diff --git a/ansible/host_vars/prod-01.alexpires.me.yml b/ansible/host_vars/prod-01.alexpires.me.yml index 40cc881..17ea99e 100644 --- a/ansible/host_vars/prod-01.alexpires.me.yml +++ b/ansible/host_vars/prod-01.alexpires.me.yml @@ -143,6 +143,10 @@ encryption_aws_secret_access_key: "{{ lookup('env', 'KMS_SECRET_KEY') }}" encryption_kms_arn: "arn:aws:kms:eu-west-1:001604727293:key/977d08fd-8230-40bf-8a4f-d8a3264c5990" encryption_kms_socket: /var/run/kmsplugin/socket.sock +#audit encryption socker +auditd_encryption_kms_socket: /var/run/kmsplugin/socket.sock +auditd_max_log_file_action: rotate + # Kubernetes specific settings microk8s_version: 1.29 microk8s_allowed_hosts: diff --git a/ansible/roles/cis/defaults/main/auditd.yml b/ansible/roles/cis/defaults/main/auditd.yml index 19a9d84..6dd22e6 100644 --- a/ansible/roles/cis/defaults/main/auditd.yml +++ b/ansible/roles/cis/defaults/main/auditd.yml @@ -10,6 +10,6 @@ auditd_mode: 1 auditd_num_logs: 5 auditd_space_left: 75 auditd_space_left_action: email +auditd_encryption_kms_socket: grub_audit_backlog_cmdline: audit_backlog_limit=8192 grub_audit_cmdline: audit=1 -... diff --git a/ansible/roles/cis/templates/etc/audit/rules.d/hardening.rules.j2 b/ansible/roles/cis/templates/etc/audit/rules.d/hardening.rules.j2 index df67d7e..2591d20 100644 --- a/ansible/roles/cis/templates/etc/audit/rules.d/hardening.rules.j2 +++ b/ansible/roles/cis/templates/etc/audit/rules.d/hardening.rules.j2 @@ -150,6 +150,11 @@ -w /usr/sbin/runc -p rwxa -k docker -w /var/run/docker.sock -p rwxa -k docker +{% if auditd_encryption_kms_socket is defined %} +# AWS encryption provider +-w {{ auditd_encryption_kms_socket | dirname }} -p rwxa -k aws-encryption-provider +{% endif %} + # Group modifications -w /etc/group -p wa -k group-modification -w /etc/gshadow -p wa -k group-modification diff --git a/ansible/roles/encryption/templates/start-encryption-provider.sh.j2 b/ansible/roles/encryption/templates/start-encryption-provider.sh.j2 index 44e10a4..13cafff 100644 --- a/ansible/roles/encryption/templates/start-encryption-provider.sh.j2 +++ b/ansible/roles/encryption/templates/start-encryption-provider.sh.j2 @@ -3,4 +3,6 @@ # Managed by Ansible. export AWS_ACCESS_KEY_ID={{ encryption_aws_access_key_id }} export AWS_SECRET_ACCESS_KEY={{ encryption_aws_secret_access_key }} +mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true +chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null /usr/local/bin/aws-encryption-provider --key={{ encryption_kms_arn }} --region={{ encryption_kms_region }} --listen={{ encryption_kms_socket }}