Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-auditd', '8.14.4'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
- Overview
- This is a SIMP module
- Module Description
- Setup
- Usage
- Development
Overview
This module manages the Audit daemon, kernel parameters, and related subsystems.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems will be disabled by
default and must be explicitly opted into by administrators. Please review
simp_options
for details.
Module Description
You can use this module for the management of all components of auditd including configuration, service management, kernel parameters, and custom rule sets.
By default, a rule set is provided that should meet a reasonable set of operational goals for most environments.
The audit
kernel parameter may optionally be managed independently of the
rest of the module using the ::auditd::config::grub
class.
Setup
Setup Requirements
If auditd::syslog
is true
, you will need to install
simp/rsyslog as a dependency.
What Auditd Affects
- The
audit
kernel parameter- NOTE: This will be applied to all kernels in your standard grub configuration
- The auditd service
- The audid configuration in /etc/auditd.conf
- The auditd rules in /etc/audit/rules.d
- The audispd configuration in /etc/audisp/audispd.conf
- The audispd
syslog
configuration if manage_syslog_plugin is enabled. audit version 2 : /etc/audisp/plugins.d/syslog.conf audit version 3 : /etc/auditd/plugins.d/syslog.conf
Usage
Basic Usage
# Set up auditd with the default settings and SIMP default ruleset
# A message will be printed indicating that you need to reboot for this option
# to take full effect at each Puppet run until you reboot your system.
include 'auditd'
Disabling Auditd
To disable auditd at boot, set the following in hieradata:
auditd::at_boot: false
Enable/Disable sending audit event to syslog:
This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or persisted locally. Site-specific, rsyslog actions to implement filtering will likely be required to reduce this message traffic.
The setting auditd::syslog
, defaults to false
or
syslog_options::syslog
if you include simp_options
. If you set
auditd::syslog: false
, it will not necessarily disable auditd logging to
syslog, puppet will just no longer manage the syslog.conf
plugin file.
The settings needed for enabling/disabling sending audit log messages to syslog are shown below.
To enable:
auditd::syslog: true
auditd::config::audisp::syslog::enable: true
auditd::config::audisp::syslog::drop_audit_logs: false
# The setting for drop_audit_logs enabled for backwards compatability
# but should be set to false if you want auditd to log to syslog.
To disable:
auditd::syslog: true
auditd::config::audisp::syslog::enable: false
Changing Key Values
To override the default values included in the module, you can either include new values for the keys at the time that the classes are declared, or set the values in hieradata:
class { 'auditd':
ignore_failures => true,
log_group => 'root',
flush => 'INCREMENTAL'
}
auditd::ignore_failures: true
auditd::log_group: 'root'
auditd::flush: 'INCREMENTAL'
Understanding Auditd Profiles
This module supports various configurations both independently and simultaneously to meet varying end user requirements.
NOTE: The default behavior of this module is to ignore any invalid rules and apply as much of the rule set as possible. This is done so that you end up with an effective level of auditing regardless of a simply typo or conflicting rule. Please test your final rule sets to ensure that your system is auditing as expected.
The auditd::default_audit_profiles
parameter determines which profiles are
included, and in what order the rules are added to the system.
The auditd::default_audit_profiles
has a default setting of [ 'simp' ]
which applies the optimized SIMP auditing profile which is suitable for meeting
most generally available compliance requirements. It does not, however,
generally appease the scanning utilities since it optimizes the rules for
performance and most scanners cannot handle audit rule optimizations.
There are three other profiles available in the system by default:
stig
=> Applies the rules as defined in the latest covered DISA STIGcustom
=> Allows users to define their own rules easily via Hierabuilt_in
=> Allows usage of EL8+ included sample rulesets to configure system
There are a large number of parameters exposed for each profile that are meant to be set via Hiera and you should take a look at the REFERENCE.md file to understand the full capabilities of each profile.
Stacking Profiles
In some cases, you may want to combine profiles in different orders. This may either be done in order to pass a particular scanning engine or to ensure that items that are not caught by the first profile are caught by the second.
Profiles are included and ordered by passing an Array to the
auditd::default_audit_profiles
parameter and are added to auditd in the
order in which they are defined in the Array.
For example, this (the default) would only add the simp
profile:
auditd::default_audit_profiles:
- 'simp'
Likewise, this would add the stig
rules prior to the simp
profile:
auditd::default_audit_profiles:
- 'stig'
- 'simp'
The Custom Profile
Users may wish to either completely override the default profiles or prepend/append their own rules to the stack for compliance purposes.
You can easily do this via Hiera as shown in the following example:
auditd::config::audit_profiles::custom::rules:
- '-w /etc/passwd -wa -k passwd_files'
- '-w /etc/shadow -wa -k passwd_files'
To activate the custom profile, you will need to set the
auditd::default_audit_profiles
parameter as shown in the following
examples:
Override All Other Profiles
auditd::default_audit_profiles:
- 'custom'
Prepend Before the SIMP Profile
auditd::default_audit_profiles:
- 'custom'
- 'simp'
Append After the SIMP and STIG Profiles
auditd::default_audit_profiles:
- 'simp'
- 'stig'
- 'custom'
The Built-in Profile
Starting with release 3.0.0-17 on EL8 hosts, the audit package includes a number
of sample-rules
under /usr/share/audit/sample-rules
that can be used
to configure a system fairly completely. Within these rules are sets for STIG,
OSPP, etc. that can simply be moved to /etc/audit/rules.d
and compiled with
augenrules
to configure a system.
Disabling All SIMP-provided Profiles
Most likely, if using the sample rulesets from the built-in profile, you will want to disable included SIMP profiles (not necessary, but may include overlapping rules if not). To do this:
auditd::default_audit_profiles:
- 'built_in'
Enabling Sample Rulesets with Built-in Profile
To enable specific sample rulesets, simply include them in the built-in profile parameter:
auditd::config::audit_profiles::built_in::rulesets:
- 'base-config'
- 'stig'
- 'finalize'
where the ruleset names are found via the custom fact auditd_sample_rulesets
Configuring Complete Rulesets with Built-in Profile
If you are only planning to use the built_in
profile and the included sample
rulesets to configure the system, it will be worth noting that profile-specific
sample files include configuration information within comments in the files as well.
As an example, the STIG rules sample file will note that it relies on base-config
and finalize
rulesets to be feature-complete. Other rulesets will contain similar
information.
Adding One-Off Rules
Rules are alphanumerically ordered based on file-system globbing. It is
recommended that users use the auditd::rule
defined type for adding rules.
Other options are available with auditd::rule
but these are the most
commonly used.
Adding Regular Filter Rules
auditd::rule { 'failed_file_creation':
content => '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k failed_file_creation'
}
auditd::rule { 'passwd_file_watches':
content => [
'-w /etc/passwd -wa -k passwd_files',
'-w /etc/shadow -wa -k passwd_files'
]
}
Prepend and Drop Everything From a User
This will make your rule land in the 00
set of rules.
auditd::rule { 'pre_drop_user_5000':
content => '-a exit,never -F auid=5000',
prepend => true
}
Development
Please read our Contribution Guide
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes
BEAKER_debug
: show the commands being run on the STU and their output.BEAKER_destroy=no
: prevent the machine destruction after the tests finish so you can inspect the state.BEAKER_provision=no
: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.BEAKER_use_fixtures_dir_for_modules=yes
: cause all module dependencies to be loaded from thespec/fixtures/modules
directory, based on the contents of.fixtures.yml
. The contents of this directory are usually populated bybundle exec rake spec_prep
. This can be used to run acceptance tests to run on isolated networks.BEAKER_fips=yes
: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
auditd
: Configure the audit daemon for use with a specified audit profile.auditd::config
: This class is called from auditd for service config.auditd::config::audisp
: Configures the audit dispatcher primarily for sending audit logs directly to syslog without intervention.auditd::config::audisp::syslog
: Utilizes rsyslog to send all audit records to syslog.auditd::config::audisp_service
: Notify auditd to restart to ensure the process for audisp is running.auditd::config::audit_profiles
: Provides global audit rule configuration and a base set of audit rules based on the built-in audit profile(s).auditd::config::audit_profiles::built_in
: An audit profile that allows the use of sample rulesets included with the audit package to be used to configure a system.auditd::config::audit_profiles::custom
: A set of user specified rules in a form that is easy to manipulate via Hieraauditd::config::audit_profiles::simp
: A set of general purpose audit rules that should meet most security policy requirementsauditd::config::audit_profiles::stig
: A set of audit rules that are configured to satisfy DISA STIG compliance checks for EL7.auditd::config::grub
: Enables/disables auditing at boot time.auditd::config::logging
: Ensures that plugin for syslog is installed so audit events can be sent to syslog in addition the audit partition.auditd::install
: Install the auditd packagesauditd::service
: Ensure that the auditd service is running
Defined types
auditd::rule
: Add rules to the audit daemon.
Functions
auditd::calculate_space_left
: Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.auditd::get_array_index
: Returns a string that represents the first index of the specified element within the Array.auditd::validate_init_params
: Validates selected params from the main auditd class.
Data types
Auditd::AuditProfile
: Matches the types of auditd profiles allowedAuditd::DiskErrorAction
: Matches disk error actions in auditd.confAuditd::DiskFullAction
: Matches actions to take when disk is full (see auditd.conf)Auditd::Flush
: Matches actions flush in auditd.confAuditd::LogFacility
: Matches log facility that can be used in syslog.conf pluginAuditd::LogFormat
: Matches log formats that can be used in auditd.confAuditd::LogPriority
: Matches log priorities that can be used in syslog.conf pluginAuditd::MaxLogFileAction
: Matches available matches for maxlogfileaction in auditd.confAuditd::NameFormat
: Matche s available name formats in audotd.confAuditd::OverflowAction
: Matches overflow_action settings in auditd.conf or audisp.confAuditd::RootAuditLevel
: Matches root audit level settings in auditd.confAuditd::SpaceLeftAction
: Matches spaceleftaction for auditd.conf
Classes
auditd
Any variable that is not described here can be found in auditd.conf(5) and auditctl(8).
- See also
- auditd.conf(5)
- auditctl(8)
Parameters
The following parameters are available in the auditd
class:
enable
default_audit_profile
default_audit_profiles
audit_auditd_config
lname
ignore_anonymous
ignore_crond
ignore_time_daemons
ignore_crypto_key_user
ignore_errors
ignore_failures
ignore_system_services
action_mail_acct
admin_space_left
admin_space_left_action
at_boot
buffer_size
backlog_wait_time
disk_error_action
disk_full_action
disp_qos
dispatcher
failure_mode
flush
freq
immutable
log_file
local_events
log_format
log_group
loginuid_immutable
max_log_file
max_log_file_action
max_restarts
name_format
num_logs
overflow_action
package_name
package_ensure
plugin_dir
priority_boost
q_depth
rate
root_audit_level
service_name
space_left
space_left_action
syslog
target_selinux_types
uid_min
verify_email
write_logs
purge_auditd_rules
enable
Data type: Boolean
If true, enable auditing.
Default value: true
default_audit_profile
Data type: Optional[Variant[Enum['simp'],Boolean]]
Deprecated by $default_audit_profiles
Default value: undef
default_audit_profiles
Data type: Array[Auditd::AuditProfile]
The built-in audit profile(s) to use to provide global audit rule configuration (error handling, buffer size, etc.) and a base set of audit rules.
- When more than one profile is specified, the profile rules are effectively concatenated in the order the profiles are listed.
- To add rules to the base set, use
auditd::rule
. - To manage the audit rules, yourself, set this parameter to
[]
. - @see
auditd::config::audit_profiles
for more details about this configuration.
Default value: [ 'simp' ]
audit_auditd_config
Data type: Boolean
Set up an audit rule to audit the auditd
configuration files.
Default value: true
lname
Data type: String
An alias for the name
variable in the configuration file. This is used
since $name
is a reserved keyword in Puppet.
Default value: $facts['networking']['fqdn']
ignore_anonymous
Data type: Boolean
For built-in audit profiles, whether to drop anonymous and daemon
events, i.e., events for which auid
is '-1' (aka 'unset').
Audit records from these events are prolific but not useful.
Default value: true
ignore_crond
Data type: Boolean
For built-in audit profiles, whether to drop events related to cron
jobs. cron
creates a lot of audit events that are not usually useful.
Default value: true
ignore_time_daemons
Data type: Boolean
Ignore time modifications by time daemons that are running on the system since this is valid activity.
Default value: true
ignore_crypto_key_user
Data type: Boolean
Ignore CRYPTO_KEY_USER logs since these are generally noise.
Default value: true
ignore_errors
Data type: Boolean
Whether to set the auditctl
'-i' option
Default value: true
ignore_failures
Data type: Boolean
Whether to set the auditctl
'-c' option
Default value: true
ignore_system_services
Data type: Boolean
For built-in audit profiles, whether to ignore system service events,
i.e., events for which the auid
is set but is less than the
minimum UID for human users on the system. In most security guides,
this filter is attached to every system call rule. So, by implementing
the filter in an upfront drop rule, this feature provides optimization
of that filtering.
Default value: true
action_mail_acct
Data type: String[1]
Default value: 'root'
admin_space_left
Data type: Variant[Integer[0],Pattern['^\d+%$']]
Default value: 50
admin_space_left_action
Data type: Auditd::SpaceLeftAction
Default value: 'rotate'
at_boot
Data type: Boolean
If true, modify the Grub settings to enable auditing at boot time.
Default value: true
buffer_size
Data type: Integer[0]
Value of the auditctl
'-b' option
Default value: 16384
backlog_wait_time
Data type: Optional[Integer[1,600000]]
Default value: undef
disk_error_action
Data type: Auditd::DiskErrorAction
Default value: 'syslog'
disk_full_action
Data type: Auditd::DiskFullAction
Default value: 'rotate'
disp_qos
Data type: Enum['lossy','lossless']
auditd
version 2 only
Default value: 'lossy'
dispatcher
Data type: Stdlib::Absolutepath
auditd
version 2 only
Default value: '/sbin/audispd'
failure_mode
Data type: Integer[0]
Value of the auditctl
'-f' option
Default value: 1
flush
Data type: Auditd::Flush
Default value: 'incremental'
freq
Data type: Integer[0]
Default value: 20
immutable
Data type: Boolean
Whether or not to make the configuration immutable when using built-in audit profiles. Be aware that, should you choose to make the configuration immutable, you will not be able to change your audit rules without a reboot.
Default value: false
log_file
Data type: Stdlib::Absolutepath
Default value: '/var/log/audit/audit.log'
local_events
Data type: Optional[Boolean]
auditd
version 3 only
Default value: undef
log_format
Data type: Auditd::LogFormat
The output log format
- 'NOLOG' is deprecated as of auditd 2.5.2
- 'ENRICHED' is only available in auditd >= 2.6.0
Default value: 'raw'
log_group
Data type: String
Default value: 'root'
loginuid_immutable
Data type: Boolean
Sets the --loginuid-immutable option
- This has been noted to potentially cause issues with some types of containers but a concrete explanation of what types has not yet been found.
Default value: true
max_log_file
Data type: Integer[0]
Default value: 24
max_log_file_action
Data type: Auditd::MaxLogFileAction
Default value: 'rotate'
max_restarts
Data type: Optional[Integer[1]]
sets the number of times a plugin will be restart.
Default value: undef
name_format
Data type: Auditd::NameFormat
Default value: 'user'
num_logs
Data type: Integer[0]
Default value: 5
overflow_action
Data type: Optional[Auditd::Overflowaction]
sets the overflow action.
Default value: undef
package_name
Data type: String[1]
The name of the auditd package.
Default value: 'audit'
package_ensure
Data type: Simplib::PackageEnsure
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
plugin_dir
Data type: Stdlib::Absolutepath
sets the directory for the plugin configuration files.
priority_boost
Data type: Integer[0]
Default value: 3
q_depth
Data type: Integer[0]
how big to make the internal queue of the audit event dispatcher
Default value: 400
rate
Data type: Integer[0]
Value of the auditctl
'-r' option
Default value: 0
root_audit_level
Data type: Auditd::RootAuditLevel
What level of auditing should be used for su-root activity in built-in audit profiles that provide su-root rules. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options can be, 'basic', 'aggressive', 'insane'. For the 'simp' audit profile, these options are as follows:
- Basic: Safe syscall rules, should not follow program execution outside of the base app
- Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
- Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir
Default value: 'basic'
service_name
Data type: String[1]
The name of the auditd service.
Default value: 'auditd'
space_left
Data type: Variant[Integer[0],Pattern['^\d+%$']]
Must be larger than $admin_space_left
.
- If
$admin_space_left
is anInteger
, will be set to30 + $admin_space_left
- If
$admin_space_left
is a percentage (auditd >= 2.8.5), will be set to1% + $admin_space_left
Default value: auditd::calculate_space_left($admin_space_left)
space_left_action
Data type: Auditd::SpaceLeftAction
Default value: 'syslog'
syslog
Data type: Boolean
If true, manage the settings for the syslog plugin It was left defaulted to simp_options::syslog value for backwards compatability. This does not activate/deactivate the plugin. That setting is in the auditd::config::audisp::syslog::enable setting. If syslog is set to true, by default it will enable the syslog plugin in order to be backwards compatable. If you want to ensure the plugin is disabled, set auditd::config::audisp::syslog::enable to false. If this is set to false the plugin settings are not managed by puppet.
Default value: simplib::lookup('simp_options::syslog', {'default_value' => false })
target_selinux_types
Data type: Optional[Array[Pattern['^.*_t$']]]
A list of SELinux types to target, all others will be dropped
For systems that require all users and processes to be in a confined namespace, you may find that only auditing unconfined types will be sufficient since all other invalid system actions are already audited.
Default value: undef
uid_min
Data type: Integer[0]
The minimum UID for human users on the system. For built-in audit profiles
when $ignore_system_services
is true, any audit events generated
by users below this number will be ignored, unless a corresponding rule
is inserted before the UID-limiting rule in the rules list. When using
auditd::rule
, you can create such a rule by setting the absolute
parameter to be 'first'.
Default value: Integer(pick(fact('uid_min'), 1000))
verify_email
Data type: Optional[Boolean]
auditd version 3 only
Default value: undef
write_logs
Data type: Boolean
Whether or not to write logs to disk.
- The
NOLOG
option onlog_format
has been deprecated in newer versions ofauditd
so this attempts to do "the right thing" whenlog_format
is set toNOLOG
for legacy support.
Default value: $log_format ? { /^(?i:nolog)$/ => false, default => true
purge_auditd_rules
Data type: Boolean
Whether or not to purge existing auditd rules under /etc/audit/rules.d
Default value: true
auditd::config
NOTE: THIS IS A PRIVATE CLASS**
auditd::config::audisp
The following parameters are documented in audispd.conf(5).
These settings are deprecated and will be removed in the next major release of auditd and are here for backwards compatability.
In auditd version 3 these settings were moved to auditd.conf and audisp.conf was deprecated. For this reason they are set in the init.pp module with the other auditd.conf values also. If you are trying to set these values for auditd version 3 then you must set them there. These settings are aliased in hiera to auditd settings so you can move your settings for these parameters to auditd::* now to ensure compatability with future major releases but settings in hiera that are already exist will still work. The following setting maps to the name variable in audisp.conf.
Parameters
The following parameters are available in the auditd::config::audisp
class:
q_depth
Data type: Integer
(deprecated)
overflow_action
Data type: Auditd::OverflowAction
(deprecated)
priority_boost
Data type: Integer
(deprecated)
max_restarts
Data type: Integer
(deprecated)
name_format
Data type: Auditd::NameFormat
(deprecated)
specific_name
Data type: String
Default value: $facts['networking']['fqdn']
auditd::config::audisp::syslog
This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or (inadvertently) persisted locally. Site-specific, rsyslog actions to implement filtering will likely be required to reduce this message traffic.
If you are using simp_rsyslog, it, by default, sets up a rsyslog rule to drop the audispd messages from being written locally to prevent duplication of logging audit events on the local system. See simp_rsyslog::local for more information.
It is also recommend you ensure any forwarded, audit messages are encrypted using the stunnel module, due to the nature of the information carried by these messages.
Parameters
The following parameters are available in the auditd::config::audisp::syslog
class:
rsyslog
Data type: Boolean
(deprecated)
If set, enable the SIMP rsyslog
module and set up the appropriate rules
for the auditd
services.
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })
drop_audit_logs
Data type: Boolean
(deprecated) When set to false, auditd records will be forwarded to remote servers and/or written to local syslog files, as directed by the site rsyslog configuration. This setting is not needed any more. If you want to disable/enable sending audit records to syslog, set the 'enable' parameter in this module to false/true as appropriate. It is left here for backwards compatability but will not be in the next major release.
Default value: true
enable
Data type: Boolean
Enable or disable sending audit mesages to syslog.
Default value: true
priority
Data type: Auditd::LogPriority
The syslog priority for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file.
Default value: 'LOG_INFO'
facility
Data type: Auditd::LogFacility
The syslog facility for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file. For the older auditd versions used by CentOS6 and CentOS7, must be an empty string, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, or LOG_LOCAL7. An empty string results in LOG_USER and is the ONLY mechanism to specify that facility. No other facilities are allowed.
Default value: 'LOG_LOCAL5'
syslog_path
Data type: String
The path to the syslog plugin executable.
type
Data type: String
The type of auditd plugin.
pkg_name
Data type: Optional[String]
The name of the plugin package to install. Only needed for auditd version 3 and later.
Default value: undef
package_ensure
Data type: String
The default ensure parmeter for packages.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
auditd::config::audisp_service
NOTE: THIS IS A PRIVATE CLASS**
Should only be called from audisp processing services.
auditd::config::audit_profiles
NOTE: THIS IS A PRIVATE CLASS**
The configuration generated is contained in a set of files in
/etc/audit/rules.d
, which augenrules
parses for auditd
in
natural sort order, to create a single /etc/audit/auditd.rules
file. The generated files are as follows:
00_head.rules
: Containsauditctl
general configuration to remove existing rules when the rules are reloaded, ignore rule load errors/failures, and set the buffer size, failure mode, and rate limiting05_default_drop.rules
: Contains filtering rules for efficiency- Rules to drop prolific events of low-utility
- Rules to restrict events based on
auid
constraints that would normally be applied to all rules
50_*base.rules
:- Nominal base rules for one or more built-in profiles.
- One file will exist for each desired, built-in profile
- Files are named so that the ordering of profiles listed
in
$auditd::default_audit_profiles
is preserved - The corresponding class for each profile is
auditd::config::audit_profiles::<profile name>
60_custom.rules
: Custom rules as defined by theauditd::custom_rules
parameter if appending75.init.d_auditd.rules
:- A watch rule for
/etc/rc.d/init.d/auditd
permissions changes - A watch rule for permissions changes to the
auditd
log file
- A watch rule for
75.rotated_audit_logs.rules
- Watch rules for permissions changes to the rotated
auditd
log files
- Watch rules for permissions changes to the rotated
99_tail.rules
auditctl
immutable option, when$auditd::immutable
is 'true'
auditd::config::audit_profiles::built_in
An audit profile that allows the use of sample rulesets included with the audit package to be used to configure a system.
Parameters
The following parameters are available in the auditd::config::audit_profiles::built_in
class:
rulesets
Data type: Array[String[1]]
The list of system sample rulesets to be included on the system. This list
can be found in the auditd_sample_rulesets
fact.
Default value: []
auditd::config::audit_profiles::custom
NO SANITY CHECKING IS PERFORMED ON THE RESULTING RULES
Examples
Passing an Array of Rules
---
auditd::config::audit_profiles::custom::rules:
- "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k unsuccessful_file_operations"
- "-w /etc/passwd -p wa -k passwd_changes"
Passing an EPP Template
---
auditd::config::audit_profiles::custom::template: "my_templates_module/auditd/my_audit_rules.epp"
Passing an ERB Template
---
auditd::config::audit_profiles::custom::template: "my_templates_module/auditd/my_audit_rules.erb"
Parameters
The following parameters are available in the auditd::config::audit_profiles::custom
class:
rules
Data type: Optional[Array[String[1]]]
An Array of rules that will be joined with a \n
and inserted as the
complete audit rule set to be applied to the system.
Default value: undef
template
Data type: Optional[String[1]]
A template specification as you would pass to either the epp
or erb
function
- Specifying both
rules
andtemplate
will result in an error
Default value: undef
auditd::config::audit_profiles::simp
The defaults for this profile generate a set of audit rules that are both usable on most systems and conformant with standard auditing requirements. A few key usage/implementation details about this profile should be noted:
- This profile uses optimized audit rules. Specifically, it
- Combines system call rules as much as possible
- By default, uses initial drop rules for the
auid
filters that would be otherwise applied to all system call rules - By default, uses an initial drop rule for cron events that are prolific, but whose audit records are of very limited utility
- Although all security requirements allow optimization of audit rules, most of the automated security scanners do not yet understand audit rule optimizations. So, use of this profile may require explanation of these simple, yet effective, optimizations.
- You may overload your system and/or log server, if you enable the highly-prolific, but limited-utility audit capabilities that have been intentionally disabled, here, despite being required by specific security standards. 'chmod' auditing for all non-service users is an example of such a capability.
- In some cases, the more targeted set of rules for non-service users
that have su'd to root may provide a viable subset of required auditing.
This targeting filtering is enabled by
$audit_su_root_activity
and customized by$root_audit_level
,$basic_root_audit_syscalls
,$aggressive_root_audit_syscalls, and
$insane_root_audit_syscalls`.
Parameters
The following parameters are available in the auditd::config::audit_profiles::simp
class:
root_audit_level
audit_32bit_operations
audit_32bit_operations_tag
audit_auditd_cmds
audit_auditd_cmds_tag
audit_auditd_cmds_list
basic_root_audit_syscalls
aggressive_root_audit_syscalls
insane_root_audit_syscalls
audit_unsuccessful_file_operations
audit_unsuccessful_file_operations_tag
audit_chown
audit_chown_tag
audit_chmod
audit_chmod_tag
audit_attr
audit_attr_tag
audit_rename_remove
audit_rename_remove_tag
audit_su_root_activity
audit_su_root_activity_tag
audit_suid_sgid
audit_suid_sgid_tag
audit_kernel_modules
audit_kernel_modules_tag
audit_time
audit_time_tag
audit_locale
audit_locale_tag
audit_network_ipv4_accept
audit_network_ipv4_accept_tag
audit_network_ipv6_accept
audit_network_ipv6_accept_tag
audit_network_ipv4_connect
audit_network_ipv4_connect_tag
audit_network_ipv6_connect
audit_network_ipv6_connect_tag
audit_mount
audit_mount_tag
audit_umask
audit_umask_tag
audit_local_account
audit_local_account_tag
audit_selinux_policy
audit_selinux_policy_tag
audit_selinux_cmds
audit_selinux_cmds_tag
audit_login_files
audit_login_files_tag
audit_session_files
audit_session_files_tag
audit_sudoers
audit_sudoers_tag
audit_cfg_sudoers
audit_cfg_sudoers_tag
audit_grub
audit_grub_tag
audit_cfg_grub
audit_cfg_grub_tag
audit_cfg_sys
audit_cfg_sys_tag
audit_cfg_cron
audit_cfg_cron_tag
audit_cfg_shell
audit_cfg_shell_tag
audit_cfg_pam
audit_cfg_pam_tag
audit_cfg_security
audit_cfg_security_tag
audit_cfg_services
audit_cfg_services_tag
audit_cfg_xinetd
audit_cfg_xinetd_tag
audit_yum
audit_yum_tag
audit_cfg_yum
audit_cfg_yum_tag
audit_yum_cmd
audit_yum_cmd_tag
audit_rpm_cmd
audit_rpm_cmd_tag
audit_ptrace
audit_ptrace_tag
audit_personality
audit_personality_tag
audit_passwd_cmds
audit_passwd_cmds_tag
audit_priv_cmds
audit_priv_cmds_tag
audit_postfix_cmds
audit_postfix_cmds_tag
audit_ssh_keysign_cmd
audit_ssh_keysign_cmd_tag
audit_suspicious_apps
audit_suspicious_apps_tag
audit_suspicious_apps_list
audit_systemd
audit_systemd_tag
audit_crontab_cmd
audit_crontab_cmd_tag
audit_pam_timestamp_check_cmd
audit_pam_timestamp_check_cmd_tag
root_audit_level
Data type: Auditd::RootAuditLevel
What level of auditing should be used for su-root activity. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options can be, 'basic', 'aggressive', 'insane'
- Basic: Safe syscall rules, should not follow program execution outside of the base app
- Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
- Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir
Default value: $::auditd::root_audit_level
audit_32bit_operations
Data type: Boolean
In general, any 32bit system calls on a 64bit systems should be seen as suspicious.
Default value: $facts['os']['hardware'] ? { 'x86_64' => true, default => false
audit_32bit_operations_tag
Data type: String[1]
Tag to be added to entries triggered by audit_32bit_operations
Default value: '32bit-api'
audit_auditd_cmds
Data type: Boolean
Audit calls to the auditd management CLI commands
Default value: true
audit_auditd_cmds_tag
Data type: String[1]
Tag to be added to entries triggered by audit_auditd_cmds
Default value: 'access-audit-trail'
audit_auditd_cmds_list
Data type: Array[String[1]]
Commands to be audited if enabled by audit_auditd_cmds
basic_root_audit_syscalls
Data type: Array[String[1]]
Basic syscalls to audit for su-root activity
aggressive_root_audit_syscalls
Data type: Array[String[1]]
Aggressive syscalls to audit for su-root activity
insane_root_audit_syscalls
Data type: Array[String[1]]
Insane syscalls to audit for su-root activity
audit_unsuccessful_file_operations
Data type: Boolean
Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes
Default value: true
audit_unsuccessful_file_operations_tag
Data type: String[1]
The tag to identify the unsuccessful file operations in an audit record
Default value: 'access'
audit_chown
Data type: Boolean
Whether to audit chown
operations for all non-service users.
These operations are provided by chown
, fchown
, fchownat
,
and lchown
system calls.
Default value: true
audit_chown_tag
Data type: String[1]
The tag to identify chown
operations in an audit record.
You should change this to 'perm_mod' to match automated DISA STIG
compliance checks for RHEL7.
Default value: 'chown'
audit_chmod
Data type: Boolean
Whether to audit chmod
operations for all non-service users.
These operations are provided by chmod
, fchmod
, and fchmodat
system calls.
Default value: false
audit_chmod_tag
Data type: String[1]
The tag to identify chmod
operations in an audit record.
You should change this to 'perm_mod' to match automated DISA STIG
compliance checks for RHEL7.
Default value: 'chmod'
audit_attr
Data type: Boolean
Whether to audit xattr
operations for all non-service users.
These operations are provided by setxattr
, lsetxattr
, fsetxattr
,
removexattr
, lremovexattr
and fremovexattr
system calls.
Default value: true
audit_attr_tag
Data type: String[1]
The tag to identify xattr
operations in an audit record.
You should change this to 'perm_mod' to match automated DISA STIG
compliance checks for RHEL7.
Default value: 'attr'
audit_rename_remove
Data type: Boolean
Whether to audit rename/remove operations for all non-service users.
These operations are provided by rename
, renameat
, rmdir
,
unlink
, and unlinkat
system calls.
Default value: false
audit_rename_remove_tag
Data type: String[1]
The tag to identify rename/remove operations in an audit record
Default value: 'delete'
audit_su_root_activity
Data type: Boolean
Whether to audit other useful actions someone does when su'ing to root.
The list of system calls audited is controlled by $root_audit_level
.
Default value: true
audit_su_root_activity_tag
Data type: String[1]
The tag to identify su
operations in an audit record
Default value: 'su-root-activity'
audit_suid_sgid
Data type: Boolean
Whether to audit setuid
/setgid
commands.
setuid
/setgid
command execution is audited by a single system call
rule.
Default value: true
audit_suid_sgid_tag
Data type: String[1]
The tag to identify setuid
/setgid
command execution in an audit
record. You should change this to 'setuid/setgid' to match automated
DISA STIG compliance checks for RHEL7.
Default value: 'suid-exec'
audit_kernel_modules
Data type: Boolean
Whether to audit kernel module operations
Default value: true
audit_kernel_modules_tag
Data type: String[1]
The tag to identify kernel module operations in an audit record. You should change this to 'module-change' to match automated DISA STIG compliance checks for RHEL7.
Default value: 'modules'
audit_time
Data type: Boolean
Whether to audit operations that affect system time
Default value: true
audit_time_tag
Data type: String[1]
The tag to identify system time operations in an audit record
Default value: 'audit_time_rules'
audit_locale
Data type: Boolean
Whether to audit operations that affect system locale
Default value: true
audit_locale_tag
Data type: String[1]
The tag to identify system locale operations in an audit record
Default value: 'audit_network_modifications'
audit_network_ipv4_accept
Data type: Boolean
Audit incoming IPv4 connections
Default value: true
audit_network_ipv4_accept_tag
Data type: String[1]
Tag to be added to entries triggered by audit_network_ipv4_accept
Default value: 'ipv4_in'
audit_network_ipv6_accept
Data type: Boolean
Audit incoming IPv6 connections
Default value: true
audit_network_ipv6_accept_tag
Data type: String[1]
Tag to be added to entries triggered by audit_network_ipv6_accept
Default value: 'ipv6_in'
audit_network_ipv4_connect
Data type: Boolean
Audit outgoing IPv4 connections
Default value: false
audit_network_ipv4_connect_tag
Data type: String[1]
Tag to be added to entries triggered by audit_network_ipv4_connect
Default value: 'ipv4_in'
audit_network_ipv6_connect
Data type: Boolean
Audit outgoing IPv6 connections
Default value: false
audit_network_ipv6_connect_tag
Data type: String[1]
Tag to be added to entries triggered by audit_network_ipv6_connect
Default value: 'ipv6_in'
audit_mount
Data type: Boolean
Whether to audit mount operations
Default value: true
audit_mount_tag
Data type: String[1]
The tag to identify mount operations in an audit record. You should change this to 'privileged-mount' to match automated DISA STIG compliance checks for RHEL7.
Default value: 'mount'
audit_umask
Data type: Boolean
Whether to audit umask changes
Default value: false
audit_umask_tag
Data type: String[1]
The tag to identify umask changes in an audit record
Default value: 'umask'
audit_local_account
Data type: Boolean
Whether to audit local account changes
Default value: true
audit_local_account_tag
Data type: String[1]
The tag to identify local account changes in an audit record. You should change this to 'identity' to match the automated DISA STIG compliance checks for RHEL7.
Default value: 'audit_account_changes'
audit_selinux_policy
Data type: Boolean
Whether to audit selinux policy changes
Default value: true
audit_selinux_policy_tag
Data type: String[1]
The tag to identify selinux policy changes in an audit record
Default value: 'MAC-policy'
audit_selinux_cmds
Data type: Boolean
Whether to audit chcon
, semanage
, setsebool
, and setfiles
commands
Default value: false
audit_selinux_cmds_tag
Data type: String[1]
The tag to identify selinux command execution in an audit record
Default value: 'privileged-priv_change'
audit_login_files
Data type: Boolean
Whether to audit changes to login files
Default value: true
audit_login_files_tag
Data type: String[1]
The tag to identify login file changes in an audit record
Default value: 'logins'
audit_session_files
Data type: Boolean
Whether to audit changes to session files
Default value: true
audit_session_files_tag
Data type: String[1]
The tag to identify session file changes in an audit record
Default value: 'session'
audit_sudoers
Data type: Optional[Boolean]
Deprecated by $audit_cfg_sudoers
Default value: undef
audit_sudoers_tag
Data type: Optional[String[1]]
Deprecated by $audit_cfg_sudoers_tag
Default value: undef
audit_cfg_sudoers
Data type: Boolean
Whether to audit changes to sudoers configuration files
Default value: true
audit_cfg_sudoers_tag
Data type: String[1]
The tag to identify sudoers configuration file changes in an audit record. You should change this to 'privileged-actions' to match the automated DISA STIG compliance checks for RHEL7.
Default value: 'CFG_sys'
audit_grub
Data type: Optional[Boolean]
Deprecated by $audit_cfg_grub
Default value: undef
audit_grub_tag
Data type: Optional[String[1]]
Deprecated by $audit_cfg_grub_tag
Default value: undef
audit_cfg_grub
Data type: Boolean
Whether to audit changes to grub configuration files
Default value: true
audit_cfg_grub_tag
Data type: String[1]
The tag to identify grub configuration file changes in an audit record
Default value: 'CFG_grub'
audit_cfg_sys
Data type: Boolean
Whether to audit changes to key system configuration files not otherwise audited
Default value: true
audit_cfg_sys_tag
Data type: String[1]
The tag to identify changes to key system configuration files not otherwise audited
Default value: 'CFG_sys'
audit_cfg_cron
Data type: Boolean
Whether to audit changes to cron configuration files
Default value: true
audit_cfg_cron_tag
Data type: String[1]
The tag to identify cron configuration file changes in an audit record
Default value: 'CFG_cron'
audit_cfg_shell
Data type: Boolean
Whether to audit changes to global shell configuration files
Default value: true
audit_cfg_shell_tag
Data type: String[1]
The tag to identify global shell configuration file changes in an audit record
Default value: 'CFG_shell'
audit_cfg_pam
Data type: Boolean
Whether to audit changes to PAM configuration files
Default value: true
audit_cfg_pam_tag
Data type: String[1]
The tag to identify PAM configuration file changes in an audit record
Default value: 'CFG_pam'
audit_cfg_security
Data type: Boolean
Whether to audit changes to /etc/security
Default value: true
audit_cfg_security_tag
Data type: String[1]
The tag to identify /etc/security
file changes in an audit record
Default value: 'CFG_security'
audit_cfg_services
Data type: Boolean
Whether to audit changes to /etc/services
Default value: true
audit_cfg_services_tag
Data type: String[1]
The tag to identify /etc/services
file changes in an audit record
Default value: 'CFG_services'
audit_cfg_xinetd
Data type: Boolean
Whether to audit changes to xinetd configuration files
Default value: true
audit_cfg_xinetd_tag
Data type: String[1]
The tag to identify xinetd configuration file changes in an audit record
Default value: 'CFG_xinetd'
audit_yum
Data type: Optional[Boolean]
Deprecated by $audit_cfg_yum
Default value: undef
audit_yum_tag
Data type: Optional[String[1]]
Deprecated by $audit_cfg_yum_tag
Default value: undef
audit_cfg_yum
Data type: Boolean
Whether to audit changes to yum configuration files
Default value: true
audit_cfg_yum_tag
Data type: String[1]
The tag to identify yum configuration file changes in an audit record
Default value: 'yum-config'
audit_yum_cmd
Data type: Boolean
Whether to audit yum
command execution
Default value: false
audit_yum_cmd_tag
Data type: String[1]
The tag to identify yum
command execution in an audit record
Default value: 'package_changes'
audit_rpm_cmd
Data type: Boolean
Whether to audit rpm
command execution
Default value: false
audit_rpm_cmd_tag
Data type: String[1]
The tag to identify rpm
command execution in an audit record
Default value: 'package_changes'
audit_ptrace
Data type: Boolean
Whether to audit ptrace
system calls
Default value: true
audit_ptrace_tag
Data type: String[1]
The tag to identify ptrace
system calls in an audit record
Default value: 'paranoid'
audit_personality
Data type: Boolean
Whether to audit personality
system calls
Default value: true
audit_personality_tag
Data type: String[1]
The tag to identify personality
system calls in an audit record
Default value: 'paranoid'
audit_passwd_cmds
Data type: Boolean
Whether to audit the execution of password commands, i.e., passwd
,
unix_chkpwd
, gpasswd
, chage
, userhelper
Default value: true
audit_passwd_cmds_tag
Data type: String[1]
The tag to identify password command execution in an audit record
Default value: 'privileged-passwd'
audit_priv_cmds
Data type: Boolean
Whether to audit the execution of privilege-related commands, i.e.,
su
, sudo
, newgrp
, chsh
, and sudoedit
Default value: true
audit_priv_cmds_tag
Data type: String[1]
The tag to identify privilege-related command execution in an audit record
Default value: 'privileged-priv_change'
audit_postfix_cmds
Data type: Boolean
Whether to audit the execution of postfix-related commands, i.e.
postdrop
and postqueue
Default value: true
audit_postfix_cmds_tag
Data type: String[1]
The tag to identify postfix-related command execution in an audit record
Default value: 'privileged-postfix'
audit_ssh_keysign_cmd
Data type: Boolean
Whether to audit the execution of the ssh-keysign
command
Default value: true
audit_ssh_keysign_cmd_tag
Data type: String[1]
The tag to identify ssh-keysign
command execution in an audit record
Default value: 'privileged-ssh'
audit_suspicious_apps
Data type: Boolean
Audit various applications that generally represent suspicious host activity
Default value: true
audit_suspicious_apps_tag
Data type: String[1]
Tag to be added to entries triggered by audit_suspicious_apps
Default value: 'suspicious_apps'
audit_suspicious_apps_list
Data type: Array[Stdlib::Absolutepath]
List of applications to be audited when audit_suspicious_apps
is enabled
audit_systemd
Data type: Boolean
Audit systemd components
- Only takes effect on systems with systemd present
Default value: true
audit_systemd_tag
Data type: String[1]
Tag to be added to entries triggered by audit_systemd
Default value: 'systemd'
audit_crontab_cmd
Data type: Boolean
Whether to audit the execution of the crontab
command
Default value: true
audit_crontab_cmd_tag
Data type: String[1]
The tag to identify crontab
command execution in an audit record
Default value: 'privileged-cron'
audit_pam_timestamp_check_cmd
Data type: Boolean
Whether to audit the execution of the pam_timestamp_check
command
Default value: true
audit_pam_timestamp_check_cmd_tag
Data type: String[1]
The tag to identify pam_timestamp_check
command execution in an audit
record
Default value: 'privileged-pam'
auditd::config::audit_profiles::stig
The defaults for this profile generate a set of audit rules that conform to automated DISA STIG compliance checks for RHEL7. Satisfying the checks, instead of the intent of the security requirements, necessitates unoptimized rules. These unoptimized rules, in turn, negatively impact system performance.
WARNING: These rules may overload your system and/or log server!
When auditd performance is an issue, you may wish to
-
Disable capabilities that, despite being required by DISA STIG for RHEL7, produce large amounts audit records of limited utility.
chmod
auditing for all non-service users falls in this category. -
Use the optimized 'auditd::config::audit_profiles::simp' profile, instead. That profile is more comprehensive and performant.
Parameters
The following parameters are available in the auditd::config::audit_profiles::stig
class:
uid_min
audit_unsuccessful_file_operations
audit_unsuccessful_file_operations_tag
audit_chown
audit_chown_tag
audit_chmod
audit_chmod_tag
audit_attr
audit_attr_tag
audit_rename_remove
audit_rename_remove_tag
audit_suid_sgid
default_suid_sgid_cmds
suid_sgid_cmds
audit_suid_tag
audit_sgid_tag
audit_suid_sgid_tag
audit_kernel_modules
audit_kernel_modules_tag
audit_mount
audit_mount_tag
audit_local_account
audit_local_account_tag
audit_selinux_cmds
audit_selinux_cmds_tag
audit_login_files
audit_login_files_tag
audit_cfg_sudoers
audit_cfg_sudoers_tag
audit_passwd_cmds
audit_passwd_cmds_tag
audit_priv_cmds
audit_priv_cmds_tag
audit_postfix_cmds
audit_postfix_cmds_tag
audit_ssh_keysign_cmd
audit_ssh_keysign_cmd_tag
audit_crontab_cmd
audit_crontab_cmd_tag
audit_pam_timestamp_check_cmd
audit_pam_timestamp_check_cmd_tag
uid_min
Data type: Integer[0]
The minimum UID for human users on the system. Any audit events generated
by users below this number will be ignored unless a corresponding rule
is inserted before the UID-limiting rule in the rules list. When using
auditd::rule
, you can create such a rule by setting the absolute
parameter to be 'first'.
Default value: $::auditd::uid_min
audit_unsuccessful_file_operations
Data type: Boolean
Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes
Default value: true
audit_unsuccessful_file_operations_tag
Data type: String[1]
The tag to identify the unsuccessful file operations in an audit record
Default value: 'access'
audit_chown
Data type: Boolean
Whether to audit chown
operations for all non-service users.
These operations are provided by chown
, fchown
, fchownat
,
and lchown
system calls.
Default value: true
audit_chown_tag
Data type: String[1]
The tag to identify chown
operations in an audit record
Default value: 'perm_mod'
audit_chmod
Data type: Boolean
Whether to audit chmod
operations for all non-service users.
These operations are provided by chmod
, fchmod
, and fchmodat
system calls.
Default value: true
audit_chmod_tag
Data type: String[1]
The tag to identify chmod
operations in an audit record
Default value: 'perm_mod'
audit_attr
Data type: Boolean
Whether to audit xattr
operations for all non-service users.
These operations are provided by setxattr
, lsetxattr
, fsetxattr
,
removexattr
, lremovexattr
and fremovexattr
system calls.
Default value: true
audit_attr_tag
Data type: String[1]
The tag to identify xattr
operations in an audit record
Default value: 'perm_mod'
audit_rename_remove
Data type: Boolean
Whether to audit rename/remove operations for all non-service users.
These operations are provided by rename
, renameat
, rmdir
,
unlink
, and unlinkat
system calls.
Default value: true
audit_rename_remove_tag
Data type: String[1]
The tag to identify rename/remove operations in an audit record
Default value: 'delete'
audit_suid_sgid
Data type: Boolean
Whether to audit setuid
/setgid
commands
Default value: true
default_suid_sgid_cmds
Data type: Array[String[1]]
The default list of setuid
/setgid
commands to be audited.
- Should not include commands audited by other rules.
suid_sgid_cmds
Data type: Array[String[1]]
Additional list of setuid
/setgid
commands to be audited.
You can use this to augment the $default_suid_sgid_cmds
per your site's needs.
Default value: []
audit_suid_tag
Data type: String[1]
The tag to identify setuid
command execution in an audit record
Default value: 'setuid'
audit_sgid_tag
Data type: String[1]
The tag to identify setgid
command execution in an audit record
Default value: 'setgid'
audit_suid_sgid_tag
Data type: String[1]
The tag to identify setuid
/setgid
command execution in an audit record
Default value: "${audit_suid_tag}/${audit_sgid_tag}"
audit_kernel_modules
Data type: Boolean
Whether to audit kernel module operations
Default value: true
audit_kernel_modules_tag
Data type: String[1]
The tag to identify kernel module operations in an audit record
Default value: 'module-change'
audit_mount
Data type: Boolean
Whether to audit mount operations
Default value: true
audit_mount_tag
Data type: String[1]
The tag to identify mount operations in an audit record
Default value: 'privileged-mount'
audit_local_account
Data type: Boolean
Whether to audit local account changes
Default value: true
audit_local_account_tag
Data type: String[1]
The tag to identify local account changes in an audit record
Default value: 'identity'
audit_selinux_cmds
Data type: Boolean
Whether to audit chcon
, semanage
, setsebool
, and setfiles
commands
Default value: true
audit_selinux_cmds_tag
Data type: String[1]
The tag to identify selinux command execution in an audit record
Default value: 'privileged-priv_change'
audit_login_files
Data type: Boolean
Whether to audit changes to login files
Default value: true
audit_login_files_tag
Data type: String[1]
The tag to identify login file changes in an audit record
Default value: 'logins'
audit_cfg_sudoers
Data type: Boolean
Whether to audit changes to sudoers configuration files
Default value: true
audit_cfg_sudoers_tag
Data type: String[1]
The tag to identify sudoers configuration file changes in an audit record
Default value: 'privileged-actions'
audit_passwd_cmds
Data type: Boolean
Whether to audit the execution of password commands, i.e., passwd
,
unix_chkpwd
, gpasswd
, chage
, userhelper
Default value: true
audit_passwd_cmds_tag
Data type: String[1]
The tag to identify password command execution in an audit record
Default value: 'privileged-passwd'
audit_priv_cmds
Data type: Boolean
Whether to audit the execution of privilege-related commands, i.e.,
su
, sudo
, newgrp
, chsh
, and sudoedit
Default value: true
audit_priv_cmds_tag
Data type: String[1]
The tag to identify privilege-related command execution in an audit record
Default value: 'privileged-priv_change'
audit_postfix_cmds
Data type: Boolean
Whether to audit the execution of postfix-related commands, i.e.
postdrop
and postqueue
Default value: true
audit_postfix_cmds_tag
Data type: String[1]
The tag to identify postfix-related command execution in an audit record
Default value: 'privileged-postfix'
audit_ssh_keysign_cmd
Data type: Boolean
Whether to audit the execution of the ssh-keysign
command
Default value: true
audit_ssh_keysign_cmd_tag
Data type: String[1]
The tag to identify ssh-keysign
command execution in an audit record
Default value: 'privileged-ssh'
audit_crontab_cmd
Data type: Boolean
Whether to audit the execution of the crontab
command
Default value: true
audit_crontab_cmd_tag
Data type: String[1]
The tag to identify crontab
command execution in an audit record
Default value: 'privileged-cron'
audit_pam_timestamp_check_cmd
Data type: Boolean
Whether to audit the execution of the pam_timestamp_check
command
Default value: true
audit_pam_timestamp_check_cmd_tag
Data type: String[1]
The tag to identify pam_timestamp_check
command execution in an audit
record
Default value: 'privileged-pam'
auditd::config::grub
Enables/disables auditing at boot time.
Parameters
The following parameters are available in the auditd::config::grub
class:
enable
Data type: Boolean
Enable auditing in the kernel at boot time.
Default value: true
auditd::config::logging
NOTE: THIS IS A PRIVATE CLASS**
auditd::install
NOTE: THIS IS A PRIVATE CLASS**
auditd::service
NOTE: THIS IS A PRIVATE CLASS**
Parameters
The following parameters are available in the auditd::service
class:
ensure
Data type: Variant[String[1],Boolean]
ensure
state from the service resource
Default value: pick(getvar('auditd::enable'), 'running')
enable
Data type: Boolean
enable
state from the service resource
Default value: pick(getvar('auditd::enable'), true)
bypass_kernel_check
Data type: Boolean
Do not check to see if the kernel is enforcing auditing before trying to manage the service.
- This may be required if auditing is not being actively managed in the kernel and someone has stopped the auditd service by hand.
Default value: false
warn_if_reboot_required
Data type: Boolean
Add a reboot_notify
warning if the system requires a reboot before the
service can be managed.
Default value: true
Defined types
auditd::rule
All rules must be uniquely named. See auditctl(8)
for more information
on how to write the content for these rules.
- Overrides all other ordering parameters
Parameters
The following parameters are available in the auditd::rule
defined type:
name
A unique identifier for the audit rules.
content
Data type: Variant[Array[String[1]],String[1]]
The content of the rules that should be added.
- Arrays will be joined with a newline
order
Data type: Optional[String[1]]
An alphanumeric (file system ordering) order string
Default value: undef
first
Data type: Boolean
Set this to 'true' if you want to prepend your custom rules (numeric 10)
Default value: false
absolute
Data type: Boolean
Set this to true
if you want the added rules to be absolutely first or
last depending on the setting of $first
.
Default value: false
prepend
Data type: Boolean
Prepend this rule to all other rules (numeric 00).
Default value: false
Functions
auditd::calculate_space_left
Type: Puppet Language
Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.
auditd::calculate_space_left(Variant[Integer[0],Pattern['^\d+%$']] $admin_space_left)
The auditd::calculate_space_left function.
Returns: Variant[Integer[0],Pattern['^\d+%$']]
admin_space_left
Data type: Variant[Integer[0],Pattern['^\d+%$']]
auditd::get_array_index
Type: Ruby 4.x API
Terminates catalog compilation if the element is not found within the array.
auditd::get_array_index(String $element, Array $array, Optional[Integer] $min_digits)
Terminates catalog compilation if the element is not found within the array.
Returns: String
Index of element
in array
represented as
a string
Raises:
RuntimeError
ifelement
is not found withinarray
element
Data type: String
The element
array
Data type: Array
The array
min_digits
Data type: Optional[Integer]
The minimum number of digits the index should be. It will be '0'-padded to meet this number.
auditd::validate_init_params
Type: Puppet Language
Moved into a function to reduce class clutter.
Fails on discovered errors.
auditd::validate_init_params()
Moved into a function to reduce class clutter.
Fails on discovered errors.
Returns: None
Data types
Auditd::AuditProfile
Matches the types of auditd profiles allowed
Alias of Enum['built_in', 'simp', 'stig', 'custom']
Auditd::DiskErrorAction
Matches disk error actions in auditd.conf
Alias of Enum['IGNORE', 'SYSLOG', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'exec', 'suspend', 'single', 'halt']
Auditd::DiskFullAction
Matches actions to take when disk is full (see auditd.conf)
Alias of Enum['IGNORE', 'SYSLOG', 'ROTATE', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'rotate', 'exec', 'suspend', 'single', 'halt']
Auditd::Flush
Matches actions flush in auditd.conf
Alias of Enum['NONE', 'INCREMENTAL', 'DATA', 'SYNC', 'INCREMENTAL_ASYNC', 'none', 'incremental', 'data', 'sync', 'incremental_async']
Auditd::LogFacility
Matches log facility that can be used in syslog.conf plugin
Alias of Enum['', 'LOG_LOCAL0', 'LOG_LOCAL1', 'LOG_LOCAL2', 'LOG_LOCAL3', 'LOG_LOCAL4', 'LOG_LOCAL5', 'LOG_LOCAL6', 'LOG_LOCAL7']
Auditd::LogFormat
Matches log formats that can be used in auditd.conf
Alias of Enum['RAW', 'ENRICHED', 'NOLOG', 'raw', 'enriched', 'nolog']
Auditd::LogPriority
Matches log priorities that can be used in syslog.conf plugin
Alias of Enum['LOG_DEBUG', 'LOG_INFO', 'LOG_NOTICE', 'LOG_WARNING', 'LOG_ERR', 'LOG_CRIT', 'LOG_ALERT', 'LOG_EMERG', 'LOG_AUTHPRIV']
Auditd::MaxLogFileAction
Matches available matches for maxlogfileaction in auditd.conf
Alias of Enum['IGNORE', 'SYSLOG', 'SUSPEND', 'ROTATE', 'KEEP_LOGS', 'ignore', 'syslog', 'suspend', 'rotate', 'keep_logs']
Auditd::NameFormat
Matche s available name formats in audotd.conf
Alias of Enum['NONE', 'HOSTNAME', 'FQD', 'NUMERIC', 'USER', 'none', 'hostname', 'fqd', 'numeric', 'user']
Auditd::OverflowAction
Matches overflow_action settings in auditd.conf or audisp.conf
Alias of Enum['IGNORE', 'SYSLOG', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'suspend', 'single', 'halt']
Auditd::RootAuditLevel
Matches root audit level settings in auditd.conf
Alias of Enum['basic', 'aggressive', 'insane']
Auditd::SpaceLeftAction
Matches spaceleftaction for auditd.conf
Alias of Enum['IGNORE', 'SYSLOG', 'ROTATE', 'EMAIL', 'EXEC', 'SUSPEND', 'SINGLE', 'HALT', 'ignore', 'syslog', 'rotate', 'email', 'exec', 'suspend', 'single', 'halt']
- Mon Nov 25 2024 Steven Pritchard steve@sicura-us - 8.14.4
- Fix more use of legacy facts
- Tue Jul 16 2024 Steven Pritchard steve@sicura.us - 8.14.3
- Fix comparison of space_left and admin_space_left as percentages
- Mon Jul 08 2024 Steven Pritchard steve@sicura.us - 8.14.2
- Remove calls to deprecated parameters (for Puppet 8 compatibility)
- Wed Jul 03 2024 Steven Pritchard steve@sicura.us - 8.14.1
- Clean up legacy fact usage for Puppet 8 compatibility
- Wed Nov 22 2023 ben benrobertson9876@gmail.com - 8.14.0
- (SIMP-10744) Add purge behaviour for auditd rules
- Tue Oct 24 2023 Joshua Hoblitt josh@hoblitt.com - 8.13.0
- Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 8.12.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- These updates may include the following:
- Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 8.11.0
- Add AlmaLinux 8 support
- Thu Aug 17 2023 Mike Riddle mike@sicura.us - 8.10.1
- Add RHEL 9 hieradata
- Wed Jul 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 8.10.0
- Add RockyLinux 8 support
- Tue Jun 13 2023 Mike Riddle mike@sicura.us - 8.9.1
- All of the rule files will now have the same mode defined for /etc/audit/rules.d
- Tue Nov 15 2022 Joshua Hoblitt josh@hoblitt.com - 8.9.0
- do not include auditd::config::grub on hosts without grub
- fix simp base profile to work when grub_version fact is not set
- Fri Jul 29 2022 Benedikt Fischer benedikt.fischer@noris.de - 8.8.0
- Make parameter backlog_wait_time optional because there are auditd versions not supporting it
- Fri Jun 24 2022 Trevor Vaughan trevor@sicura.us - 8.8.0
- Add support for Amazon Linux 2
- Sat Jun 11 2022 Trevor Vaughan trevor@sicura.us - 8.7.5
- Actually fix flapping on rotated audit log files
- Fri Jun 03 2022 Trevor Vaughan trevor@sicura.us - 8.7.4
- Ensure that permissions do not flap on rotated audit log files
- Fri May 27 2022 Zach Schulte zschulte@broadinstitute.org - 8.7.3
- Fix the permissions on
/var/log/audit
- Fri May 13 2022 Mike Riddle mike@sicura.us - 8.7.2
- Changed the auditd_sample_rulesets fact to look in both /usr/share/audit/sample-rules and /usr/share/doc/audit*/rules for sample rulesets.
- Thu Mar 24 2022 Mike Riddle mike@sicura.us - 8.7.1
- Fixed a bug preventing overflow_action from being set properly
- Mon Jun 14 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.7.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Wed May 19 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.5
- Fixed
- Align EL8 STIG settings
- Changed
- Bump supported puppet version to include 7
- Always add the 'head' rules (global auditd config) settings when applying rule sets. These do not interfere with user-defined rules and are required for proper functionality of the system.
- Thu Apr 08 2021 Liz Nemsick lnemsick.simp@gmail.com - 8.6.4
- Use
-F key=
in lieu of-k
in the STIG profile, to match scanner updates.
- Sun Mar 07 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.3
- Switch auditd rules to be 'always,exit' instead of 'exit,always' to match the man pages and general scanner updates.
- Tue Feb 02 2021 Liz Nemsick lnemsick.simp@gmail.com - 8.6.3
- Expanded simp/rsyslog dependendency range to < 9.0.0.
- Thu Jan 07 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.6.3
- Removed EL6 support
- Mon Nov 23 2020 Liz Nemsick lnemsick.simp@gmail.com - 8.6.2-0
- Fixed a bug in which the module could not enable auditing in a system
with auditing already disabled in the kernel, when replication of the
audit logs to syslog was required.
- Manifest would fail to compile because of a nil
auditd_version
fact.
- Manifest would fail to compile because of a nil
- Wed Sep 23 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.1-0
- Allow auditd space_left and admin_space_left to accept percentages on supported versions
- Wed Aug 12 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.6.0-0
- Ensure that the auditd service is not managed if the kernel is not enforcing auditing
- Add an acceptance test for toggling disabling auditing without modifying the kernel parameter
- Fri Aug 07 2020 Marcel Fischer marcel@fury.home.loc - 8.5.3-0
- Add
INCREMENTAL_ASYNC
to possible values for$::auditd::flush
- Tue Aug 04 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.5.2-0
- Ensure that facts are properly confined
- Utilize the new simplib__auditd fact
- Mon Jul 13 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 8.5.1-0
- Add
built_in
audit profile to the subsystem that provides ability to include and manage sample rulesets to be compiled into active rules
- Wed Jun 24 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.5.1-0
- Added a File statement for /etc/audit/audit.rules.prev to prevent unnecessary flapping
- Ensure that the inspec tests don't run if there isn't a profile available
- Ensure that kmod is audited in all STIG modes on EL7+
- Mon Jun 15 2020 Jan Fickler jan.fickler@webfleet.com - 8.5.1-0
- Fix regex substitution for bad path characters
- Thu Oct 31 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.5.0-0
- Allow users to knockout entries from arrays specified in Hiera
- Multiple rules added based on best practices mostly pulled from
/usr/share/doc/auditd:
- Audit 32 bit operations on 64 bit systems
- Audit calls to the auditd CLI commands
- Audit IPv4 and IPv6 inbound connections
- Optionally audit IPv4 and IPv6 outbound connections
- Audit suspicious applications
- Audit systemd
- Audit the auditd configuration space
- Ignore time daemon logs (clutter)
- Ignore CRYPTO_KEY_USER logs (clutter)
- Add ability to set the backlog_wait_time
- Set loginuid_immutable
- Thu Oct 24 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 8.5.0-0
-
Set defaults for syslog parameters if auditd version is unknown.
-
Added support for auditd v3.0 which is used by RedHat 8.
-
A fact that determines the major version of auditd that is running on the system was added, auditd_major_version. This is used in hiera.yaml hierarchy to add module data specific to the versions.
-
Most of the changes in auditd v3.0 were related to how the plugins are handled but there are a few new parameters added to auditd.conf. They were set to their defaults according to man of auditd.conf.
-
Auditd V3.0 moved the handling of plugins into auditd from audispd. The following changes were made to accommodate that:
- To make sure the parameters used to handle plugins where defined in one place no matter what version of auditd was used, they were moved to init.pp and referenced from there by the audisp manifest. For backwards compatibility, they remain in audisp.conf and are aliased in the hiera module data.
- For backwards compatibility auditd::syslog remains defaulting to the
value of simp_options::syslog although the two are not really the same thing.
You might want to review this setting and set auditd::syslog to a setting that
is appropriate for your system.
- To enable auditd logging to syslog set the following in hiera:
auditd::syslog: true
auditd::config::audisp::syslog::enable: true.
The drop_audit_logs is still there for backwards compatibility and
needs to be disabled.
auditd::config::audisp::syslog::drop_audit_logs: false - To stop auditd logging to syslog set the following in hiera: auditd::syslog: true auditd::config::plugins::syslog::enable: false. Setting auditd::syslog to false will stop Puppet from managing the syslog.conf, it will not disable auditd logging to syslog. been removed. Disable the syslog plugin as described above.
- To enable auditd logging to syslog set the following in hiera:
auditd::syslog: true
auditd::config::audisp::syslog::enable: true.
- The settings for syslog.conf were updated and to work for new and old versions of auditd.
- Added installation of audisp-syslog package when using auditd v3.
Mon Aug 19 2019 Robert Vincent pillarsdotnet@gmail.com - 8.4.1-0
-
Add rules to monitor /usr/share/selinux
- Fri Jul 05 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 8.4.0-0
- Add v2 compliance_markup data
- Tue Jun 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.3.2-0
- Fix an issue where trailing newlines may not be present on custom rule profiles, particularly with rules defined in an Array.
- Thu May 02 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.3.1-0
- Fix a breaking change inadvertantly introduced into auditd::rule in which the auditd class was no longer included when an auditd::rule was defined in a manifest.
- Thu Apr 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.3.0-0
- Added a
custom
audit profile that accepts either an Array of rules or a template path for ease of setting full rulesets via Hiera. - Updated all module components for
puppet strings
- Fixed the README
- Added a REFERENCE.md
- Refactored the filename logic in the base profiles to be simpler
- Converted the rule template to EPP
- Converted the rotated_audit_logs template to EPP
- Converted STIG audit profile template to EPP
- Converted SIMP audit profile template to EPP
- Wed Apr 10 2019 Joseph Sharkey shark.bruhaha@gmail.com - 8.2.1-0
- Ensure that space_left is always larger than admin_space_left
- Updated tests in support of puppet6, and removed puppet4 support
- Updated puppet template scope API from 3 to newer
- Sat Apr 06 2019 Jim Anderson thesemicolons@protonmail.com - 8.2.1-0
- config.pp now managed /etc/audit in addition to /etc/audit/rules.d. The permissions and ownership of the two directories should be the same. Both directories use purge and recurse.
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.2.1-0
- Use Puppet Integer in lieu of simplib's deprecated Puppet 3 to_integer
- Expanded the upper limit of the stdlib Puppet module version
- Updated a URL in the README.md
- Tue Jan 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0
- Allow users to optimize their audit processing by only collecting on specific SELinux types
- Fri Jan 11 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 8.2.0-0
- Add restorecon audit for STIG profile
- Fri Nov 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0
- Update to remove potentially redundant test code and use the updated simp-beaker-helpers
- Thu Nov 15 2018 Mark Leary leary.mark@gmail.com - 8.1.1-0
- Revert back to using the native service provider for the auditd service since puppet fixed the service handling.
- Wed Oct 31 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0
- Allow users to opt-out of hooking the audit dispatchers into the SIMP rsyslog
module using
auditd::config::audisp::syslog::rsyslog = false
or, alternatively, settingsimp_options::syslog = false
. - Add a
write_logs
opttion to theauditd_class
and multiplex between thelog_format = NOLOG
setting andwrite_logs = false
since there were breaking changes in these settings afterauditd
version2.6.0
. - Add support for
log_format = ENHANCED
forauditd
version >=2.6.0
. Older versions will simply fall back toRAW
.
- Tue Oct 16 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 8.1.0-0
- Removed unnecessary dependencies from metadata.json. Now, when users install
auditd stand-alone i.e.
puppet module install
, they will not have extraneous modules clutter their environment.- herculesteam/augeasproviders_grub
- simp/rsyslog
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 8.1.0-0
- Changed the $package_ensure parameter from 'latest' to 'installed'
- It will also respect
simp_options::package_ensure
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.1.0-0
- Update Hiera 4 to Hiera 5
- Fri Jul 27 2018 Brandon Ess brandon.ess@gmail.com - 8.1.0-0
- Align group ownership of the auditd log directories with the setting for auditd itself so that the designated group can access the log files.
- Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0
- Updated to work with Puppet 5 and OEL
- Fri Jul 06 2018 Trey Dockendorf tdockendorf@osc.edu - 8.0.1-0
- Allow lowercase values for several parameters in accordance with the man pages and SCAP expectations.
- Thu Jun 21 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.0.0-0
- Added ability to select one or more audit profiles. When multiple profiles are selected, their rules are effectively concatenated in the order in which the profiles are listed in auditd::default_audit_profiles.
- The following API Changes were made in support of multiple audit
profiles:
- $::auditd::$default_audit_profile has been deprecated by $::auditd::$default_audit_profiles
- auditd::config and auditd::config::audit_profiles::simp classes are now private. In the unlikely event that you included just these classes in your manifest, you must now include auditd instead.
- The following auditctl global configuration options that were in auditd::config::audit_profiles::simp are now in the auditd class, instead: $ignore_errors, $ignore_anonymous, $ignore_system_services, and $ignore_crond. They were moved because they are now applied to the set of audit profiles selected, not just the 'simp' audit profile.
- The following auditd::config::audit_profiles::simp class parameters
have been deprecated for clarity:
- $audit_sudoers has been deprecated by $audit_cfg_sudoers
- $audit_sudoers_tag has been deprecated by $audit_cfg_sudoers
- $audit_grub has been deprecated by $audit_cfg_grub
- $audit_grub_tag has been deprecated by $audit_cfg_grub_tag
- $audit_yum has been deprecated by $audit_cfg_yum
- $audit_yum_tag has been deprecated by $audit_cfg_yum_tag
- Some previously hard-coded, internal configuration is now exposed as data-in-modules.
- Added 'stig' audit profile which manages rules that match DISA STIG
checks, exactly.
- For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
- Fixed bugs in 'simp' audit profile
- Fixed umask syscall rules. These rules require arch filters.
- Fixed clock_settime syscall rules. Per the sample STIG audit rules packaged in the auditd RPM, these rules require an 'a0' filter.
- Fixed bug in which /var/log/tallylog was grouped with session instead of logins.
- Fixed bug in which the /etc/pam.d watch rule had the wrong tag
- Updated 'simp' audit profile settings for DISA STIG.
- Expanded the list of successful syscall operations audited.
- Expanded the list of module syscall operations audited
- Added an option to monitor selinux commands, (i.e., chcon, semanage, setfiles, setsebool)
- Added an option to audit the execution of password commands ('passwd', 'unix_chkpwd', 'gpasswd', 'chage', 'userhelper')
- Added an option to audit the execution of privilege-related commands ('su', 'sudo', 'newgrp', 'chsh', 'sudoedit')
- Added an option to audit the execution of postfix-related commands ('postdrop', 'postqueue')
- Added an option to audit the execution of the 'ssh-keysign' command
- Added an option to audit the execution of the 'crontab' command
- Added an option to audit the execution of the 'pam_timestamp_check' command
- Added an option to audit the execution of rename/remove operations for non-service users (rename', 'renameat', rmdir', 'unlink', and 'unlinkat')
- Added watch rules for /etc/hostname and /etc/NetworkManager (for centos7) pulled from the sample STIG audit rules packaged in the auditd RPM.
- For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
- Mon Mar 26 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.3-0
- Work around RPM upgrade issue with nodeset link in compliance acceptance test suite.
- Tue Jan 09 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 7.1.3-0
- Updated compliance suite to use new inspec profile, https://github.com/simp/inspec-profile-disa_stig-el7
- Removed the el6 nodeset from the compliance suite; there are no simp-supported el6 inspec profiles at this time.
- Ensured git installed as it's a dependency of our inspec profiles
- Mon Nov 13 2017 Nick Miller nick.miller@onyxpoint.com - 7.1.2-0
- /var/run/faillock should be tagged under 'login'
- Thu Aug 31 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.1-0
- Adjust audit.rules mode per inspec testing
- Mon Aug 21 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0-0
- Updated to use augeasproviders_grub 3
- Added the ability to log calls to the 'rpm' and 'yum' commands
- Mon May 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2-0
- Fix bug whereby audit.rules file was not being regenerated prior to auditd service start in CentOS/RedHat 6.
- Update puppet version in metadata.json
- Mon Mar 27 2017 Nicholas Hughes nicholasmhughes@github.com - 7.0.1-0
- Audit kernel module tools from /usr/bin as well as /bin and /sbin
- Correct auditing /var/log/tallylock, it should have been /var/log/tallylog
- Thu Feb 22 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0
- Changed auditd::failure_mode to '1' by default since the compliant audit rules were causing routine system restarts. The new value will default to sending printk messages when the buffer is full.
- Changed all rules that were exit,always to be always,exit
- Tue Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0
- In response to the DISA STIG Requirements
- Added 'open_by_handle_at' to the 'access' key
- Added watches on /varlog/faillock and /var/log/tallylock
- Added watches on /usr/sbin/insmod and /bin/kmod
- Added permissions modification notification for 'chmod'
- Renamed auditd::add_rules to auditd::rule
- Split the audit permissions rules into separate lines
- Disabled chmod auditing by default
- Mon Dec 26 2016 Ralph Wright rwright@onyxpoint.com - 7.0.0-0
- Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0
- Refactor to work in Puppet 4 Changes
- Updated acceptance tests
- Mon Dec 12 2016 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0
- Update version to reflect SIMP6 dependencies
- Fri Dec 09 2016 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0
- Updated global catalysts
- Changed default log facility to local5.
- Added a drop rule for crond events
- Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.1.2-0
- Minor cleanup
- Mon Sep 26 2016 Jeanne Greulich, Liz Nemsick - 5.1.0-0
- Allow user to specify syslog facility and priority for audit record messages.
- Allow user to enable/disable audit record syslog messaging independent of the presence of forwarding logging servers.
- Added a file resource to detect and fix incorrect permissions on the /var/log/audit/audit.log file.
- Mon Aug 29 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.4-0
- Added booleans to toggle sections of audit rules.
- Tue Jul 26 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 5.0.3-0
- Fix for strict_variables failure
- Wed Jul 06 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.2-0
- Added a default audit rule for 'renameat', per CCE-26651-0.
- Added an auditd_version fact.
- Updated validation for *_action lists to differentiate between auditd versions.
- Updated module to use new rake helper to auto-gen .spec file.
- Thu May 19 2016 nicholasmhughes nicholasmhughes@gmail.com - 5.0.1-0
- Change
btmp
andwtmp
locations to/var/log
- Support dynamic audit log locations
- Thu Feb 18 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-4
- Added compliance function support
- Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-3
- Ensure that the ::auditd::add_rules define does not run if $::auditd::enable_auditing is false.
- Thu Nov 19 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-2
- Full migration to
simplib
, removedcommon
andfunctions
.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1
- migration to simplib and simpcat (lib/ only)
- Tue Oct 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Module refactor to the new SIMP standard
- Fixes for the audit dispatcher and syslog connections
- Mon Sep 07 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-13
- Updated facts from $::lsbmajdistrelease to $::operatingsystemmajrelease.
- Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-12
- Updated to use the new rsyslog module.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Changed puppet-server requirement to puppet
- Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Updated auditd::to_syslog to support multiple log servers and support for native TLS.
- Sat Sep 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Fixed a missing rule for RHEL<7 that did not properly drop all of the useless audit data.
- Sat Aug 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Updated to use the new reboot_notify native type.
- Sun Jul 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Updated to support both grub and grub2
- Fixed a bug in the audit ruleset where the initial drop rule was set to drop everything that was not anonymous.
- Added support for /etc/audit/rules.d for RHEL7 systems.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- Removed MD5 file checksums for FIPS compliance.
- Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5
- Pointed concat fragment auditd+head at the correct template!
- Updated to support RHEL7
- Wed May 21 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Added the ability to put rules before the default rule body in audit.rules.
- Added validation to add_rules.pp.
- Fri Mar 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- The template for auditing the rotated audit logs had a one-off error preventing the audit of the last rotated log.
- Spec tests were added.
- Fri Mar 14 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2
- Added class for auditing grub.
- Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Converted all string booleans to native booleans.
- Mon Nov 04 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Added support for audispd based on patches provided by Raymond Page raymond.page@icat.us.
- Removed the old rsyslog file tap on audit.log.
- Folded the auditd::conf define into the auditd main class since
parameterized classes eliminate the need for the define.
- Breaking Change
- Mon Oct 28 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-11
- Updated the audit base rules to compress and reorder many of the rules to allow for greater processing efficiency.
- Added checks for kernel module manipulation in accordance with CCE-26610-6.
- Mapped all audit rules to their associated SSG rules in the file template.
- Thu Oct 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-11
- Updated templates to reference instance variables with @
- Wed Jul 17 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-10
- Removed the sgid binary check in the audit rules because it doesn't actually make any sense.
- Thu Jun 27 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-9
- Added audit rules to catch the execution of sgid and suid binaries.
- Added the ability to rate limit the auditd messages. If you use this, you probably want to change the failure mode to 1.
- Added the ability to ignore failures in the audit configuration and continue and set it to true by default. Since the rules are automatically managed, the likelihood of one being wrong is fairly high. Also, rules will fail if a file doesn't exist which isn't all that helpful.
- Removed the watch on /proc/kcore since it wasn't really helpful and was throwing SELinux AVC's on startup.
- Added default auditing to /etc/yum.conf and /etc/yum.repos.d
- Tue Apr 09 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-8
- Skip any rule that does not load properly so that we have as much of the configuration active as possible.
- Thu Dec 13 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-7
- Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.
- Fri Nov 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6
- Added a cucumber test to ensure that the auditd daemon starts when including audit in the puppet server manifest.
- Tue Sep 18 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-5
- Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.
- Thu Jun 07 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-4
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Moved rsyslog module inclusion from init.pp to to_syslog.pp where it is used.
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-3
- Improved test stubs.
- Mon Jan 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2
- Removed all references to 'entry' rules since they are deprecated.
- Removed the watch rule for /etc/firmware since it was removed in RHEL6 and pretty much useless anyway.
- Added test stubs
- Mon Dec 26 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1
- Scoped all of the top level variables.
- Fri Oct 28 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Removed the base audit of /etc/ldap.conf since it was redundant.
- Mon Oct 10 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Thu Mar 17 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2
- Modified several audit rules to be a bit more complete and to conform to some of the Red Hat syntax standards.
- Fri Feb 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2
- Converting all spec files to check for directories prior to copy.
- Wed Jul 28 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1
- More code refactoring
- Made log_file configurable in to_syslog define.
- Wed May 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0
- Code + doc refactor
- Wed May 12 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-12
- Added the option $root_audit_level to auditd::conf
- The allowed strings are basic(default), aggressive, insane
- Basic(default): Safe, should not follow program execution outside of the base app
- Aggressive: Adds execve
- Insane: Adds fork, vfork, write, chown, creat, link, mkdir, rmdir
- The allowed strings are basic(default), aggressive, insane
- Fri Feb 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-11
- Removed watch on /etc. That was a very bad rule.
- Tue Dec 15 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-10
- Audit rules now properly handle 64 and 32 bit architectures (for now). Previously, the 64 bit calls were not handled properly.
Dependencies
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- puppet/augeasproviders_grub (>= 3.1.0 < 6.0.0)
auditd - A module to manage the Audit Daemon, Kernel Parameters, and related subsystems. Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.