Implement configuring eBPF firewalling via systemd for auditd.service in network mode

3 years ago · eba28b1d28
parent 4157af8a9b
commit eba28b1d28
3 changed files with 106 additions and 4 deletions
--- a/common.sh
+++ b/common.sh
@ -1,12 +1,13 @@
 # prefix for testing
 DESTDIR="${DESTDIR:-}"
-PWQUALITY_CONF_FILE="${DESTDIR}etc/security/pwquality.conf"
-INTERNAL_DIR="${DESTDIR}var/lib/linux-infosec-setupper"
+PWQUALITY_CONF_FILE="${DESTDIR}/etc/security/pwquality.conf"
+INTERNAL_DIR="${DESTDIR}/var/lib/linux-infosec-setupper"
 # /etc/audit/audit.rules is generated automatically from /etc/audit/rules.d/*,
 # do not edit it; also do not edit any other files, work only with ours,
 # assume that there are no other configs or they have lower priority
-AUDIT_RULES_FILE=${DESTDIR}etc/audit/rules.d/90-linux-infosec-setupper.rules
-AUDIT_DAEMON_CONFIG=${DESTDIR}etc/audit/auditd.conf
+AUDIT_RULES_FILE="${DESTDIR}/etc/audit/rules.d/90-linux-infosec-setupper.rules"
+AUDIT_DAEMON_CONFIG="${DESTDIR}/etc/audit/auditd.conf"
+AUDIT_DAEMON_SYSTEMD_OVERRIDE="${DESTDIR}/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf"
 # validate email, https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
 REGEX_EMAIL="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"

--- a/mikhailnov.sh
+++ b/mikhailnov.sh
@ -42,6 +42,68 @@ _audit_action_config(){
 	return "$l_failed"
 }

+_mk_systemd_auditd_override(){
+	local do_verify=1
+	if [ -z "$DESTDIR" ]; then do_verify=0; fi
+	# --IPAddressAllow=xxx --IPAddressDeny=xxx may be specified multiple times
+	local IPAddressAllow=""
+	local IPAddressDeny=""
+	while [ -n "$1" ]
+	do
+		case "$1" in
+			"--verify-disable" )
+				do_verify=0
+			;;
+			"--IPAddressAllow" )
+				shift
+				IPAddressAllow="${IPAddressAllow} $1"
+			;;
+			"--IPAddressDeny" )
+				shift
+				IPAddressDeny="${IPAddressDeny} $1"
+			;;
+		esac
+		shift
+	done
+	local systemd_override_dir="$(dirname "$AUDIT_DAEMON_SYSTEMD_OVERRIDE")"
+	if ! mkdir -p "$systemd_override_dir" ; then
+		error $"Error creating directory %s" "$systemd_override_dir"
+		return 1
+	fi
+	cat > "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" << EOF
+[Service]
+$(for i in $IPAddressAllow
+do
+	echo "IPAddressAllow=$i"
+done)
+$(for i in $IPAddressDeny
+do
+	echo "IPAddressDeny=$i"
+done)
+EOF
+	# Make it work inside e.g. Anaconda module where $DESTDIR is not empty
+	# probably by copying the file to the root of the LiveCD.
+	# Detection of being run from Anaconda here is a prototype.
+	if [ "${I_AM_ANACONDA:-0}" != 0 ]; then
+		local cp_dst="$(echo "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" | sed -e "s,^${DESTDIR},,")"
+		if cp "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" "$cp_dst"
+		then
+			do_verify=1
+		else
+			error $"Error copying systemd override file %s to %s" "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" "$cp_dst"
+			return 1
+		fi
+	fi
+	if [ "$do_verify" = 1 ]; then
+		local systemd_analyze_result="$(systemd-analyze verify "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" 2>&1)"
+		if [ $? != 0 ]; then
+			error $"Systemd unit file auditd.service with setted up packet filtering has not passed verification!"
+			error $"The error was:"
+			error "$systemd_analyze_result"
+		fi
+	fi
+}
+
 # can be used to reset variables to default values after loading previously setted up ones
 _audit_variables(){
 	failed=0
@ -341,7 +403,13 @@ _mk_auditd_config(){
 			# TODO: tcp_client_max_idle
 			# TODO: kerberos authentication against a Kerberos/Samba/FreeIPA server
 			# https://listman.redhat.com/archives/linux-audit/2019-April/msg00110.html
+
+			"--systemd-firewalling-params" )
+				shift
+				_mk_systemd_auditd_override "$1"
+			;;
 		esac
+		shift
 		if [ "$failed" != 0 ]; then
 			error $"Errors occured when trying to understand how to configure auditd"
 			return 1
--- a/mikhailnov_test.sh
+++ b/mikhailnov_test.sh
@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x
+set -e
+
+failed=0
+tmpdir="$(mktemp -d)"
+DESTDIR="$tmpdir"
+echo "TMP DIR: $tmpdir"
+. ./mikhailnov.sh
+
+_exit(){
+	# Catch exit != 0 from functions (fatal errors)
+	if [ $? != 0 ]; then
+		failed=$((++failed))
+	fi
+	if [ "$failed" -gt 0 ]; then
+		echo "FAILED TESTS: $failed"
+		exit 1
+	fi
+}
+trap _exit EXIT ERR
+
+_main(){
+	{ _mk_systemd_auditd_override --verify-disable --IPAddressDeny "any" --IPAddressAllow "192.168.10.1/24" && \
+	  [ "$(md5sum "${DESTDIR}"/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf | awk '{print $1}')" = 4088ff9965f0a09f97656646e2f8487a ] ;} || \
+    { echo failed test 1; failed="$((++failed))"; }
+	{ _mk_systemd_auditd_override --verify-disable --IPAddressDeny "any" --IPAddressAllow "192.168.10.1/24" --IPAddressAllow "192.168.20.1"  && \
+	  [ "$(md5sum "${DESTDIR}"/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf | awk '{print $1}')" = 328a21120354f2d2ab8888ebffb54fac ] ;} || \
+    { echo failed test 1; failed="$((++failed))"; }
+}
+
+_main