404_set_journal_upload'
cis_ubuntu2404_rule_6_1_2_2: true
cis_ubuntu2404_rule_6_1_2_3: true
cis_ubuntu2404_rule_6_1_2_4: true
# cis_ubuntu2404_rule_6_1_3_1: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_2: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_3: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_4: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_5: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_6: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_7: true # NOTE: not implemented
# cis_ubuntu2404_rule_6_1_3_8: true # NOTE: not implemented
cis_ubuntu2404_rule_6_1_2_1_4: true # NOTE: depends also on 'cis_ubuntu2404_preferred_capturing_log_method' and 'cis_ubuntu2404_set_journal_upload'
cis_ubuntu2404_rule_6_1_2_2: true # NOTE: depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_2_3: true # NOTE: depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_2_4: true # NOTE: depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_1: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_2: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_3: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_4: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_5: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_6: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method' and 'cis_ubuntu2404_set_rsyslog_remote'
cis_ubuntu2404_rule_6_1_3_7: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_3_8: true # NOTE: rsyslog - depends also on 'cis_ubuntu2404_preferred_capturing_log_method'
cis_ubuntu2404_rule_6_1_4_1: true

cis_ubuntu2404_rule_6_2_1_1: true
cis_ubuntu2404_rule_6_2_1_2: true
cis_ubuntu2404_rule_6_2_1_3: true
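Review bot: The NOTE comments on `cis_ubuntu2404_rule_6_1_2_2` and `cis_ubuntu2404_rule_6_1_3_3` both say "depends also on cis_ubuntu2404_preferred_capturing_log_method", and that dependency deserves one explicit sentence: the two tasks write opposite values (`ForwardToSyslog=no` versus `ForwardToSyslog=yes`) to the same key in /etc/systemd/journald.conf and are kept apart only by that variable. A short comment above this block stating that the 6.1.2.x and 6.1.3.x groups are mutually exclusive, selected by that variable, would spare the next reader from flipping it and then wondering why the other side's line was not reverted.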
@@ -372,6 +371,8 @@ cis_ubuntu2404_allow_cups: false
cis_ubuntu2404_required_ipv6: false
# cis_ubuntu2404_journal_upload_url (cis_ubuntu2404_rule_6_1_2_1_1-4)
cis_ubuntu2404_set_journal_upload: false
# cis_ubuntu2404_journal_upload_url (cis_ubuntu2404_rule_6_1_3_6)
cis_ubuntu2404_set_rsyslog_remote: false
# AIDE perform install/config (cis_ubuntu2404_rule_6_3_1-3)
cis_ubuntu2404_install_aide: true # NOTE: depends also on 'cis_ubuntu2404_config_aide'
cis_ubuntu2404_config_aide: true
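Review bot: The comment on the new line, `# cis_ubuntu2404_journal_upload_url (cis_ubuntu2404_rule_6_1_3_6)`, is copied from the journal-upload line above it and names the wrong variable; it should describe the rsyslog setting, e.g. `# cis_ubuntu2404_set_rsyslog_remote_target (cis_ubuntu2404_rule_6_1_3_6)`.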
@@ -545,12 +546,21 @@ cis_ubuntu2404_journald_system_keep_free: 8G
cis_ubuntu2404_journald_runtime_max_use: 256M
cis_ubuntu2404_journald_runtime_keep_free: 512M
cis_ubuntu2404_journald_max_file_sec: 1month
# systemd-journal-upload remote upload (cis_ubuntu2404_rule_6_1_2_2_3)

# preferred method for capturing logs (cis_ubuntu2404_rule_6_1_2_2, cis_ubuntu2404_rule_6_1_3_3)
cis_ubuntu2404_preferred_capturing_log_method: journald # journald | rsyslog

# systemd-journal-upload remote upload (cis_ubuntu2404_rule_6_1_2_1_1-4)
cis_ubuntu2404_set_journal_upload_url: "{{ omit }}"
cis_ubuntu2404_set_journal_upload_server_key_file: /etc/ssl/private/journal-upload.pem
cis_ubuntu2404_set_journal_upload_server_certificate_file: /etc/ssl/certs/journal-upload.pem
cis_ubuntu2404_set_journal_upload_trusted_certificate_file: /etc/ssl/ca/trusted.pem

# rsyslog remote log host (cis_ubuntu2404_rule_6_1_3_6)
cis_ubuntu2404_set_rsyslog_remote_target: "{{ omit }}"
cis_ubuntu2404_set_rsyslog_remote_port: 514
cis_ubuntu2404_set_rsyslog_remote_protocol: tcp

# audit backlog limit (cis_ubuntu2404_rule_6_2_1_4)
cis_ubuntu2404_audit_backlog_limit: 8192
# audit conf's (cis_ubuntu2404_rule_6_2_2_*)
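Review bot: The new rsyslog remote block defaults to `tcp` on port `514` with no TLS-related variable, while the journal-upload block directly above it carries key, certificate and trusted-CA paths. Plain TCP syslog is neither authenticated nor encrypted, so either document that the default is clear-text and meant for a private log network, or add the equivalent TLS settings for the rsyslog path so both transports offer the same protection. The corrected comment `(cis_ubuntu2404_rule_6_1_2_1_1-4)` replacing the old `6_1_2_2_3` reference is a welcome fix.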
11 changes: 11 additions & 0 deletions handlers/main.yml
@@ -71,6 +71,17 @@
listen: Restart systemd-journald
when: ansible_virtualization_type != "docker"

- name: "HANDLER | 6.1.3.4-8 | systemd restart and enable rsyslog"
become: true
ansible.builtin.systemd_service:
name: rsyslog
daemon_reload: true
enabled: true
masked: false
state: restarted
listen: Restart rsyslog
when: ansible_virtualization_type != "docker"

- name: "HANDLER | 6.1.2.1.2 | systemd restart and enable systemd-journal-upload"
become: true
ansible.builtin.systemd_service:
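Review bot: The handler itself looks right, but in tasks/section6.yml the 6.1.3.8 logrotate task also notifies `Restart rsyslog`; rewriting /etc/logrotate.conf does not require an rsyslog restart, since logrotate reads its configuration on each of its own runs, so that notify can be dropped. Also, this handler uses `ansible.builtin.systemd_service` while the new 6.1.3.2 task uses `ansible.builtin.systemd`; they are the same module under two names, so pick one for consistency.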
2 changes: 1 addition & 1 deletion tasks/section4.yml
@@ -3,8 +3,8 @@

# ------------------------------------------------------------------------------

# - name: "SECTION4 | 4.1.1 | Ensure a single firewall configuration utility is in use"
## NOTE: implicit in rules below
# - name: "SECTION4 | 4.1.1 | Ensure a single firewall configuration utility is in use"

# ------------------------------------------------------------------------------

151 changes: 147 additions & 4 deletions tasks/section6.yml
@@ -78,6 +78,7 @@
when:
- cis_ubuntu2404_rule_6_1_2_1_1
- cis_ubuntu2404_set_journal_upload | bool
- cis_ubuntu2404_preferred_capturing_log_method == "journald"
tags:
- rule_6_1_2_1
- server_l1
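Review bot: The added condition is correct as a gate, but the same `cis_ubuntu2404_preferred_capturing_log_method == "journald"` line is now repeated in the `when:` of every 6.1.2.x task and its `"rsyslog"` twin on every 6.1.3.x task. Wrapping each group in a `block:` with a single `when:` would remove the duplication and make it impossible to forget the condition on a task added later.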
@@ -115,12 +116,13 @@
- cis_ubuntu2404_rule_6_1_2_1_2
- cis_ubuntu2404_set_journal_upload | bool
- cis_ubuntu2404_set_journal_upload_url is defined
- cis_ubuntu2404_preferred_capturing_log_method == "journald"
tags:
- rule_6_1_2_1
- server_l1
- workstation_l1

# NOTE: done in step before, by call notify
## NOTE: done in step before, by call notify
# - name: "SECTION6 | 6.1.2.1.3 | Ensure systemd-journal-upload is enabled and active"

- name: "SECTION6 | 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use"
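Review bot: Pre-existing, but visible in this hunk: the check `cis_ubuntu2404_set_journal_upload_url is defined` never fails, because defaults/main.yml defines the variable as `"{{ omit }}"`, and a variable holding the omit placeholder still counts as defined. The real gate is `cis_ubuntu2404_set_journal_upload | bool`; if the intent is to refuse to run without a URL, test for a non-empty value instead of `is defined`.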
@@ -136,6 +138,7 @@
when:
- cis_ubuntu2404_rule_6_1_2_1_4
- cis_ubuntu2404_set_journal_upload | bool
- cis_ubuntu2404_preferred_capturing_log_method == "journald"
tags:
- rule_6_1_2_1
- server_l1
@@ -147,14 +150,15 @@
ansible.builtin.lineinfile:
dest: /etc/systemd/journald.conf
regexp: "{{ cis_ubuntu2404_regex_base_search }}ForwardToSyslog{{ cis_ubuntu2404_regex_base_search_equals }}"
line: "#ForwardToSyslog=no"
line: "ForwardToSyslog=no"
state: present
owner: root
group: root
mode: "0640"
notify: Restart systemd-journald
when:
- cis_ubuntu2404_rule_6_1_2_2
- cis_ubuntu2404_preferred_capturing_log_method == "journald"
tags:
- rule_6_1_2
- server_l1
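Review bot: Changing the managed line from `#ForwardToSyslog=no` to `ForwardToSyslog=no` is a genuine fix: the previous version wrote a commented-out directive, which journald ignores, so rule 6.1.2.2 was never actually enforced. One inconsistency remains: this task sets `mode: "0640"` on /etc/systemd/journald.conf while the new 6.1.3.3 task sets `mode: "0644"` on the same file, so the file's permissions depend on which logging method is selected; pick one value for both.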
@@ -173,6 +177,7 @@
notify: Restart systemd-journald
when:
- cis_ubuntu2404_rule_6_1_2_3
- cis_ubuntu2404_preferred_capturing_log_method == "journald"
tags:
- rule_6_1_2
- server_l1
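Review bot: Gating 6.1.2.3 (journald Compress) on the journald path looks too broad. When rsyslog is the preferred method journald keeps running, and 6.1.3.3 forwards from it, so the local journal still exists and its Compress and Storage settings (6.1.2.3 and 6.1.2.4) still apply. Unless the intent is to treat those two as journald-only, consider dropping the `preferred_capturing_log_method` condition here and on 6.1.2.4 and keeping it for 6.1.2.1.x and 6.1.2.2, which are the rules that actually conflict with rsyslog.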
@@ -191,14 +196,152 @@
notify: Restart systemd-journald
when:
- cis_ubuntu2404_rule_6_1_2_4
- cis_ubuntu2404_preferred_capturing_log_method == "journald"
tags:
- rule_6_1_2
- server_l1
- workstation_l1

# ------------------------------------------------------------------------------

# TODO: add section "6.1.3 Configure rsyslog"
- name: "SECTION6 | 6.1.3.1 | Ensure rsyslog is installed"
ansible.builtin.apt:
name: rsyslog
state: present
force_apt_get: true
when:
- cis_ubuntu2404_rule_6_1_3_1
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.2 | Ensure rsyslog service is enabled and active"
ansible.builtin.systemd:
name: rsyslog
daemon_reload: true
enabled: true
masked: false
state: started
when:
- cis_ubuntu2404_rule_6_1_3_2
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.3 | Ensure journald is configured to send logs to rsyslog"
ansible.builtin.lineinfile:
dest: /etc/systemd/journald.conf
regexp: "{{ cis_ubuntu2404_regex_base_search }}ForwardToSyslog{{ cis_ubuntu2404_regex_base_search_equals }}"
line: "ForwardToSyslog=yes"
state: present
create: true
owner: root
group: root
mode: "0644"
notify: Restart systemd-journald
when:
- cis_ubuntu2404_rule_6_1_3_3
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.4 | Ensure rsyslog log file creation mode is configured"
ansible.builtin.lineinfile:
dest: /etc/rsyslog.conf
regexp: "{{ cis_ubuntu2404_regex_base_search }}$FileCreateMode "
line: "$FileCreateMode 0640"
state: present
create: true
owner: root
group: root
mode: "0644"
notify: Restart rsyslog
when:
- cis_ubuntu2404_rule_6_1_3_4
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.5 | Ensure rsyslog logging is configured"
ansible.builtin.template:
src: 60-rsyslog.conf.j2
dest: /etc/rsyslog.d/60-rsyslog.conf
owner: root
group: root
mode: "0644"
notify: Restart rsyslog
when:
- cis_ubuntu2404_rule_6_1_3_5
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.6 | Ensure rsyslog is configured to send logs to a remote log host"
ansible.builtin.template:
src: 60-rsyslog.conf.j2
dest: /etc/rsyslog.d/60-rsyslog.conf
owner: root
group: root
mode: "0644"
notify: Restart rsyslog
when:
- cis_ubuntu2404_rule_6_1_3_6
- cis_ubuntu2404_set_rsyslog_remote | bool
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.7 | Ensure rsyslog is not configured to receive logs from a remote client"
ansible.builtin.lineinfile:
dest: /etc/rsyslog.conf
regexp: "{{ item.reg }}"
line: "{{ item.line }}"
state: present
create: true
owner: root
group: root
mode: "0644"
with_items:
- reg: '^module\(load="imtcp"\)'
line: '#module(load="imtcp")'
- reg: '^input\(type="imtcp" port="514"\)'
line: '#input(type="imtcp" port="514")'
notify: Restart rsyslog
when:
- cis_ubuntu2404_rule_6_1_3_7
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

- name: "SECTION6 | 6.1.3.8 | Ensure logrotate is configured"
ansible.builtin.template:
src: logrotate.conf.j2
dest: /etc/logrotate.conf
owner: root
group: root
mode: "0644"
notify: Restart rsyslog
when:
- cis_ubuntu2404_rule_6_1_3_8
- cis_ubuntu2404_preferred_capturing_log_method == "rsyslog"
tags:
- rule_6_1_3
- server_l1
- workstation_l1

# ------------------------------------------------------------------------------

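Review bot: In 6.1.3.4 the `regexp` ends in `$FileCreateMode `; inside a regular expression an unescaped `$` is the end-of-line anchor, not a literal dollar sign, so this pattern cannot match an existing `$FileCreateMode` directive in /etc/rsyslog.conf. An existing directive with a different value is therefore left in place and `$FileCreateMode 0640` is appended at the end of the file, which on a typical rsyslog.conf is after the include of rsyslog.d and so applies to no actions. Escape it as `\\$FileCreateMode ` (or `[$]FileCreateMode `). Two smaller points in the same hunk: 6.1.3.5 and 6.1.3.6 render the same template to the same destination, so the remote-host logic must already live inside 60-rsyslog.conf.j2 and the second task is redundant (only its `when` differs); and 6.1.3.7 only comments out `imtcp` with one exact `port="514"` spelling, so a receiver loaded via `imudp`, a different port, or the legacy `$ModLoad imtcp` / `$InputTCPServerRun` syntax passes the check unchanged.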
@@ -705,7 +848,7 @@
- server_l2
- workstation_l2

# NOTE: done in steps before, by call notify
## NOTE: done in steps before, by call notify
# - name: "SECTION6 | 6.2.3.21 | Ensure the running and on disk configuration is the same"

# ------------------------------------------------------------------------------