diff --git a/chroot-overlay/etc/aide.conf b/chroot-overlay/etc/aide.conf
new file mode 100644
index 0000000..f4bbc73
--- /dev/null
+++ b/chroot-overlay/etc/aide.conf
@@ -0,0 +1,155 @@
+# CIS Benchmark - AIDE Configuration
+# File Integrity Monitoring for CMMC/FedRAMP compliance
+
+# Database location
+database=file:/var/lib/aide/aide.db
+database_out=file:/var/lib/aide/aide.db.new
+
+# Default configuration
+All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160
+
+# Define file types
+Normal=p+i+n+u+g+s+m+c+md5+sha1
+Binaries=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160
+Config=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs
+Logs=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs+selinux
+Dynamic=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs+selinux
+
+# ============================================================================
+# Directories to Monitor (CIS 4.2.2)
+# ============================================================================
+
+# System binaries
+/bin All
+/sbin All
+/usr/bin All
+/usr/sbin All
+/usr/local/bin All
+/usr/local/sbin All
+
+# System configuration
+/etc Config
+
+# Libraries
+/lib All
+/lib64 All
+/usr/lib All
+/usr/lib64 All
+/usr/local/lib All
+
+# Kernel modules
+/lib/modules Binaries
+
+# Boot files
+/boot Config
+
+# System services
+/etc/systemd Config
+/lib/systemd Binaries
+
+# Security configuration
+/etc/pam.d Config
+/etc/security Config
+
+# Network configuration
+/etc/network Config
+/etc/wireguard Config
+
+# Firewall rules
+/etc/iptables Config
+
+# Audit configuration
+/etc/audit Config
+
+# AppArmor profiles
+/etc/apparmor Config
+
+# Sudo configuration
+/etc/sudoers Config
+/etc/sudoers.d Config
+
+# ============================================================================
+# Directories to Exclude (due to high volatility)
+# ============================================================================
+
+!/proc
+!/sys
+!/dev
+!/tmp
+!/var/tmp
+!/run
+!/var/run
+
+# Exclude logs (monitored separately)
+!/var/log
+
+# Exclude spool directories
+!/var/spool
+
+# Exclude cache
+!/var/cache
+
+# Exclude lock files
+!/var/lock
+
+# Exclude AIDE database
+!/var/lib/aide/aide.db
+
+# Exclude volatile system files
+!/etc/mtab
+!/etc/fstab.backup
+
+# Exclude user-specific volatile files
+!/home/user/.cache
+!/home/user/.local/share/Trash
+
+# Exclude IceWM and Remmina cache
+!/home/user/.icewm/.cache
+!/home/user/.local/share/remmina/*.log
+
+# ============================================================================
+# Monitor critical system files for compliance
+# ============================================================================
+
+# Password and shadow files
+/etc/passwd Normal
+/etc/shadow Config
+/etc/group Normal
+/etc/gshadow Config
+
+# Login configuration
+/etc/login.defs Config
+/etc/securetty Config
+
+# Hosts configuration
+/etc/hosts Config
+/etc/hostname Config
+
+# Time configuration
+/etc/localtime Config
+/etc/timezone Config
+
+# Cron configuration
+/etc/crontab Config
+
+# Startup scripts
+/etc/init.d Config
+
+# Package management
+/var/lib/dpkg Config
+
+# Kernel parameters
+/etc/sysctl.d Config
+
+# ============================================================================
+# Additional Security Rules
+# ============================================================================
+
+# Monitor for SUID/SGID files
++s+a+xattr
+
+# Monitor for world-writable files
++dir+w+u+g+s
+
+# Monitor for SUID root files
+All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160+xattrs
diff --git a/chroot-overlay/etc/audit/rules.d/cis-audit.rules b/chroot-overlay/etc/audit/rules.d/cis-audit.rules
new file mode 100644
index 0000000..6e9ddd4
--- /dev/null
+++ b/chroot-overlay/etc/audit/rules.d/cis-audit.rules
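Review bot: The three lines under `# Additional Security Rules` do not do what their comments claim: `+s+a+xattr` and `+dir+w+u+g+s` are neither group definitions nor selection lines (no leading path, no `name=`), so AIDE will most likely reject or ignore them, and the closing `All=…+xattrs` redefines a group that every earlier `/bin All`-style line already uses, which leaves the effective attribute set dependent on how AIDE resolves group names. Drop the two bare lines, fold `xattrs` into the single `All=` definition at the top, and note that `xattr` on the first bare line also does not match the `xattrs` spelling used everywhere else in the file. Separately, every group relies on `md5+sha1` (plus `tiger+rmd160`); for a file-integrity baseline intended as compliance evidence, adding `sha256` or `sha512` to the group definitions gives collision-resistant checksums at no configuration cost. `database_out` writes `/var/lib/aide/aide.db.new` but only `aide.db` is excluded, so the pending database will itself be reported as a new file on the next check unless `!/var/lib/aide/aide.db.new` is added.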
@@ -0,0 +1,113 @@
+# CIS Benchmark - System Audit Rules
+# Implements CIS Debian Benchmark Section 4.1.2-4.1.17
+
+# Delete all existing rules
+-D
+
+# Set buffer size
+-b 8192
+
+# Set failure mode
+-f 1
+
+# ============================================================================
+# Monitor System Calls (CIS 4.1.10-4.1.17)
+# ============================================================================
+
+# Monitor for use of administration commands (CIS 4.1.10)
+-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
+-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
+
+# Monitor for unauthorized access attempts to files (CIS 4.1.11)
+-a always,exit -F arch=b64 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+
+# Monitor for use of privileged commands (CIS 4.1.12)
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
+
+# Monitor for changes to system network configuration (CIS 4.1.13)
+-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+-a always,exit -F arch=b64 -S /etc/issue -k system-locale
+-a always,exit -F path=/etc/hosts -F perm=wa -k system-locale
+-a always,exit -F path=/etc/network/ -F perm=wa -k system-locale
+
+# Monitor for changes to user/group information (CIS 4.1.14)
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# Monitor for changes to sudoers files (CIS 4.1.15)
+-w /etc/sudoers -p wa -k identity
+-w /etc/sudoers.d/ -p wa -k identity
+
+# Monitor for changes to system scheduling (CIS 4.1.16)
+-w /etc/crontab -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /var/spool/cron/ -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+
+# Monitor for changes to time settings (CIS 4.1.17)
+-w /etc/localtime -p wa -k time-change
+-w /etc/timezone -p wa -k time-change
+
+# ============================================================================
+# Monitor for File Deletion by User
+# ============================================================================
+
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
+
+# ============================================================================
+# Monitor for kernel module loading
+# ============================================================================
+
+-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
+-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
+
+# ============================================================================
+# Monitor for changes to login configuration
+# ============================================================================
+
+-w /etc/login.defs -p wa -k logins
+-w /etc/securetty -p wa -k logins
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+# ============================================================================
+# Monitor for system initialization
+# ============================================================================
+
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+-w /etc/systemd/ -p wa -k init
+
+# ============================================================================
+# Monitor for mandatory access control (MAC) events
+# ============================================================================
+
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+# ============================================================================
+# Audit Log Configuration
+# ============================================================================
+
+# Prevent auditd from being killed
+-a never,exit -F arch=b64 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
+-a never,exit -F arch=b32 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
+
+# Monitor for changes to audit configuration
+-w /etc/audit/ -p wa -k audit_config
+-w /etc/libaudit.conf -p wa -k audit_config
+-w /etc/audisp/ -p wa -k audit_config
diff --git a/chroot-overlay/etc/logrotate.d/cis-logs b/chroot-overlay/etc/logrotate.d/cis-logs
new file mode 100644
index 0000000..8427741
--- /dev/null
+++ b/chroot-overlay/etc/logrotate.d/cis-logs
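Review bot: `-a always,exit -F arch=b64 -S /etc/issue -k system-locale` passes a file path where `-S` expects a syscall name, so auditctl will reject that line and, depending on how the rules are loaded, may stop processing the rest of the file; the CIS form is a watch, `-w /etc/issue -p wa -k system-locale`. The two `-a never,exit … -S kill … -k auditd` rules under `# Prevent auditd from being killed` do the opposite of what the comment says: a `never` rule suppresses auditing, so signals sent by any unprivileged user — including attempts to stop auditd — are dropped from the trail rather than recorded; delete them, or change `never` to `always` if kill events are actually wanted. The kernel-module rules cover only `init_module`; current kernels use `finit_module` for normal module loads and CIS also lists `delete_module`, so both belong in the `-S` list for the b64 and b32 lines. Nothing here sets `-e 2` to make the loaded rules immutable; if that lives in another rules.d file it is fine, but it should be confirmed since the ordering of rules.d files is what decides whether it is applied last.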
@@ -0,0 +1,177 @@
+# CIS Benchmark - Logrotate Configuration
+# Implements CIS Debian Benchmark Section 4.2.1.3
+
+# Rotate daily
+daily
+
+# Keep logs for 365 days (CMMC/FedRAMP requirement)
+rotate 365
+
+# Create new log files
+create
+
+# Compress old logs
+compress
+
+# Use gzip compression
+compresscmd /usr/bin/gzip
+
+# Uncompress with gunzip
+uncompresscmd /usr/bin/gunzip
+
+# Compression options
+compressoptions -9
+
+# Don't compress if recent
+delaycompress
+
+# Don't compress empty logs
+notifempty
+
+# Don't rotate if missing
+missingok
+
+# Rotate if size exceeds 100M
+size 100M
+
+# ============================================================================
+# Specific Log Rotation Rules
+# ============================================================================
+
+# System logs
+/var/log/auth.log
+/var/log/kern.log
+/var/log/syslog
+/var/log/messages
+/var/log/debug
+/var/log/user.log
+{
+ rotate 90
+ daily
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+ sharedscripts
+ postrotate
+ systemctl reload rsyslog > /dev/null 2>&1 || true
+ endscript
+}
+
+# Security logs (keep longer for compliance)
+/var/log/audit/audit.log
+/var/log/security.log
+/var/log/access.log
+/var/log/change.log
+/var/log/admin.log
+{
+ rotate 365
+ daily
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+ sharedscripts
+ postrotate
+ systemctl reload auditd > /dev/null 2>&1 || true
+ systemctl reload rsyslog > /dev/null 2>&1 || true
+ endscript
+}
+
+# Sudo logs
+/var/log/sudo.log
+{
+ rotate 365
+ monthly
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+}
+
+# Firewall and network logs
+/var/log/firewall.log
+/var/log/wireguard.log
+/var/log/network.log
+{
+ rotate 90
+ daily
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+}
+
+# Cron logs
+/var/log/cron.log
+{
+ rotate 60
+ weekly
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+}
+
+# Boot logs
+/var/log/boot.log
+{
+ rotate 30
+ weekly
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+}
+
+# Package manager logs
+/var/log/dpkg.log
+/var/log/apt/
+{
+ rotate 90
+ monthly
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 root adm
+}
+
+# System startup/shutdown logs
+/var/log/wtmp
+{
+ rotate 30
+ monthly
+ compress
+ missingok
+ notifempty
+ create 0644 root utmp
+}
+
+# Failed login attempts
+/var/log/btmp
+{
+ rotate 90
+ monthly
+ compress
+ missingok
+ notifempty
+ create 0640 root utmp
+}
+
+# Last login logs
+/var/log/lastlog
+{
+ rotate 30
+ monthly
+ compress
+ missingok
+ notifempty
+ create 0640 root utmp
+}
diff --git a/chroot-overlay/etc/rsyslog.d/50-cis-logging.conf b/chroot-overlay/etc/rsyslog.d/50-cis-logging.conf
new file mode 100644
index 0000000..fd0484c
--- /dev/null
+++ b/chroot-overlay/etc/rsyslog.d/50-cis-logging.conf
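Review bot: The directives above the first stanza (`daily`, `rotate 365`, `create`, `compress`, `size 100M`, …) are global in logrotate, and a file under `/etc/logrotate.d/` is read in the middle of the include sequence, so they become the defaults for every other package's snippet processed after this one instead of applying only to these logs; move them into the stanzas, or into `/etc/logrotate.conf` if a system-wide default is really intended. Several paths here — `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`, `/var/log/dpkg.log`, `/var/log/wtmp`, `/var/log/btmp` — are normally already covered by the rsyslog, dpkg and base logrotate configurations on Debian, and logrotate refuses a second stanza for the same path with a `duplicate log entry` error and skips it, so these should be checked against the target image and either removed or made the only definition. `/var/log/apt/` is a directory, not a log file, and needs a glob such as `/var/log/apt/*.log` to rotate anything. Rotating `/var/log/audit/audit.log` from logrotate also conflicts with auditd's own `max_log_file`/`num_logs` handling, and as far as I can tell `systemctl reload auditd` re-reads the configuration rather than reopening the log, so after the first rotation auditd would keep writing to the renamed file while the newly created `audit.log` stays empty — let auditd rotate its own log and drop it from this stanza.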
@@ -0,0 +1,119 @@
+# CIS Benchmark - Centralized Logging Configuration
+# Implements CIS Debian Benchmark Section 4.2
+
+# ============================================================================
+# Global Directives
+# ============================================================================
+
+# Use RFC 5424 format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Set file permissions
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+# Rate limiting to prevent log flooding
+$SystemLogRateLimitInterval 5
+$SystemLogRateLimitBurst 500
+
+# ============================================================================
+# Modules
+# ============================================================================
+
+# Load kernel module
+$ModLoad imklog
+
+# Load Mark module for periodic timestamps
+$ModLoad immark
+
+# Load UDP module for remote logging (disabled for security)
+# $ModLoad imudp
+
+# Load TCP module for remote logging (disabled for security)
+# $ModLoad imtcp
+
+# ============================================================================
+# Log Destinations (Local Only - Remote Logging Disabled)
+# ============================================================================
+
+# Kernel messages
+kern.* -/var/log/kern.log
+
+# Authentication logs (CIS 4.2.1)
+auth,authpriv.* -/var/log/auth.log
+
+# System mail
+mail.* -/var/log/mail.log
+
+# Cron logs
+cron.* -/var/log/cron.log
+
+# User messages
+*.=info;*.=notice;*.=warn -/var/log/messages
+
+# Emergency messages
+*.emerg :omusrmsg:*
+
+# ============================================================================
+# Security-Specific Logging
+# ============================================================================
+
+# Sudo command logging
+if $programname == 'sudo' then -/var/log/sudo.log
+& stop
+
+# Audit logging
+if $programname == 'auditd' then -/var/log/audit/audit.log
+& stop
+
+# Security events
+if $programname contains 'security' then -/var/log/security.log
+& stop
+
+# Network events
+if $programname contains 'network' then -/var/log/network.log
+& stop
+
+# WireGuard logs
+if $programname == 'wg-quick' or $programname == 'wireguard' then -/var/log/wireguard.log
+& stop
+
+# Firewall logs
+if $programname == 'iptables' then -/var/log/firewall.log
+& stop
+
+# ============================================================================
+# Compliance Logging (CMMC/FedRAMP Requirements)
+# ============================================================================
+
+# All administrative actions
+if $syslogseverity-text == 'info' and $msg contains 'user' then -/var/log/admin.log
+& stop
+
+# Failed access attempts
+if $msg contains 'failure' or $msg contains 'failed' or $msg contains 'denied' then -/var/log/access.log
+& stop
+
+# System changes
+if $msg contains 'changed' or $msg contains 'modified' then -/var/log/change.log
+& stop
+
+# ============================================================================
+# Rate Limiting Per Facility
+# ============================================================================
+
+# Rate limit syslog messages
+$Ruleset remote
+$ActionQueueType LinkedList
+$ActionQueueSize 100000
+*.* :omusrmsg:*
+
+# ============================================================================
+# Discard Messages
+# ============================================================================
+
+# Discard debug messages
+*.=debug ~
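Review bot: The comment `# Use RFC 5424 format` is contradicted by the directive beneath it: `RSYSLOG_TraditionalFileFormat` is the legacy BSD-style layout with second-precision, year-less timestamps, which is the weakest choice for forensic correlation; use `RSYSLOG_SyslogProtocol23Format` if RFC 5424 is the goal, or at least `RSYSLOG_FileFormat` for high-precision ISO timestamps, and make the comment match. The `# Rate Limiting Per Facility` block does no rate limiting: `$Ruleset remote` moves every rule that follows into a ruleset no input is bound to, so `*.* :omusrmsg:*` and the later `*.=debug ~` never run as written — and, depending on where the main rsyslog.conf includes this directory, rules from later files may also silently land in that ruleset; the `$SystemLogRateLimitInterval`/`Burst` directives above already cover imuxsock rate limiting, so these four lines should simply be removed. `*.=debug ~` also uses the deprecated discard action; `stop` is the supported form. The `$msg contains 'user'` / `'failed'` / `'changed'` routes ending in `& stop` are substring heuristics rather than event classifications, so they are fine as convenience copies but should not be what compliance reporting relies on in place of the facility/program-based files and auditd.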