Version information
released Oct 26th 2017
This version is compatible with:
- Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 3.8.0
Start using this module
Add this module to your Puppetfile:
mod 'eyp-audit', '0.1.14'
eyp/audit — version 0.1.14 Oct 26th 2017
audit
Table of Contents
Overview
Basic auditd support
Module Description
Basic support for auditd.
Setup
What audit affects
This module manages:
- audit package
- audit service
- /etc/audit/audit.rules
Setup Requirements
This module requires pluginsync to be enabled.
To be able to manage logrotate files it needs eyp-logrotate.
Beginning with audit
It should work out of the box:
class { 'audit': }
Usage
Add default rules:
class { 'audit': }
TTY audit:
class { 'audit': }
class { 'audit::tty': }
Reference
classes
audit
- buffers: number of audit buffers kept so that events survive stress (default: 320)
- add_default_rules: add the default rules listed below; the arch=b64 rules are applied only where applicable, and the same goes for the /etc/sysconfig/network watch (default: true)
- manage_logrotate: add logrotate config file (default: true)
- logrotate_rotate (default: '4')
- logrotate_compress (default: true)
- logrotate_missingok (default: true)
- logrotate_notifempty (default: true)
- logrotate_frequency (default: 'weekly')
-w /var/tmp -p x
-w /tmp -p x
-w /home -p x
#Record Events That Modify Date and Time Information
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
#Record Events That Modify User/Group Information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
#Record Events That Modify the System's Network Environment
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
#Collect Login and Logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/btmp -p wa -k session
#Collect Session Initiation Information
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
#Collect Discretionary Access Control Permission Modification Events
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Collect Unsuccessful Unauthorized Access Attempts to Files
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
#Collect mount system call by non-privileged user
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
#Collect File Deletion Events by User
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
#Collect Changes to System Administration Scope
-w /etc/sudoers -p wa -k scope
#Collect Kernel Module Loading and Unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
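As an added check, not part of the module: a small Python lint over a copy of the rule set above. It flags watches with no `-k` key (which `ausearch -k` cannot select), `auid>=` thresholds that differ from the host's UID_MIN (the rules above use 500, while many newer distributions set UID_MIN to 1000 in /etc/login.defs), and arch=b64 syscall rules with no arch=b32 counterpart carrying the same key. The excerpt is constructed from the README; its b32 clock_settime line is deliberately left out so the pairing check has something to report.

```python
import re
import shlex

# Constructed excerpt of the module's default rules (copied from the README,
# minus the b32 clock_settime line so the pairing check fires).
RULES = """\
-w /var/tmp -p x
-w /tmp -p x
#Record Events That Modify Date and Time Information
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
#Collect mount system call by non-privileged user
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-w /etc/sudoers -p wa -k scope
"""

def parse_rule(line):
    """Turn one auditctl rule into a dict: single-valued flags plus -S/-F collections."""
    rule = {"line": line, "syscalls": set(), "filters": []}
    toks = shlex.split(line)
    for flag, val in zip(toks[0::2], toks[1::2]):
        if flag == "-S":
            rule["syscalls"].add(val)
        elif flag == "-F":
            rule["filters"].append(val)
        else:
            rule[flag] = val
    return rule

def arch(rule):
    """Return 'b64'/'b32' from an arch= filter, or None for watches."""
    return next((f[5:] for f in rule["filters"] if f.startswith("arch=")), None)

def lint(text, uid_min=500):
    """Findings: unkeyed rules, auid thresholds != uid_min, b64 rules with no b32 twin."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]
    findings = []
    for r in rules:
        if "-k" not in r:  # no key: invisible to ausearch -k / aureport -k
            findings.append(f"unkeyed: {r['line']}")
        for f in r["filters"]:
            m = re.fullmatch(r"auid>=(\d+)", f)
            if m and int(m.group(1)) != uid_min:
                findings.append(f"auid threshold {m.group(1)} != UID_MIN {uid_min}: {r['line']}")
        if arch(r) == "b64" and not any(arch(o) == "b32" and o.get("-k") == r.get("-k")
                                        and r["syscalls"] <= o["syscalls"] for o in rules):
            findings.append(f"no b32 counterpart: {r['line']}")
    return findings

if __name__ == "__main__":
    for finding in lint(RULES, uid_min=1000):
        print(finding)
```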
audit::tty
- disable: for each user matching one of the comma-separated glob patterns, disable TTY auditing (default: *)
- enable: for each user matching one of the comma-separated glob patterns, enable TTY auditing. This overrides any previous disable option matching the same user name on the command line. (default: *)
Limitations
Tested on:
- CentOS 5
- CentOS 6
- CentOS 7
- Ubuntu 14.04
- SLES11SP3
Development
We are pushing to have acceptance testing in place, so any new feature should come with tests that check both the presence and the absence of the feature.
Contributing
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
CHANGELOG
0.1.14
- added flag to enable logging changes of login logs
0.1.13
- added default security rules using flags to be able to enable a subset:
- log_alter_time
- log_dac
- log_netconf_changes
- log_file_deletions
- log_export_media
- log_kmod_load_unload
- log_priv_commands
0.1.12
- bugfix audit::fsrule and audit::syscallrule
0.1.11
- rules management:
- audit::syscallrule
- audit::fsrule
0.1.10
- added Ubuntu 16.04 support
0.1.9
- removed audit::tty (moved to pam::ttyaudit)
0.1.8
- added ::logrotate as a dependency
0.1.7
- fixed typo
0.1.6
- logrotate configuration file using eyp-logrotate (manage_logrotate=>false to disable)
Dependencies
- puppetlabs/stdlib (>= 1.0.0 < 9.9.9)
- puppetlabs/concat (>= 1.2.3 < 9.9.9)
- eyp/logrotate (>= 0.1.26 < 0.2.0)