Update ansible in audit_rules_kernel_module rules

Update the auid filters in ansible for audit_rules_kernel_module_loading_delete, audit_rules_kernel_module_loading_finit and audit_rules_kernel_module_loading_init Signed-off-by: Edgar Aguilar <[email protected]>
alanmcanonical · Apr 4, 2022 · c0ae24e · c0ae24e
1 parent de702fb
commit c0ae24e
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 12 deletions.
diff --git a/...s/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/...s/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
@@ -4,6 +4,12 @@
 # disruption = low
 # strategy = configure
 
+{{% if product in ["ol8", "rhel8"] %}}
+{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
+{{% else %}}
+{{% set auid_filters = "" %}}
+{{% endif %}}
+
 # What architecture are we on?
 
 - name: Set architecture for audit delete_module tasks
@@ -15,15 +21,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["delete_module"],
       key="module-change",
       syscall_grouping=[],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["delete_module"],
       key="module-change",
       syscall_grouping=[],
@@ -34,15 +40,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["delete_module"],
       key="module-change",
       syscall_grouping=[],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["delete_module"],
       key="module-change",
       syscall_grouping=[],

diff --git a/...es/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/...es/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
@@ -4,6 +4,12 @@
 # disruption = low
 # strategy = configure
 
+{{% if product in ["ol8", "rhel8"] %}}
+{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
+{{% else %}}
+{{% set auid_filters = "" %}}
+{{% endif %}}
+
 # What architecture are we on?
 
 - name: Set architecture for audit finit_module tasks
@@ -15,15 +21,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["finit_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["finit_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
@@ -34,15 +40,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["finit_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["finit_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],

diff --git a/...les/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/...les/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
@@ -4,6 +4,12 @@
 # disruption = low
 # strategy = configure
 
+{{% if product in ["ol8", "rhel8"] %}}
+{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
+{{% else %}}
+{{% set auid_filters = "" %}}
+{{% endif %}}
+
 # What architecture are we on?
 
 - name: Set architecture for audit init_module tasks
@@ -15,15 +21,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
@@ -34,15 +40,15 @@
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],