Table of Contents

• Overview
• This is a SIMP module
• Module Description
• Setup
  • Setup Requirements
  • What Auditd Affects
• Usage
  • Basic Usage
  • Disabling Auditd
  • Changing Key Values
  • Understanding Auditd Profiles
    • Stacking Profiles
    • The Custom Profile
      • Override All Other Profiles
      • Prepend Before the SIMP Profile
      • Append After the SIMP and STIG Profiles
  • Adding One-Off Rules
    • Adding Regular Filter Rules
    • Prepend and Drop Everything From a User
• Development
  • Acceptance tests

Overview

This module manages the Audit daemon, kernel parameters, and related subsystems.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

• When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
• If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.

Module Description

You can use this module for the management of all components of auditd including configuration, service management, kernel parameters, and custom rule sets.

By default, a rule set is provided that should meet a reasonable set of operational goals for most environments.

The audit kernel parameter may optionally be managed independently of the rest of the module using the ::auditd::config::grub class.

Setup

Setup Requirements

If auditd::syslog is true, you will need to install simp/rsyslog as a dependency.

What Auditd Affects

• The audit kernel parameter
  • NOTE: This will be applied to all kernels in your standard grub configuration
• The auditd service
• The audid configuration in /etc/auditd.conf
• The auditd rules in /etc/audit/rules.d
• The audispd configuration in /etc/audisp/audispd.conf
• The audispd syslog configuration in /etc/audisp/plugins.d/syslog.conf

Usage

Basic Usage

# Set up auditd with the default settings and SIMP default ruleset
# A message will be printed indicating that you need to reboot for this option
# to take full effect at each Puppet run until you reboot your system.

include 'auditd'

Disabling Auditd

To disable auditd at boot, set the following in hieradata:

auditd::at_boot: false

Changing Key Values

To override the default values included in the module, you can either include new values for the keys at the time that the classes are declared, or set the values in hieradata:

class { 'auditd':
  ignore_failures => true,
  log_group       => 'root',
  flush           => 'INCREMENTAL'
}

auditd::ignore_failures: true
auditd::log_group: 'root'
auditd::flush: 'INCREMENTAL'

Understanding Auditd Profiles

This module supports various configurations both independently and simultaneously to meet varying end user requirements.

NOTE: The default behavior of this module is to ignore any invalid rules and apply as much of the rule set as possible. This is done so that you end up with an effective level of auditing regardless of a simply typo or conflicting rule. Please test your final rule sets to ensure that your system is auditing as expected.

The auditd::default_audit_profiles parameter determines which profiles are included, and in what order the rules are added to the system.

The auditd::default_audit_profiles has a default setting of [ 'simp' ] which applies the optimized SIMP auditing profile which is suitable for meeting most generally available compliance requirements. It does not, however, generally appease the scanning utilities since it optimizes the rules for performance and most scanners cannot handle audit rule optimizations.

There are two other profiles available in the system by default:

• stig => Applies the rules as defined in the latest covered DISA STIG
• custom => Allows users to define their own rules easily via Hiera

There are a large number of parameters exposed for each profile that are meant to be set via Hiera and you should take a look at the REFERENCE.md file to understand the full capabilities of each profile.

Stacking Profiles

In some cases, you may want to combine profiles in different orders. This may either be done in order to pass a particular scanning engine or to ensure that items that are not caught by the first profile are caught by the second.

Profiles are included and ordered by passing an Array to the auditd::default_audit_profiles parameter and are added to auditd in the order in which they are defined in the Array.

For example, this (the default) would only add the simp profile:

auditd::default_audit_profiles:
  - "simp"

Likewise, this would add the stig rules prior to the simp profile:

auditd::default_audit_profiles:
  - "stig"
  - "simp"

The Custom Profile

Users may wish to either completely override the default profiles or prepend/append their own rules to the stack for compliance purposes.

You can easily do this via Hiera as shown in the following example:

auditd::config::audit_profiles::custom::rules:
  - '-w /etc/passwd -wa -k passwd_files'
  - '-w /etc/shadow -wa -k passwd_files'

To activate the custom profile, you will need to set the auditd::default_audit_profiles parameter as shown in the following examples:

Override All Other Profiles

auditd::default_audit_profiles:
  - "custom"

Prepend Before the SIMP Profile

auditd::default_audit_profiles:
  - "custom"
  - "simp"

Append After the SIMP and STIG Profiles

auditd::default_audit_profiles:
  - "simp"
  - "stig"
  - "custom"

Adding One-Off Rules

Rules are alphanumerically ordered based on file-system globbing. It is recommended that users use the auditd::rule defined type for adding rules.

Other options are available with auditd::rule but these are the most commonly used.

Adding Regular Filter Rules

auditd::rule { 'failed_file_creation':
  content => '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k failed_file_creation'
}

auditd::rule { 'passwd_file_watches':
  content => [
    '-w /etc/passwd -wa -k passwd_files',
    '-w /etc/shadow -wa -k passwd_files'
  ]
}

Prepend and Drop Everything From a User

This will make your rule land in the 00 set of rules.

auditd::rule { 'pre_drop_user_5000':
  content => '-a exit,never -F auid=5000',
  prepend => true
}

Development

Please read our Contribution Guide

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle exec rake beaker:suites

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes

• BEAKER_debug: show the commands being run on the STU and their output.
• BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
• BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
• BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.
• BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.

Please refer to the SIMP Beaker Helpers documentation for more information.

Reference

Table of Contents

Classes

• auditd: Configure the audit daemon for use with a specified audit profile.
• auditd::config: This class is called from auditd for service config.
• auditd::config::audisp: Configures the audit dispatcher primarily for sending audit logs directly to syslog without intervention.
• auditd::config::audisp::syslog: Utilizes rsyslog to send all audit records to syslog.
• auditd::config::audisp_service: Make sure the audispd process keeps running.
• auditd::config::audit_profiles: Provides global audit rule configuration and a base set of audit rules based on the built-in audit profile(s).
• auditd::config::audit_profiles::custom: A set of user specified rules in a form that is easy to manipulate via Hiera
• auditd::config::audit_profiles::simp: A set of general purpose audit rules that should meet most security policy requirements
• auditd::config::audit_profiles::stig: A set of audit rules that are configured to satisfy DISA STIG compliance checks for EL7.
• auditd::config::grub: Enables/disables auditing at boot time.
• auditd::config::logging: Ensures that logging rules are defined.
• auditd::install: Install the auditd packages
• auditd::service: Ensure that the auditd service is running

Defined types

• auditd::rule: Add rules to the audit daemon.

Functions

• auditd::get_array_index: Returns a string that represents the first index of the specified element within the Array.

Classes

auditd

Any variable that is not described here can be found in auditd.conf(5) and auditctl(8).

• See also auditd.conf(5) auditctl(8)

Parameters

The following parameters are available in the auditd class.

lname

Data type: String

An alias for the name variable in the configuration file. This is used since $name is a reserved keyword in Puppet.

Default value: $facts['fqdn']

immutable

Data type: Boolean

Whether or not to make the configuration immutable when using built-in audit profiles. Be aware that, should you choose to make the configuration immutable, you will not be able to change your audit rules without a reboot.

Default value: false

root_audit_level

Data type: Auditd::RootAuditLevel

What level of auditing should be used for su-root activity in built-in audit profiles that provide su-root rules. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options can be, 'basic', 'aggressive', 'insane'. For the 'simp' audit profile, these options are as follows:

• Basic: Safe syscall rules, should not follow program execution outside of the base app
• Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
• Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir

Default value: 'basic'

uid_min

Data type: Integer[0]

The minimum UID for human users on the system. For built-in audit profiles when $ignore_system_services is true, any audit events generated by users below this number will be ignored, unless a corresponding rule is inserted before the UID-limiting rule in the rules list. When using auditd::rule, you can create such a rule by setting the absolute parameter to be 'first'.

Default value: Integer(pick(fact('uid_min'), 1000))

at_boot

Data type: Boolean

If true, modify the Grub settings to enable auditing at boot time. Meets CCE-26785-6

Default value: true

syslog

Data type: Boolean

If true, set up audispd to send logs to syslog. Meets CCE-26933-2

Default value: simplib::lookup('simp_options::syslog', {'default_value' => false })

default_audit_profile

Data type: Optional[Variant[Enum['simp'],Boolean]]

Deprecated by $default_audit_profiles

Default value: undef

default_audit_profiles

Data type: Array[Auditd::AuditProfile]

The built-in audit profile(s) to use to provide global audit rule configuration (error handling, buffer size, etc.) and a base set of audit rules.

• When more than one profile is specified, the profile rules are effectively concatenated in the order the profiles are listed.
• To add rules to the base set, use auditd::rule.
• To manage the audit rules, yourself, set this parameter to [].
• @see auditd::config::audit_profiles for more details about this configuration.

Default value: [ 'simp' ]

service_name

Data type: String[1]

The name of the auditd service.

Default value: 'auditd'

package_name

Data type: String[1]

The name of the auditd package.

Default value: 'audit'

package_ensure

Data type: Simplib::PackageEnsure

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

enable

Data type: Boolean

If true, enable auditing.

Default value: true

log_file

Data type: Stdlib::Absolutepath

Default value: '/var/log/audit/audit.log'

log_format

Data type: Enum['RAW','ENRICHED','NOLOG']

The output log format

• 'NOLOG' is deprecated as of auditd 2.5.2
• 'ENRICHED' is only available in auditd >= 2.6.0

Default value: 'RAW'

log_group

Data type: String

Default value: 'root'

priority_boost

Data type: Integer[0]

Default value: 3

flush

Data type: Auditd::Flush

Default value: 'INCREMENTAL'

freq

Data type: Integer[0]

Default value: 20

num_logs

Data type: Integer[0]

Default value: 5

disp_qos

Data type: Enum['lossy','lossless']

Default value: 'lossy'

dispatcher

Data type: Stdlib::Absolutepath

Default value: '/sbin/audispd'

name_format

Data type: Auditd::NameFormat

Default value: 'USER'

max_log_file

Data type: Integer[0]

Default value: 24

max_log_file_action

Data type: Auditd::MaxLogFileAction

Default value: 'ROTATE'

space_left

Data type: Integer[0]

Default value: +

space_left_action

Data type: Auditd::SpaceLeftAction

Default value: 'SYSLOG'

action_mail_acct

Data type: String[1]

Default value: 'root'

admin_space_left

Data type: Integer[0]

Default value: 50

admin_space_left_action

Data type: Auditd::SpaceLeftAction

Default value: 'SUSPEND'

disk_full_action

Data type: Auditd::DiskFullAction

Default value: 'SUSPEND'

disk_error_action

Data type: Auditd::DiskErrorAction

Default value: 'SUSPEND'

write_logs

Data type: Boolean

Whether or not to write logs to disk.

• The NOLOG option on log_format has been deprecated in newer versions of auditd so this attempts to do "the right thing" when log_format is set to NOLOG for legacy support.

Default value: $log_format

ignore_errors

Data type: Boolean

Whether to set the auditctl '-i' option

Default value: true

ignore_failures

Data type: Boolean

Whether to set the auditctl '-c' option

Default value: true

buffer_size

Data type: Integer[0]

Value of the auditctl '-b' option

Default value: 16384

failure_mode

Data type: Integer[0]

Value of the auditctl '-f' option

Default value: 1

rate

Data type: Integer[0]

Value of the auditctl '-r' option

Default value: 0

ignore_anonymous

Data type: Boolean

For built-in audit profiles, whether to drop anonymous and daemon events, i.e., events for which auid is '-1' (aka '4294967295'). Audit records from these events are prolific but not useful.

Default value: true

ignore_system_services

Data type: Boolean

For built-in audit profiles, whether to ignore system service events, i.e., events for which the auid is set but is less than the minimum UID for human users on the system. In most security guides, this filter is attached to every system call rule. So, by implementing the filter in an upfront drop rule, this feature provides optimization of that filtering.

Default value: true

ignore_crond

Data type: Boolean

For built-in audit profiles, whether to drop events related to cron jobs. cron creates a lot of audit events that are not usually useful.

Default value: true

target_selinux_types

Data type: Optional[Array[Pattern['^.*_t$']]]

A list of SELinux types to target, all others will be dropped

For systems that require all users and processes to be in a confined namespace, you may find that only auditing unconfined types will be sufficient since all other invalid system actions are already audited.

Default value: undef

auditd::config

NOTE: THIS IS A PRIVATE CLASS**

auditd::config::audisp

All parameters are documented in audispd.conf(5) with the exception of $specific_name which maps to the audispd.conf 'name' variable.

Parameters

The following parameters are available in the auditd::config::audisp class.

q_depth

Data type: Integer

Default value: 160

overflow_action

Data type: Auditd::OverflowAction

Default value: 'SYSLOG'

priority_boost

Data type: Integer

Default value: 4

max_restarts

Data type: Integer

Default value: 10

name_format

Data type: Auditd::NameFormat

Default value: 'USER'

specific_name

Data type: String

Default value: $facts['fqdn']

auditd::config::audisp::syslog

This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or (inadvertently) persisted locally. Site-specific, rsyslog actions to implement filtering will likely be required to reduce this message traffic.

As a precaution, to prevent the above overload scenario, this class, by default, inserts a rsyslog action to drop these messages, prior to forwarding to remote syslog servers or writing to local syslog files. You can disable this drop behavior via configuration, but are strongly advised to apply appropriate syslog message filtering before doing so. We also recommend you ensure any forwarded, audit messages are encrypted using the stunnel module, due to the nature of the information carried by these messages.

Parameters

The following parameters are available in the auditd::config::audisp::syslog class.

drop_audit_logs

Data type: Boolean

When set to false, auditd records will be forwarded to remote servers and/or written to local syslog files, as directed by the site rsyslog configuration.

Default value: true

priority

Data type: Auditd::LogPriority

The syslog priority for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file.

Default value: 'LOG_INFO'

facility

Data type: Auditd::LogFacility

The syslog facility for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file. For the older auditd versions used by CentOS6 and CentOS7, must be an empty string, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, or LOG_LOCAL7. An empty string results in LOG_USER and is the ONLY mechanism to specify that facility. No other facilities are allowed.

Default value: 'LOG_LOCAL5'

rsyslog

Data type: Boolean

If set, enable the SIMP rsyslog module and set up the appropriate rules for the auditd services.

• Set to false if you are using some other syslog utility.

Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })

auditd::config::audisp_service

NOTE: THIS IS A PRIVATE CLASS**

Should only be called from audisp processing services.

auditd::config::audit_profiles

NOTE: THIS IS A PRIVATE CLASS**

The configuration generated is contained in a set of files in /etc/audit/rules.d, which augenrules parses for auditd in natural sort order, to create a single /etc/audit/auditd.rules file. The generated files are as follows:

• 00_head.rules: Contains auditctl general configuration to remove existing rules when the rules are reloaded, ignore rule load errors/failures, and set the buffer size, failure mode, and rate limiting
• 05_default_drop.rules: Contains filtering rules for efficiency
  • Rules to drop prolific events of low-utility
  • Rules to restrict events based on auid constraints that would normally be applied to all rules
• 50_*base.rules:
  • Nominal base rules for one or more built-in profiles.
  • One file will exist for each desired, built-in profile
  • Files are named so that the ordering of profiles listed in $auditd::default_audit_profiles is preserved
  • The corresponding class for each profile is auditd::config::audit_profiles::<profile name>
• 60_custom.rules: Custom rules as defined by the auditd::custom_rules parameter if appending
• 75.init.d_auditd.rules:
  • A watch rule for /etc/rc.d/init.d/auditd permissions changes
  • A watch rule for permissions changes to the auditd log file
• 75.rotated_audit_logs.rules
  • Watch rules for permissions changes to the rotated auditd log files
• 99_tail.rules
  • auditctl immutable option, when $auditd::immutable is 'true'

auditd::config::audit_profiles::custom

NO SANITY CHECKING IS PERFORMED ON THE RESULTING RULES

Examples

Passing an Array of Rules

---
auditd::config::audit_profiles::user_specified:
  - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -k unsuccessful_file_operations"
  - "-w /etc/passwd -p wa -k passwd_changes"

Passing an EPP Template

---
auditd::config::audit_profiles::user_specified:
  - "my_templates_module/auditd/my_audit_rules.epp"
  - "This will be ignored"

Passing an ERB Template

---
auditd::config::audit_profiles::user_specified:
  - "my_templates_module/auditd/my_audit_rules.erb"
  - "This will be ignored"

Parameters

The following parameters are available in the auditd::config::audit_profiles::custom class.

rules

Data type: Optional[Array[String[1]]]

An Array of rules that will be joined with a \n and inserted as the complete audit rule set to be applied to the system.

Default value: undef

template

Data type: Optional[String[1]]

A template specification as you would pass to either the epp or erb function

• Specifying both rules and template will result in an error

Default value: undef

auditd::config::audit_profiles::simp

The defaults for this profile generate a set of audit rules that are both usable on most systems and conformant with standard auditing requirements. A few key usage/implementation details about this profile should be noted:

• This profile uses optimized audit rules. Specifically, it
  • Combines system call rules as much as possible
  • By default, uses initial drop rules for the auid filters that would be otherwise applied to all system call rules
  • By default, uses an initial drop rule for cron events that are prolific, but whose audit records are of very limited utility
• Although all security requirements allow optimization of audit rules, most of the automated security scanners do not yet understand audit rule optimizations. So, use of this profile may require explanation of these simple, yet effective, optimizations.
• You may overload your system and/or log server, if you enable the highly-prolific, but limited-utility audit capabilities that have been intentionally disabled, here, despite being required by specific security standards. 'chmod' auditing for all non-service users is an example of such a capability.
• In some cases, the more targeted set of rules for non-service users that have su'd to root may provide a viable subset of required auditing. This targeting filtering is enabled by $audit_su_root_activity and customized by $root_audit_level, $basic_root_audit_syscalls, $aggressive_root_audit_syscalls, and $insane_root_audit_syscalls`.

Parameters

The following parameters are available in the auditd::config::audit_profiles::simp class.

root_audit_level

Data type: Auditd::RootAuditLevel

What level of auditing should be used for su-root activity. Be aware that setting this to anything besides 'basic' may overwhelm your system and/or log server. Options can be, 'basic', 'aggressive', 'insane'

• Basic: Safe syscall rules, should not follow program execution outside of the base app
• Aggressive: Adds syscall rules for execve, rmdir and variants of rename and unlink
• Insane: Adds syscall rules for write, creat and variants of chown, fork, link and mkdir

Default value: $::auditd::root_audit_level

basic_root_audit_syscalls

Data type: Array[String[1]]

Basic syscalls to audit for su-root activity

aggressive_root_audit_syscalls

Data type: Array[String[1]]

Aggressive syscalls to audit for su-root activity

insane_root_audit_syscalls

Data type: Array[String[1]]

Insane syscalls to audit for su-root activity

audit_unsuccessful_file_operations

Data type: Boolean

Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes

Default value: true

audit_unsuccessful_file_operations_tag

Data type: String[1]

The tag to identify the unsuccessful file operations in an audit record

Default value: 'access'

audit_chown

Data type: Boolean

Whether to audit chown operations for all non-service users. These operations are provided by chown, fchown, fchownat, and lchown system calls.

Default value: true

audit_chown_tag

Data type: String[1]

The tag to identify chown operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'chown'

audit_chmod

Data type: Boolean

Whether to audit chmod operations for all non-service users. These operations are provided by chmod, fchmod, and fchmodat system calls.

Default value: false

audit_chmod_tag

Data type: String[1]

The tag to identify chmod operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'chmod'

audit_attr

Data type: Boolean

Whether to audit xattr operations for all non-service users. These operations are provided by setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr and fremovexattr system calls.

Default value: true

audit_attr_tag

Data type: String[1]

The tag to identify xattr operations in an audit record. You should change this to 'perm_mod' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'attr'

audit_rename_remove

Data type: Boolean

Whether to audit rename/remove operations for all non-service users. These operations are provided by rename, renameat, rmdir, unlink, and unlinkat system calls.

Default value: false

audit_rename_remove_tag

Data type: String[1]

The tag to identify rename/remove operations in an audit record

Default value: 'delete'

audit_su_root_activity

Data type: Boolean

Whether to audit other useful actions someone does when su'ing to root. The list of system calls audited is controlled by $root_audit_level.

Default value: true

audit_su_root_activity_tag

Data type: String[1]

The tag to identify su operations in an audit record

Default value: 'su-root-activity'

audit_suid_sgid

Data type: Boolean

Whether to audit setuid/setgid commands. setuid/setgid command execution is audited by a single system call rule.

Default value: true

audit_suid_sgid_tag

Data type: String[1]

The tag to identify setuid/setgid command execution in an audit record. You should change this to 'setuid/setgid' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'suid-root-exec'

audit_kernel_modules

Data type: Boolean

Whether to audit kernel module operations

Default value: true

audit_kernel_modules_tag

Data type: String[1]

The tag to identify kernel module operations in an audit record. You should change this to 'module-change' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'modules'

audit_time

Data type: Boolean

Whether to audit operations that affect system time

Default value: true

audit_time_tag

Data type: String[1]

The tag to identify system time operations in an audit record

Default value: 'audit_time_rules'

audit_locale

Data type: Boolean

Whether to audit operations that affect system locale

Default value: true

audit_locale_tag

Data type: String[1]

The tag to identify system locale operations in an audit record

Default value: 'audit_network_modifications'

audit_mount

Data type: Boolean

Whether to audit mount operations

Default value: true

audit_mount_tag

Data type: String[1]

The tag to identify mount operations in an audit record. You should change this to 'privileged-mount' to match automated DISA STIG compliance checks for RHEL7.

Default value: 'mount'

audit_umask

Data type: Boolean

Whether to audit umask changes

Default value: false

audit_umask_tag

Data type: String[1]

The tag to identify umask changes in an audit record

Default value: 'umask'

audit_local_account

Data type: Boolean

Whether to audit local account changes

Default value: true

audit_local_account_tag

Data type: String[1]

The tag to identify local account changes in an audit record. You should change this to 'identity' to match the automated DISA STIG compliance checks for RHEL7.

Default value: 'audit_account_changes'

audit_selinux_policy

Data type: Boolean

Whether to audit selinux policy changes

Default value: true

audit_selinux_policy_tag

Data type: String[1]

The tag to identify selinux policy changes in an audit record

Default value: 'MAC-policy'

audit_selinux_cmds

Data type: Boolean

Whether to audit chcon, semanage, setsebool, and setfiles commands

Default value: false

audit_selinux_cmds_tag

Data type: String[1]

The tag to identify selinux command execution in an audit record

Default value: 'privileged-priv_change'

audit_login_files

Data type: Boolean

Whether to audit changes to login files

Default value: true

audit_login_files_tag

Data type: String[1]

The tag to identify login file changes in an audit record

Default value: 'logins'

audit_session_files

Data type: Boolean

Whether to audit changes to session files

Default value: true

audit_session_files_tag

Data type: String[1]

The tag to identify session file changes in an audit record

Default value: 'session'

audit_sudoers

Data type: Optional[Boolean]

Deprecated by $audit_cfg_sudoers

Default value: undef

audit_sudoers_tag

Data type: Optional[String[1]]

Deprecated by $audit_cfg_sudoers_tag

Default value: undef

audit_cfg_sudoers

Data type: Boolean

Whether to audit changes to sudoers configuration files

Default value: true

audit_cfg_sudoers_tag

Data type: String[1]

The tag to identify sudoers configuration file changes in an audit record. You should change this to 'privileged-actions' to match the automated DISA STIG compliance checks for RHEL7.

Default value: 'CFG_sys'

audit_grub

Data type: Optional[Boolean]

Deprecated by $audit_cfg_grub

Default value: undef

audit_grub_tag

Data type: Optional[String[1]]

Deprecated by $audit_cfg_grub_tag

Default value: undef

audit_cfg_grub

Data type: Boolean

Whether to audit changes to grub configuration files

Default value: true

audit_cfg_grub_tag

Data type: String[1]

The tag to identify grub configuration file changes in an audit record

Default value: 'CFG_grub'

audit_cfg_sys

Data type: Boolean

Whether to audit changes to key system configuration files not otherwise audited

Default value: true

audit_cfg_sys_tag

Data type: String[1]

The tag to identify changes to key system configuration files not otherwise audited

Default value: 'CFG_sys'

audit_cfg_cron

Data type: Boolean

Whether to audit changes to cron configuration files

Default value: true

audit_cfg_cron_tag

Data type: String[1]

The tag to identify cron configuration file changes in an audit record

Default value: 'CFG_cron'

audit_cfg_shell

Data type: Boolean

Whether to audit changes to global shell configuration files

Default value: true

audit_cfg_shell_tag

Data type: String[1]

The tag to identify global shell configuration file changes in an audit record

Default value: 'CFG_shell'

audit_cfg_pam

Data type: Boolean

Whether to audit changes to pam configuration files

Default value: true

audit_cfg_pam_tag

Data type: String[1]

The tag to identify pam configuration file changes in an audit record

Default value: 'CFG_pam'

audit_cfg_security

Data type: Boolean

Whether to audit changes to /etc/security

Default value: true

audit_cfg_security_tag

Data type: String[1]

The tag to identify /etc/security file changes in an audit record

Default value: 'CFG_security'

audit_cfg_services

Data type: Boolean

Whether to audit changes to /etc/services

Default value: true

audit_cfg_services_tag

Data type: String[1]

The tag to identify /etc/services file changes in an audit record

Default value: 'CFG_services'

audit_cfg_xinetd

Data type: Boolean

Whether to audit changes to xinetd configuration files

Default value: true

audit_cfg_xinetd_tag

Data type: String[1]

The tag to identify xinetd configuration file changes in an audit record

Default value: 'CFG_xinetd'

audit_yum

Data type: Optional[Boolean]

Deprecated by $audit_cfg_yum

Default value: undef

audit_yum_tag

Data type: Optional[String[1]]

Deprecated by $audit_cfg_yum_tag

Default value: undef

audit_cfg_yum

Data type: Boolean

Whether to audit changes to yum configuration files

Default value: true

audit_cfg_yum_tag

Data type: String[1]

The tag to identify yum configuration file changes in an audit record

Default value: 'yum-config'

audit_yum_cmd

Data type: Boolean

Whether to audit yum command execution

Default value: false

audit_yum_cmd_tag

Data type: String[1]

The tag to identify yum command execution in an audit record

Default value: 'package_changes'

audit_rpm_cmd

Data type: Boolean

Whether to audit rpm command execution

Default value: false

audit_rpm_cmd_tag

Data type: String[1]

The tag to identify rpm command execution in an audit record

Default value: 'package_changes'

audit_ptrace

Data type: Boolean

Whether to audit ptrace system calls

Default value: true

audit_ptrace_tag

Data type: String[1]

The tag to identify ptrace system calls in an audit record

Default value: 'paranoid'

audit_personality

Data type: Boolean

Whether to audit personality system calls

Default value: true

audit_personality_tag

Data type: String[1]

The tag to identify personality system calls in an audit record

Default value: 'paranoid'

audit_passwd_cmds

Data type: Boolean

Whether to audit the execution of password commands, i.e., passwd, unix_chkpwd, gpasswd, chage, userhelper

Default value: true

audit_passwd_cmds_tag

Data type: String[1]

The tag to identify password command execution in an audit record

Default value: 'privileged-passwd'

audit_priv_cmds

Data type: Boolean

Whether to audit the execution of privilege-related commands, i.e., su, sudo, newgrp, chsh, and sudoedit

Default value: true

audit_priv_cmds_tag

Data type: String[1]

The tag to identify privilege-related command execution in an audit record

Default value: 'privileged-priv_change'

audit_postfix_cmds

Data type: Boolean

Whether to audit the execution of postfix-related commands, i.e. postdrop and postqueue

Default value: true

audit_postfix_cmds_tag

Data type: String[1]

The tag to identify postfix-related command execution in an audit record

Default value: 'privileged-postfix'

audit_ssh_keysign_cmd

Data type: Boolean

Whether to audit the execution of the ssh-keysign command

Default value: true

audit_ssh_keysign_cmd_tag

Data type: String[1]

The tag to identify ssh-keysign command execution in an audit record

Default value: 'privileged-ssh'

audit_crontab_cmd

Data type: Boolean

Whether to audit the execution of the crontab command

Default value: true

audit_crontab_cmd_tag

Data type: String[1]

The tag to identify crontab command execution in an audit record

Default value: 'privileged-cron'

audit_pam_timestamp_check_cmd

Data type: Boolean

Whether to audit the execution of the pam_timestamp_check command

Default value: true

audit_pam_timestamp_check_cmd_tag

Data type: String[1]

The tag to identify pam_timestamp_check command execution in an audit record

Default value: 'privileged-pam'

auditd::config::audit_profiles::stig

The defaults for this profile generate a set of audit rules that conform to automated DISA STIG compliance checks for RHEL7. Satisfying the checks, instead of the intent of the security requirements, necessitates unoptimized rules. These unoptimized rules, in turn, negatively impact system performance.

WARNING: These rules may overload your system and/or log server!

When auditd performance is an issue, you may wish to

• Disable capabilities that, despite being required by DISA STIG for RHEL7, produce large amounts audit records of limited utility. chmod auditing for all non-service users falls in this category.

• Use the optimized 'auditd::config::audit_profiles::simp' profile, instead. That profile is more comprehensive and performant.

Parameters

The following parameters are available in the auditd::config::audit_profiles::stig class.

uid_min

Data type: Integer[0]

The minimum UID for human users on the system. Any audit events generated by users below this number will be ignored unless a corresponding rule is inserted before the UID-limiting rule in the rules list. When using auditd::rule, you can create such a rule by setting the absolute parameter to be 'first'.

Default value: $::auditd::uid_min

audit_unsuccessful_file_operations

Data type: Boolean

Whether to audit unsuccessful file operations. These are file operations that fail with EACCES or EPERM error codes

Default value: true

audit_unsuccessful_file_operations_tag

Data type: String[1]

The tag to identify the unsuccessful file operations in an audit record

Default value: 'access'

audit_chown

Data type: Boolean

Whether to audit chown operations for all non-service users. These operations are provided by chown, fchown, fchownat, and lchown system calls.

Default value: true

audit_chown_tag

Data type: String[1]

The tag to identify chown operations in an audit record

Default value: 'perm_mod'

audit_chmod

Data type: Boolean

Whether to audit chmod operations for all non-service users. These operations are provided by chmod, fchmod, and fchmodat system calls.

Default value: true

audit_chmod_tag

Data type: String[1]

The tag to identify chmod operations in an audit record

Default value: 'perm_mod'

audit_attr

Data type: Boolean

Whether to audit xattr operations for all non-service users. These operations are provided by setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr and fremovexattr system calls.

Default value: true

audit_attr_tag

Data type: String[1]

The tag to identify xattr operations in an audit record

Default value: 'perm_mod'

audit_rename_remove

Data type: Boolean

Whether to audit rename/remove operations for all non-service users. These operations are provided by rename, renameat, rmdir, unlink, and unlinkat system calls.

Default value: true

audit_rename_remove_tag

Data type: String[1]

The tag to identify rename/remove operations in an audit record

Default value: 'delete'

audit_suid_sgid

Data type: Boolean

Whether to audit setuid/setgid commands

Default value: true

default_suid_sgid_cmds

Data type: Array[String[1]]

The default list of setuid/setgid commands to be audited.

• Should not include commands audited by other rules.

suid_sgid_cmds

Data type: Array[String[1]]

Additional list of setuid/setgid commands to be audited. You can use this to augment the $default_suid_sgid_cmds per your site's needs.

Default value: []

audit_suid_sgid_tag

Data type: String[1]

The tag to identify setuid/setgid command execution in an audit record

Default value: 'setuid/setgid'

audit_kernel_modules

Data type: Boolean

Whether to audit kernel module operations

Default value: true

audit_kernel_modules_tag

Data type: String[1]

The tag to identify kernel module operations in an audit record

Default value: 'module-change'

audit_mount

Data type: Boolean

Whether to audit mount operations

Default value: true

audit_mount_tag

Data type: String[1]

The tag to identify mount operations in an audit record

Default value: 'privileged-mount'

audit_local_account

Data type: Boolean

Whether to audit local account changes

Default value: true

audit_local_account_tag

Data type: String[1]

The tag to identify local account changes in an audit record

Default value: 'identity'

audit_selinux_cmds

Data type: Boolean

Whether to audit chcon, semanage, setsebool, and setfiles commands

Default value: true

audit_selinux_cmds_tag

Data type: String[1]

The tag to identify selinux command execution in an audit record

Default value: 'privileged-priv_change'

audit_login_files

Data type: Boolean

Whether to audit changes to login files

Default value: true

audit_login_files_tag

Data type: String[1]

The tag to identify login file changes in an audit record

Default value: 'logins'

audit_cfg_sudoers

Data type: Boolean

Whether to audit changes to sudoers configuration files

Default value: true

audit_cfg_sudoers_tag

Data type: String[1]

The tag to identify sudoers configuration file changes in an audit record

Default value: 'privileged-actions'

audit_passwd_cmds

Data type: Boolean

Whether to audit the execution of password commands, i.e., passwd, unix_chkpwd, gpasswd, chage, userhelper

Default value: true

audit_passwd_cmds_tag

Data type: String[1]

The tag to identify password command execution in an audit record

Default value: 'privileged-passwd'

audit_priv_cmds

Data type: Boolean

Whether to audit the execution of privilege-related commands, i.e., su, sudo, newgrp, chsh, and sudoedit

Default value: true

audit_priv_cmds_tag

Data type: String[1]

The tag to identify privilege-related command execution in an audit record

Default value: 'privileged-priv_change'

audit_postfix_cmds

Data type: Boolean

Whether to audit the execution of postfix-related commands, i.e. postdrop and postqueue

Default value: true

audit_postfix_cmds_tag

Data type: String[1]

The tag to identify postfix-related command execution in an audit record

Default value: 'privileged-postfix'

audit_ssh_keysign_cmd

Data type: Boolean

Whether to audit the execution of the ssh-keysign command

Default value: true

audit_ssh_keysign_cmd_tag

Data type: String[1]

The tag to identify ssh-keysign command execution in an audit record

Default value: 'privileged-ssh'

audit_crontab_cmd

Data type: Boolean

Whether to audit the execution of the crontab command

Default value: true

audit_crontab_cmd_tag

Data type: String[1]

The tag to identify crontab command execution in an audit record

Default value: 'privileged-cron'

audit_pam_timestamp_check_cmd

Data type: Boolean

Whether to audit the execution of the pam_timestamp_check command

Default value: true

audit_pam_timestamp_check_cmd_tag

Data type: String[1]

The tag to identify pam_timestamp_check command execution in an audit record

Default value: 'privileged-pam'

auditd::config::grub

Enables/disables auditing at boot time.

Parameters

The following parameters are available in the auditd::config::grub class.

enable

Data type: Boolean

Enable auditing in the kernel at boot time.

Default value: true

auditd::config::logging

NOTE: THIS IS A PRIVATE CLASS**

auditd::install

NOTE: THIS IS A PRIVATE CLASS**

auditd::service

NOTE: THIS IS A PRIVATE CLASS**

Parameters

The following parameters are available in the auditd::service class.

ensure

Data type: Any

ensure state from the service resource

Default value: 'running'

enable

Data type: Any

enable state from the service resource

Default value: true

Defined types

auditd::rule

All rules must be uniquely named. See auditctl(8) for more information on how to write the content for these rules.

• Overrides all other ordering parameters

Parameters

The following parameters are available in the auditd::rule defined type.

name

A unique identifier for the audit rules.

content

Data type: Variant[Array[String[1]],String[1]]

The content of the rules that should be added.

• Arrays will be joined with a newline

order

Data type: Optional[String[1]]

An alphanumeric (file system ordering) order string

Default value: undef

first

Data type: Boolean

Set this to 'true' if you want to prepend your custom rules (numeric 10)

Default value: false

absolute

Data type: Boolean

Set this to true if you want the added rules to be absolutely first or last depending on the setting of $first.

Default value: false

prepend

Data type: Boolean

Prepend this rule to all other rules (numeric 00).

Default value: false

Functions

auditd::get_array_index

Type: Ruby 4.x API

Terminates catalog compilation if the element is not found within the array.

auditd::get_array_index(String $element, Array $array, Optional[Integer] $min_digits)

Terminates catalog compilation if the element is not found within the array.

Returns: String Index of element in array represented as a string

Raises:

• RuntimeError if element is not found within array

element

Data type: String

The element

array

Data type: Array

The array

min_digits

Data type: Optional[Integer]

The minimum number of digits the index should be. It will be '0'-padded to meet this number.

• Thu May 02 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.3.1-0

• Fix a breaking change inadvertantly introduced into auditd::rule in which the auditd class was no longer included when an auditd::rule was defined in a manifest.

• Thu Apr 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.3.0-0

• Added a custom audit profile that accepts either an Array of rules or a template path for ease of setting full rulesets via Hiera.
• Updated all module components for puppet strings
• Fixed the README
• Added a REFERENCE.md
• Refactored the filename logic in the base profiles to be simpler
• Converted the rule template to EPP
• Converted the rotated_audit_logs template to EPP
• Converted STIG audit profile template to EPP
• Converted SIMP audit profile template to EPP

• Wed Apr 10 2019 Joseph Sharkey shark.bruhaha@gmail.com - 8.2.1-0

• Ensure that space_left is always larger than admin_space_left
• Updated tests in support of puppet6, and removed puppet4 support
• Updated puppet template scope API from 3 to newer

• Sat Apr 06 2019 Jim Anderson thesemicolons@protonmail.com - 8.2.1-0

• config.pp now managed /etc/audit in addition to /etc/audit/rules.d. The permissions and ownership of the two directories should be the same. Both directories use purge and recurse.

• Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 8.2.1-0

• Use Puppet Integer in lieu of simplib's deprecated Puppet 3 to_integer
• Expanded the upper limit of the stdlib Puppet module version
• Updated a URL in the README.md

• Tue Jan 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0

• Allow users to optimize their audit processing by only collecting on specific SELinux types

• Fri Jan 11 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 8.2.0-0

• Add restorecon audit for STIG profile

• Fri Nov 16 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0-0

• Update to remove potentially redundant test code and use the updated simp-beaker-helpers

• Thu Nov 15 2018 Mark Leary leary.mark@gmail.com - 8.1.1-0

• Revert back to using the native service provider for the auditd service since puppet fixed the service handling.

• Wed Oct 31 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0

• Allow users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
• Add a write_logs opttion to the auditd_class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
• Add support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.

• Tue Oct 16 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 8.1.0-0

• Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.
  • herculesteam/augeasproviders_grub
  • simp/rsyslog

• Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 8.1.0-0

• Changed the $package_ensure parameter from 'latest' to 'installed'
• It will also respect simp_options::package_ensure

• Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.1.0-0

• Update Hiera 4 to Hiera 5

• Fri Jul 27 2018 Brandon Ess brandon.ess@gmail.com - 8.1.0-0

• Align group ownership of the auditd log directories with the setting for auditd itself so that the designated group can access the log files.

• Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0

• Updated to work with Puppet 5 and OEL

• Fri Jul 06 2018 Trey Dockendorf tdockendorf@osc.edu - 8.0.1-0

• Allow lowercase values for several parameters in accordance with the man pages and SCAP expectations.

• Thu Jun 21 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.0.0-0

• Added ability to select one or more audit profiles. When multiple profiles are selected, their rules are effectively concatenated in the order in which the profiles are listed in auditd::default_audit_profiles.
• The following API Changes were made in support of multiple audit profiles:
  • $::auditd::$default_audit_profile has been deprecated by $::auditd::$default_audit_profiles
  • auditd::config and auditd::config::audit_profiles::simp classes are now private. In the unlikely event that you included just these classes in your manifest, you must now include auditd instead.
  • The following auditctl global configuration options that were in auditd::config::audit_profiles::simp are now in the auditd class, instead: $ignore_errors, $ignore_anonymous, $ignore_system_services, and $ignore_crond. They were moved because they are now applied to the set of audit profiles selected, not just the 'simp' audit profile.
  • The following auditd::config::audit_profiles::simp class parameters have been deprecated for clarity:
    • $audit_sudoers has been deprecated by $audit_cfg_sudoers
    • $audit_sudoers_tag has been deprecated by $audit_cfg_sudoers
    • $audit_grub has been deprecated by $audit_cfg_grub
    • $audit_grub_tag has been deprecated by $audit_cfg_grub_tag
    • $audit_yum has been deprecated by $audit_cfg_yum
    • $audit_yum_tag has been deprecated by $audit_cfg_yum_tag
  • Some previously hard-coded, internal configuration is now exposed as data-in-modules.
• Added 'stig' audit profile which manages rules that match DISA STIG checks, exactly.
  • For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
• Fixed bugs in 'simp' audit profile
  • Fixed umask syscall rules. These rules require arch filters.
  • Fixed clock_settime syscall rules. Per the sample STIG audit rules packaged in the auditd RPM, these rules require an 'a0' filter.
  • Fixed bug in which /var/log/tallylog was grouped with session instead of logins.
  • Fixed bug in which the /etc/pam.d watch rule had the wrong tag
• Updated 'simp' audit profile settings for DISA STIG.
  • Expanded the list of successful syscall operations audited.
  • Expanded the list of module syscall operations audited
  • Added an option to monitor selinux commands, (i.e., chcon, semanage, setfiles, setsebool)
  • Added an option to audit the execution of password commands ('passwd', 'unix_chkpwd', 'gpasswd', 'chage', 'userhelper')
  • Added an option to audit the execution of privilege-related commands ('su', 'sudo', 'newgrp', 'chsh', 'sudoedit')
  • Added an option to audit the execution of postfix-related commands ('postdrop', 'postqueue')
  • Added an option to audit the execution of the 'ssh-keysign' command
  • Added an option to audit the execution of the 'crontab' command
  • Added an option to audit the execution of the 'pam_timestamp_check' command
  • Added an option to audit the execution of rename/remove operations for non-service users (rename', 'renameat', rmdir', 'unlink', and 'unlinkat')
  • Added watch rules for /etc/hostname and /etc/NetworkManager (for centos7) pulled from the sample STIG audit rules packaged in the auditd RPM.
  • For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)

• Mon Mar 26 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.3-0

• Work around RPM upgrade issue with nodeset link in compliance acceptance test suite.

• Tue Jan 09 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 7.1.3-0

• Updated compliance suite to use new inspec profile, https://github.com/simp/inspec-profile-disa_stig-el7
• Removed the el6 nodeset from the compliance suite; there are no simp-supported el6 inspec profiles at this time.
• Ensured git installed as it's a dependency of our inspec profiles

• Mon Nov 13 2017 Nick Miller nick.miller@onyxpoint.com - 7.1.2-0

• /var/run/faillock should be tagged under 'login'

• Thu Aug 31 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.1-0

• Adjust audit.rules mode per inspec testing

• Mon Aug 21 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0-0

• Updated to use augeasproviders_grub 3
• Added the ability to log calls to the 'rpm' and 'yum' commands

• Mon May 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2-0

• Fix bug whereby audit.rules file was not being regenerated prior to auditd service start in CentOS/RedHat 6.
• Update puppet version in metadata.json

• Mon Mar 27 2017 Nicholas Hughes nicholasmhughes@github.com - 7.0.1-0

• Audit kernel module tools from /usr/bin as well as /bin and /sbin
• Correct auditing /var/log/tallylock, it should have been /var/log/tallylog

• Thu Feb 22 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0

• Changed auditd::failure_mode to '1' by default since the compliant audit rules were causing routine system restarts. The new value will default to sending printk messages when the buffer is full.
• Changed all rules that were exit,always to be always,exit

• Tue Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

• In response to the DISA STIG Requirements
  • Added 'open_by_handle_at' to the 'access' key
  • Added watches on /varlog/faillock and /var/log/tallylock
  • Added watches on /usr/sbin/insmod and /bin/kmod
  • Added permissions modification notification for 'chmod'
• Renamed auditd::add_rules to auditd::rule
• Split the audit permissions rules into separate lines
• Disabled chmod auditing by default

• Mon Dec 26 2016 Ralph Wright rwright@onyxpoint.com - 7.0.0-0
• Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

• Refactor to work in Puppet 4 Changes
• Updated acceptance tests

• Mon Dec 12 2016 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0

• Update version to reflect SIMP6 dependencies

• Fri Dec 09 2016 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0

• Updated global catalysts
• Changed default log facility to local5.
• Added a drop rule for crond events

• Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.1.2-0

• Minor cleanup

• Mon Sep 26 2016 Jeanne Greulich, Liz Nemsick - 5.1.0-0

• Allow user to specify syslog facility and priority for audit record messages.
• Allow user to enable/disable audit record syslog messaging independent of the presence of forwarding logging servers.
• Added a file resource to detect and fix incorrect permissions on the /var/log/audit/audit.log file.

• Mon Aug 29 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.4-0

• Added booleans to toggle sections of audit rules.

• Tue Jul 26 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 5.0.3-0

• Fix for strict_variables failure

• Wed Jul 06 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.2-0

• Added a default audit rule for 'renameat', per CCE-26651-0.
• Added an auditd_version fact.
• Updated validation for *_action lists to differentiate between auditd versions.
• Updated module to use new rake helper to auto-gen .spec file.

• Thu May 19 2016 nicholasmhughes nicholasmhughes@gmail.com - 5.0.1-0

• Change btmp and wtmp locations to /var/log
• Support dynamic audit log locations

• Thu Feb 18 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-4

• Added compliance function support

• Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-3

• Ensure that the ::auditd::add_rules define does not run if $::auditd::enable_auditing is false.

• Thu Nov 19 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-2

• Full migration to simplib, removed common and functions.

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1

• migration to simplib and simpcat (lib/ only)

• Tue Oct 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Module refactor to the new SIMP standard
• Fixes for the audit dispatcher and syslog connections

• Mon Sep 07 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-13

• Updated facts from $::lsbmajdistrelease to $::operatingsystemmajrelease.

• Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-12

• Updated to use the new rsyslog module.

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

• Changed puppet-server requirement to puppet

• Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Updated auditd::to_syslog to support multiple log servers and support for native TLS.

• Sat Sep 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Fixed a missing rule for RHEL<7 that did not properly drop all of the useless audit data.

• Sat Aug 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Updated to use the new reboot_notify native type.

• Sun Jul 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Updated to support both grub and grub2
• Fixed a bug in the audit ruleset where the initial drop rule was set to drop everything that was not anonymous.
• Added support for /etc/audit/rules.d for RHEL7 systems.

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

• Removed MD5 file checksums for FIPS compliance.

• Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

• Pointed concat fragment auditd+head at the correct template!
• Updated to support RHEL7

• Wed May 21 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

• Added the ability to put rules before the default rule body in audit.rules.
• Added validation to add_rules.pp.

• Fri Mar 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• The template for auditing the rotated audit logs had a one-off error preventing the audit of the last rotated log.
• Spec tests were added.

• Fri Mar 14 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

• Added class for auditing grub.

• Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1

• Converted all string booleans to native booleans.

• Mon Nov 04 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• Added support for audispd based on patches provided by Raymond Page raymond.page@icat.us.
• Removed the old rsyslog file tap on audit.log.
• Folded the auditd::conf define into the auditd main class since parameterized classes eliminate the need for the define.
  • Breaking Change

• Mon Oct 28 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-11

• Updated the audit base rules to compress and reorder many of the rules to allow for greater processing efficiency.
• Added checks for kernel module manipulation in accordance with CCE-26610-6.
• Mapped all audit rules to their associated SSG rules in the file template.

• Thu Oct 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-11

• Updated templates to reference instance variables with @

• Wed Jul 17 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-10

• Removed the sgid binary check in the audit rules because it doesn't actually make any sense.

• Thu Jun 27 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-9

• Added audit rules to catch the execution of sgid and suid binaries.
• Added the ability to rate limit the auditd messages. If you use this, you probably want to change the failure mode to 1.
• Added the ability to ignore failures in the audit configuration and continue and set it to true by default. Since the rules are automatically managed, the likelihood of one being wrong is fairly high. Also, rules will fail if a file doesn't exist which isn't all that helpful.
• Removed the watch on /proc/kcore since it wasn't really helpful and was throwing SELinux AVC's on startup.
• Added default auditing to /etc/yum.conf and /etc/yum.repos.d

• Tue Apr 09 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-8

• Skip any rule that does not load properly so that we have as much of the configuration active as possible.

• Thu Dec 13 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-7

• Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.

• Fri Nov 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6

• Added a cucumber test to ensure that the auditd daemon starts when including audit in the puppet server manifest.

• Tue Sep 18 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-5

• Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.

• Thu Jun 07 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-4

• Ensure that Arrays in templates are flattened.
• Call facts as instance variables.
• Moved mit-tests to /usr/share/simp...
• Moved rsyslog module inclusion from init.pp to to_syslog.pp where it is used.
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-3

• Improved test stubs.

• Mon Jan 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2

• Removed all references to 'entry' rules since they are deprecated.
• Removed the watch rule for /etc/firmware since it was removed in RHEL6 and pretty much useless anyway.
• Added test stubs

• Mon Dec 26 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1

• Scoped all of the top level variables.

• Fri Oct 28 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

• Removed the base audit of /etc/ldap.conf since it was redundant.

• Mon Oct 10 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3

• Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

• Thu Mar 17 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2

• Modified several audit rules to be a bit more complete and to conform to some of the Red Hat syntax standards.

• Fri Feb 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1

• Updated to use concat_build and concat_fragment types.

• Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jul 28 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1

• More code refactoring
• Made log_file configurable in to_syslog define.

• Wed May 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0

• Code + doc refactor

• Wed May 12 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-12

• Added the option $root_audit_level to auditd::conf
  • The allowed strings are basic(default), aggressive, insane
    • Basic(default): Safe, should not follow program execution outside of the base app
    • Aggressive: Adds execve
    • Insane: Adds fork, vfork, write, chown, creat, link, mkdir, rmdir

• Fri Feb 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-11

• Removed watch on /etc. That was a very bad rule.

• Tue Dec 15 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-10

• Audit rules now properly handle 64 and 32 bit architectures (for now). Previously, the 64 bit calls were not handled properly.