From 6dd766bc330804bef01f9c178a6cde20cb49fa9c Mon Sep 17 00:00:00 2001
From: Ryan Crichton <ryan@jembi.org>
Date: Tue, 9 May 2023 09:57:26 +0200
Subject: [PATCH 1/5] WIP add auditd to monitoring package

---
 .../ansible/playbooks/provision_servers.yml   |   1 +
 .../ansible/roles/auditd/tasks/main.yml       |  15 ++
 monitoring/docker-compose.yml                 |   7 +
 .../dashboards/security/auditlogs.json        | 163 ++++++++++++++++++
 monitoring/promtail/promtail-config.yml       |  92 ++++++----
 5 files changed, 243 insertions(+), 35 deletions(-)
 create mode 100644 infrastructure/ansible/roles/auditd/tasks/main.yml
 create mode 100644 monitoring/grafana/dashboards/security/auditlogs.json

diff --git a/infrastructure/ansible/playbooks/provision_servers.yml b/infrastructure/ansible/playbooks/provision_servers.yml
index 070a93a2..9d6692e5 100644
--- a/infrastructure/ansible/playbooks/provision_servers.yml
+++ b/infrastructure/ansible/playbooks/provision_servers.yml
@@ -4,3 +4,4 @@
     - common
     - docker
     - ufw
+    - auditd
diff --git a/infrastructure/ansible/roles/auditd/tasks/main.yml b/infrastructure/ansible/roles/auditd/tasks/main.yml
new file mode 100644
index 00000000..c01e59a8
--- /dev/null
+++ b/infrastructure/ansible/roles/auditd/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: "install auditd"
+  apt:
+    name: auditd
+    state: latest
+
+- name: "fetch best practice Auditd config"
+  get_url:
+    url: https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
+    dest: /etc/audit/rules.d/audit.rules
+
+- name: "restart auditd service"
+  ansible.builtin.service:
+    name: auditd
+    state: restarted
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 36c40226..e673a56c 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -51,6 +51,8 @@ services:
         source: kminion-topic_rev1.json
       - target: /etc/grafana/provisioning/dashboards/containers/logging-universal-dashboard_rev1.json
         source: logging-universal-dashboard_rev1.json
+      - target: /etc/grafana/provisioning/dashboards/security/auditlogs.json
+        source: auditlogs.json
 
   prometheus:
     image: prom/prometheus:v2.38.0
@@ -189,6 +191,11 @@ configs:
     name: logging-universal-dashboard_rev1.json-${logging_universal_dashboard_rev1_json_DIGEST:?err}
     labels:
       name: grafana
+  auditlogs.json:
+    file: ./grafana/dashboards/security/auditlogs.json
+    name: auditlogs.json-${auditlogs_json_DIGEST:?err}
+    labels:
+      name: grafana
   prometheus.yml:
     file: ./prometheus/prometheus.yml
     name: prometheus.yml-${prometheus_yml_DIGEST:?err}
diff --git a/monitoring/grafana/dashboards/security/auditlogs.json b/monitoring/grafana/dashboards/security/auditlogs.json
new file mode 100644
index 00000000..6e6e6ec3
--- /dev/null
+++ b/monitoring/grafana/dashboards/security/auditlogs.json
@@ -0,0 +1,163 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "datasource": {
+        "type": "loki",
+        "uid": "P00201832B18B88C3"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "scaleDistribution": {
+              "type": "linear"
+            }
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 6,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "calculate": false,
+        "cellGap": 1,
+        "color": {
+          "exponent": 0.5,
+          "fill": "dark-orange",
+          "mode": "scheme",
+          "reverse": true,
+          "scale": "exponential",
+          "scheme": "Oranges",
+          "steps": 64
+        },
+        "exemplars": {
+          "color": "rgba(255,0,255,0.7)"
+        },
+        "filterValues": {
+          "le": 1e-9
+        },
+        "legend": {
+          "show": true
+        },
+        "rowsFrame": {
+          "layout": "auto"
+        },
+        "tooltip": {
+          "show": true,
+          "yHistogram": false
+        },
+        "yAxis": {
+          "axisPlacement": "left",
+          "reverse": false
+        }
+      },
+      "pluginVersion": "9.2.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "loki",
+            "uid": "P00201832B18B88C3"
+          },
+          "editorMode": "code",
+          "expr": "sum(count_over_time({label=~\"T1219.*|recon|.*susp.*\"} [$__interval]))",
+          "queryType": "range",
+          "refId": "A"
+        }
+      ],
+      "title": "Suspicious activity",
+      "type": "heatmap"
+    },
+    {
+      "datasource": {
+        "type": "loki",
+        "uid": "P00201832B18B88C3"
+      },
+      "description": "Filter for security auditlogs that that are potentially suspicious.",
+      "gridPos": {
+        "h": 17,
+        "w": 24,
+        "x": 0,
+        "y": 6
+      },
+      "id": 1,
+      "options": {
+        "dedupStrategy": "none",
+        "enableLogDetails": true,
+        "prettifyLogMessage": false,
+        "showCommonLabels": false,
+        "showLabels": false,
+        "showTime": true,
+        "sortOrder": "Descending",
+        "wrapLogMessage": true
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "loki",
+            "uid": "P00201832B18B88C3"
+          },
+          "editorMode": "builder",
+          "expr": "{job=\"auditlogs\", label=~\"T1219.*|recon|.*susp.*\"}",
+          "key": "Q-9181c263-cf75-42fe-bf50-036eeff7207a-0",
+          "queryType": "range",
+          "refId": "A"
+        }
+      ],
+      "title": "Suspicious activity",
+      "type": "logs"
+    }
+  ],
+  "refresh": false,
+  "schemaVersion": 37,
+  "style": "dark",
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-6h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Audit logs",
+  "uid": "1KG6epL4z",
+  "version": 1,
+  "weekStart": ""
+}
diff --git a/monitoring/promtail/promtail-config.yml b/monitoring/promtail/promtail-config.yml
index 1cce8fe2..c9614c60 100644
--- a/monitoring/promtail/promtail-config.yml
+++ b/monitoring/promtail/promtail-config.yml
@@ -6,42 +6,64 @@ positions:
   filename: /tmp/positions.yaml
 
 clients:
-- url: http://loki:3100/loki/api/v1/push
+  - url: http://loki:3100/loki/api/v1/push
 
 scrape_configs:
+  - job_name: containers
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: containerlogs
+          __path__: /host/containers/*/*log
 
-- job_name: containers
-  static_configs:
-  - targets:
-      - localhost
-    labels:
-      job: containerlogs
-      __path__: /host/containers/*/*log
+    pipeline_stages:
+      - json:
+          expressions:
+            log: log
+            stream: stream
+            time: time
+            tag: attrs.tag
+            stack_name: attrs."com.docker.stack.namespace"
+            swarm_service_name: attrs."com.docker.swarm.service.name"
+            swarm_task_name: attrs."com.docker.swarm.task.name"
+            swarm_node_id: attrs."com.docker.swarm.node.id"
+      - regex:
+          expression: "^/host/containers/(?P<container_id>.{12}).+/.+-json.log$"
+          source: filename
+      - timestamp:
+          format: RFC3339Nano
+          source: time
+      - labels:
+          stream:
+          container_id:
+          tag:
+          stack_name:
+          swarm_service_name:
+          swarm_task_name:
+          swarm_node_id:
+      - output:
+          source: log
 
-  pipeline_stages:
-  - json:
-      expressions:
-        log: log
-        stream: stream
-        time: time
-        tag: attrs.tag
-        stack_name: attrs."com.docker.stack.namespace"
-        swarm_service_name: attrs."com.docker.swarm.service.name"
-        swarm_task_name: attrs."com.docker.swarm.task.name"
-        swarm_node_id: attrs."com.docker.swarm.node.id"
-  - regex:
-      expression: "^/host/containers/(?P<container_id>.{12}).+/.+-json.log$"
-      source: filename
-  - timestamp:
-      format: RFC3339Nano
-      source: time
-  - labels:
-      stream:
-      container_id:
-      tag:
-      stack_name:
-      swarm_service_name:
-      swarm_task_name:
-      swarm_node_id:
-  - output:
-      source: log
+  - job_name: auditd
+    static_configs:
+      - targets:
+          - localhost # Auditd logs are collected from the local host
+        labels:
+          job: auditlogs
+          __path__: /var/log/audit/audit.log
+
+    pipeline_stages:
+      - regex:
+          expression: 'type=(?P<type>\S*)'
+      - regex:
+          expression: 'key="(?P<label>\S*)"'
+      - regex:
+          expression: 'proctitle=(?P<proctitle>\S*)'
+      - template:
+          source: proctitle
+          template: '{{ printf "%s" .Value }}' # Use template formatting to decode the hexadecimal value
+      - labels:
+          label:
+          type:
+          proctitle:

From 443df2f70994788344ef7c29a44ad7048962d4b7 Mon Sep 17 00:00:00 2001
From: Ryan Crichton <ryan@jembi.org>
Date: Fri, 19 Jul 2024 14:42:14 +0200
Subject: [PATCH 2/5] Improve audit dashboard, add ability to filter by node

---
 .../ansible/roles/auditd/tasks/main.yml       |   7 +
 .../dashboards/security/auditlogs.json        | 128 +++++++++++++++++-
 monitoring/promtail/promtail-config.yml       |   6 +-
 3 files changed, 131 insertions(+), 10 deletions(-)

diff --git a/infrastructure/ansible/roles/auditd/tasks/main.yml b/infrastructure/ansible/roles/auditd/tasks/main.yml
index c01e59a8..45b130f3 100644
--- a/infrastructure/ansible/roles/auditd/tasks/main.yml
+++ b/infrastructure/ansible/roles/auditd/tasks/main.yml
@@ -9,6 +9,13 @@
     url: https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
     dest: /etc/audit/rules.d/audit.rules
 
+- name: Ensure name_format is set to HOSTNAME
+  lineinfile:
+    path: /etc/audit/auditd.conf
+    regexp: '^name_format\s*='
+    line: "name_format = HOSTNAME"
+    state: present
+
 - name: "restart auditd service"
   ansible.builtin.service:
     name: auditd
diff --git a/monitoring/grafana/dashboards/security/auditlogs.json b/monitoring/grafana/dashboards/security/auditlogs.json
index 6e6e6ec3..2594edb4 100644
--- a/monitoring/grafana/dashboards/security/auditlogs.json
+++ b/monitoring/grafana/dashboards/security/auditlogs.json
@@ -27,6 +27,31 @@
   "links": [],
   "liveNow": false,
   "panels": [
+    {
+      "datasource": {
+        "type": "datasource",
+        "uid": "grafana"
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 6,
+      "options": {
+        "code": {
+          "language": "plaintext",
+          "showLineNumbers": false,
+          "showMiniMap": false
+        },
+        "content": "# Notes\n\n* Some `proctitles` are hex encoded due to the posibility of special chars. Use a hex to ascii decoder to view these.\n* Multiple lines might refer to the same event, in that case the audit identifier (i.e. `msg=audit(...:...)`) will be the same. Use the find input to easily see all line for an event by searching for this audit identifier.",
+        "mode": "markdown"
+      },
+      "pluginVersion": "9.2.3",
+      "title": "Notes",
+      "type": "text"
+    },
     {
       "datasource": {
         "type": "loki",
@@ -51,7 +76,7 @@
         "h": 6,
         "w": 24,
         "x": 0,
-        "y": 0
+        "y": 4
       },
       "id": 3,
       "options": {
@@ -94,8 +119,8 @@
             "type": "loki",
             "uid": "P00201832B18B88C3"
           },
-          "editorMode": "code",
-          "expr": "sum(count_over_time({label=~\"T1219.*|recon|.*susp.*\"} [$__interval]))",
+          "editorMode": "builder",
+          "expr": "sum(count_over_time({label=~\"T1219.*|recon|.*susp.*\", node=\"$node\"} |= `$query` [$__interval]))",
           "queryType": "range",
           "refId": "A"
         }
@@ -113,7 +138,7 @@
         "h": 17,
         "w": 24,
         "x": 0,
-        "y": 6
+        "y": 10
       },
       "id": 1,
       "options": {
@@ -133,7 +158,7 @@
             "uid": "P00201832B18B88C3"
           },
           "editorMode": "builder",
-          "expr": "{job=\"auditlogs\", label=~\"T1219.*|recon|.*susp.*\"}",
+          "expr": "{job=\"auditlogs\", label=~\"T1219.*|recon|.*susp.*\", node=\"$node\"} |= `$query`",
           "key": "Q-9181c263-cf75-42fe-bf50-036eeff7207a-0",
           "queryType": "range",
           "refId": "A"
@@ -141,6 +166,45 @@
       ],
       "title": "Suspicious activity",
       "type": "logs"
+    },
+    {
+      "datasource": {
+        "type": "loki",
+        "uid": "P00201832B18B88C3"
+      },
+      "description": "All captured logs from auditd",
+      "gridPos": {
+        "h": 17,
+        "w": 24,
+        "x": 0,
+        "y": 27
+      },
+      "id": 4,
+      "options": {
+        "dedupStrategy": "none",
+        "enableLogDetails": true,
+        "prettifyLogMessage": false,
+        "showCommonLabels": false,
+        "showLabels": false,
+        "showTime": true,
+        "sortOrder": "Descending",
+        "wrapLogMessage": true
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "loki",
+            "uid": "P00201832B18B88C3"
+          },
+          "editorMode": "builder",
+          "expr": "{job=\"auditlogs\", node=\"$node\"} |= `$query`",
+          "key": "Q-9181c263-cf75-42fe-bf50-036eeff7207a-0",
+          "queryType": "range",
+          "refId": "A"
+        }
+      ],
+      "title": "All audit logs",
+      "type": "logs"
     }
   ],
   "refresh": false,
@@ -148,10 +212,60 @@
   "style": "dark",
   "tags": [],
   "templating": {
-    "list": []
+    "list": [
+      {
+        "current": {
+          "selected": false,
+          "text": "",
+          "value": ""
+        },
+        "hide": 0,
+        "label": "Find",
+        "name": "query",
+        "options": [
+          {
+            "selected": true,
+            "text": "",
+            "value": ""
+          }
+        ],
+        "query": "",
+        "skipUrlSync": false,
+        "type": "textbox"
+      },
+      {
+        "current": {
+          "selected": true,
+          "text": ["All"],
+          "value": ["$__all"]
+        },
+        "datasource": {
+          "type": "loki",
+          "uid": "P00201832B18B88C3"
+        },
+        "definition": "",
+        "hide": 0,
+        "includeAll": true,
+        "label": "Hostname",
+        "multi": true,
+        "name": "node",
+        "options": [],
+        "query": {
+          "label": "node",
+          "refId": "LokiVariableQueryEditor-VariableQuery",
+          "stream": "",
+          "type": 1
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "type": "query"
+      }
+    ]
   },
   "time": {
-    "from": "now-6h",
+    "from": "now-5m",
     "to": "now"
   },
   "timepicker": {},
diff --git a/monitoring/promtail/promtail-config.yml b/monitoring/promtail/promtail-config.yml
index c9614c60..29b4904e 100644
--- a/monitoring/promtail/promtail-config.yml
+++ b/monitoring/promtail/promtail-config.yml
@@ -60,10 +60,10 @@ scrape_configs:
           expression: 'key="(?P<label>\S*)"'
       - regex:
           expression: 'proctitle=(?P<proctitle>\S*)'
-      - template:
-          source: proctitle
-          template: '{{ printf "%s" .Value }}' # Use template formatting to decode the hexadecimal value
+      - regex:
+          expression: 'node=(?P<node>\S*)'
       - labels:
           label:
           type:
           proctitle:
+          node:

From 5cdaae090152a3c056b8719bb9687d4700f30bef Mon Sep 17 00:00:00 2001
From: Ryan Crichton <ryan@jembi.org>
Date: Fri, 26 Jul 2024 12:08:50 +0200
Subject: [PATCH 3/5] Fix audit dashboard to display data from multiple nodes

---
 monitoring/grafana/dashboards/security/auditlogs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/monitoring/grafana/dashboards/security/auditlogs.json b/monitoring/grafana/dashboards/security/auditlogs.json
index 2594edb4..97f0f6db 100644
--- a/monitoring/grafana/dashboards/security/auditlogs.json
+++ b/monitoring/grafana/dashboards/security/auditlogs.json
@@ -120,7 +120,7 @@
             "uid": "P00201832B18B88C3"
           },
           "editorMode": "builder",
-          "expr": "sum(count_over_time({label=~\"T1219.*|recon|.*susp.*\", node=\"$node\"} |= `$query` [$__interval]))",
+          "expr": "sum(count_over_time({label=~\"T1219.*|recon|.*susp.*\", node=~\"$node\"} |= `$query` [$__interval]))",
           "queryType": "range",
           "refId": "A"
         }
@@ -158,7 +158,7 @@
             "uid": "P00201832B18B88C3"
           },
           "editorMode": "builder",
-          "expr": "{job=\"auditlogs\", label=~\"T1219.*|recon|.*susp.*\", node=\"$node\"} |= `$query`",
+          "expr": "{job=\"auditlogs\", label=~\"T1219.*|recon|.*susp.*\", node=~\"$node\"} |= `$query`",
           "key": "Q-9181c263-cf75-42fe-bf50-036eeff7207a-0",
           "queryType": "range",
           "refId": "A"
@@ -197,7 +197,7 @@
             "uid": "P00201832B18B88C3"
           },
           "editorMode": "builder",
-          "expr": "{job=\"auditlogs\", node=\"$node\"} |= `$query`",
+          "expr": "{job=\"auditlogs\", node=~\"$node\"} |= `$query`",
           "key": "Q-9181c263-cf75-42fe-bf50-036eeff7207a-0",
           "queryType": "range",
           "refId": "A"
@@ -265,7 +265,7 @@
     ]
   },
   "time": {
-    "from": "now-5m",
+    "from": "now-15m",
     "to": "now"
   },
   "timepicker": {},

From 2bbc9bd46c347efb69606c892f8188c3a94730ca Mon Sep 17 00:00:00 2001
From: Ryan Crichton <ryan@jembi.org>
Date: Fri, 26 Jul 2024 12:10:48 +0200
Subject: [PATCH 4/5] Fix deprecated ansible functions

---
 infrastructure/ansible/roles/docker/handlers/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/infrastructure/ansible/roles/docker/handlers/main.yml b/infrastructure/ansible/roles/docker/handlers/main.yml
index 5b9fafc1..02dfb759 100644
--- a/infrastructure/ansible/roles/docker/handlers/main.yml
+++ b/infrastructure/ansible/roles/docker/handlers/main.yml
@@ -1,4 +1,4 @@
 ---
-- include: reload_ufw.yml
-- include: reload_docker.yml
-- include: restart_docker.yml
+- import_tasks: reload_ufw.yml
+- import_tasks: reload_docker.yml
+- import_tasks: restart_docker.yml

From 4d63774330d088afe8d517149648a824ba2d4e1f Mon Sep 17 00:00:00 2001
From: Ryan Crichton <ryan@jembi.org>
Date: Fri, 26 Jul 2024 15:08:39 +0200
Subject: [PATCH 5/5] Update ansible readme with important missing details

---
 infrastructure/ansible/README.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/infrastructure/ansible/README.md b/infrastructure/ansible/README.md
index 8383910b..f2f8f091 100644
--- a/infrastructure/ansible/README.md
+++ b/infrastructure/ansible/README.md
@@ -12,17 +12,19 @@
 
 ## Infrastructure and Servers
 
-Please see the `/inventories/{ENVIRONMENT}/hosts` file for IP details of the designated services. Set these to the server that you created via terraform.
+Please see the `/inventories/{ENVIRONMENT}/hosts` file for IP details of the designated services. Set these to the server's domain name/s that you created via terraform.
 
 ## Ansible
 
 ### SSH Access
 
-To authenticate yourself on the remote servers your ssh key will need to be added to the `sudoers` var in the _/inventories/{ENVIRONMENT}/group_vars/all.yml_.
+To authenticate users and to allow them to have sudo access on the remote servers your ssh key will need to be added to the `sudoers` var in the _/inventories/{ENVIRONMENT}/group_vars/all.yml_.
 
-To have docker access you need to add your ssh key to the  `docker_users` var in the _/inventories/{ENVIRONMENT}/group_vars/all.yml_.
+To authenticate users and to allow them to have docker access you need to add your ssh key to the  `docker_users` var in the _/inventories/{ENVIRONMENT}/group_vars/all.yml_.
 
-An authorised user will need to run the `provision_servers.yml` playbook to add your ssh key to the servers.
+Ensure that you remove all users that you don't want to have access. The default development files have a bunch of Jembi staff's user credentials.
+
+An pre-authorised user will need to run the `provision_servers.yml` playbook the first time to add your ssh key to the servers.
 
 ### Configuration
 
@@ -32,6 +34,8 @@ Before running the ansible script add the server to your known hosts file else a
 ssh-keyscan -H <host> >> ~/.ssh/known_hosts
 ```
 
+Next, ensure that you configure the `firewall_subnet_restriction` property of the _/inventories/{ENVIRONMENT}/group_vars/all.yml_ file if you are setting up multiple nodes in a Docker swarm. Docker swarm nodes need to communicate with each other, this property adds a restriction on the software firewall on each node (UFW) which only allow that communication to happen on the particular subset specified by this property.
+
 To run a playbook you should do:
 
 ```bash