Adding auditd rules to hardening machine-image

Install auditd and add auditd rules to hardening machine-image.
Also add kernel boot parameters to audit.

This will apply following CIS compliance rules:
- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod
- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe
- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod
- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
- xccdf_org.ssgproject.content_rule_audit_rules_session_events
- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
- xccdf_org.ssgproject.content_rule_grub2_audit_argument
- xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
- xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action

Fixes #71
Related scylladb/scylla-pkg#2953

(cherry picked from commit e85b15f)

packer/apply_cis_rules

@@ -0,0 +1,92 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+#
+# Copyright 2020 ScyllaDB
+#
+# SPDX-License-Identifier: Apache-2.0
+
+import os
+import sys
+import re
+import argparse
+from subprocess import run
+
+if __name__ == '__main__':
+    if os.getuid() > 0:
+        print('Requires root permission.')
+        sys.exit(1)
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--target-cloud', choices=['aws', 'gce', 'azure'], help='specify target cloud')
+    args = parser.parse_args()
+
+    # xccdf_org.ssgproject.content_rule_grub2_audit_argument
+    kernel_opt = 'audit=1'
+    # xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
+    kernel_opt += ' audit_backlog_limit=8192'
+    if args.target_cloud == 'aws' or args.target_cloud == 'gce':
+        grub_variable = 'GRUB_CMDLINE_LINUX_DEFAULT'
+    elif args.target_cloud == 'azure':
+        grub_variable = 'GRUB_CMDLINE_LINUX'
+    with open('/etc/default/grub.d/50-cloudimg-settings.cfg') as f:
+        grub = f.read()
+    grub = re.sub(fr'^{grub_variable}="(.+)"$',
+                  fr'{grub_variable}="\1 {kernel_opt}"', grub,
+                  flags=re.MULTILINE)
+    with open('/etc/default/grub.d/50-cloudimg-settings.cfg', 'w') as f:
+        f.write(grub)
+    run('update-grub2', shell=True, check=True)
+
+
+    run('apt-get install -y auditd', shell=True, check=True)
+
+    auditd_rules = '''
+## xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod
+-w /sbin/insmod -p x -k modules
+
+## xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe
+-w /sbin/modprobe -p x -k modules
+
+## xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod
+-w /sbin/rmmod -p x -k modules
+
+## xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+-w /etc/selinux/ -p wa -k MAC-policy
+
+## xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/networks -p wa -k audit_rules_networkconfig_modification
+-w /etc/network/ -p wa -k audit_rules_networkconfig_modification
+
+## xccdf_org.ssgproject.content_rule_audit_rules_session_events
+-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+
+## xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+
+'''[1:-1]
+    with open('/etc/audit/rules.d/70-cis-rules.rules', 'w') as f:
+        f.write(auditd_rules)
+    os.chmod('/etc/audit/rules.d/70-cis-rules.rules', 0o640)
+    run('augenrules --load', shell=True, check=True)
+
+    with open('/etc/audit/auditd.conf') as f:
+        auditd = f.read()
+    # xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
+    auditd = re.sub(r'^max_log_file_action = .+$', 'max_log_file_action = KEEP_LOGS', auditd, flags=re.MULTILINE)
+    # xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
+    auditd = re.sub(r'^space_left_action = .+$', 'space_left_action = EMAIL', auditd, flags=re.MULTILINE)
+    # xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
+    auditd = re.sub(r'^admin_space_left_action = .+$', 'admin_space_left_action = suspend', auditd, flags=re.MULTILINE)
+    with open('/etc/audit/auditd.conf', 'w') as f:
+        f.write(auditd)
+

packer/scylla.json

@@ -182,13 +182,24 @@
       "source": "scylla_install_image",
       "type": "file"
     },
+    {
+      "destination": "/tmp/",
+      "source": "apply_cis_rules",
+      "type": "file"
+    },
     {
       "inline": [
         "sudo /usr/bin/cloud-init status --wait",
         "sudo /home/{{user `ssh_username`}}/scylla_install_image --target-cloud {{build_name}} --scylla-version {{user `scylla_full_version`}} {{user `install_args`}}"
       ],
       "type": "shell"
     },
+    {
+      "inline": [
+        "sudo /tmp/apply_cis_rules --target-cloud {{build_name}}"
+      ],
+      "type": "shell"
+    },
     {
       "source": "/home/{{user `ssh_username`}}/{{user `product`}}-{{build_name}}-kernel-{{user `scylla_full_version`}}-{{user `arch`}}.txt",
       "destination": "build/",