auditd

A SIMP puppet module for managing auditd and audispd

Project URL RSS Feed Report issues

Module Stats

55,760 downloads

1,291 latest version

4.5 quality score

Version information

released Nov 16th 2018

This version is compatible with:

Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
Puppet >= 4.10.4 < 6.0.0
, ,

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'simp-auditd', '8.1.1'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-auditd

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-auditd --version 8.1.1

Tags: auditd, simp, audispd

Documentation

simp/auditd — version 8.1.1 Nov 16th 2018

Overview
This is a SIMP module
Module Description
Setup
- Setup Requirements
- What Auditd Affects
Usage
- Basic Usage
- Disabling Auditd
  - Changing Key Values
Limitations
- Development
  - Acceptance tests

Overview

This module manages the Audit daemon, kernel parameters, and related subsystems.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.

Module Description

You can use this module for the management of all components of auditd including configuration, service management, kernel parameters, and custom rule sets.

By default, a rule set is provided that should meet a reasonable set of operational goals for most environments.

The audit kernel parameter may optionally be managed independently of the rest of the module using the ::auditd::config::grub class.

Setup

Setup Requirements

If auditd::syslog is true, you will need to install simp/rsyslog as a dependency.

What Auditd Affects

The audit kernel parameter
- NOTE: This will be applied to all kernels in your standard grub configuration
The auditd service
The audid configuration in /etc/auditd.conf
The auditd rules in /etc/audit/rules.d
The audispd configuration in /etc/audisp/audispd.conf
The audispd syslog configuration in /etc/audisp/plugins.d/syslog.conf

Usage

Basic Usage

# Set up auditd with the default settings
# A message will be printed indicating that you need to reboot for this option
# to take full effect at each Puppet run until you reboot your system.

include '::auditd'

Disabling Auditd

To disable auditd at boot, set the following in hieradata:

auditd::at_boot : false

Changing Key Values

To override the default values included in the module, you can either include new values for the keys at the time that the classes are declared, or set the values in hieradata:


class { '::auditd':
  ignore_failures => true,
  log_group       => 'root',
  flush           => 'INCREMENTAL'
}

auditd::ignore_failures: true
auditd::log_group: 'root'
auditd::flush: 'INCREMENTAL'

Limitations

SIMP Puppet modules are generally intended to be used on a Redhat Enterprise Linux-compatible distribution such as EL6 and EL7.

Development

Please read our Contribution Guide

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle exec rake beaker:suites

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes

BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.
BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.

Please refer to the SIMP Beaker Helpers documentation for more information.

Thu Nov 15 2018 Mark Leary leary.mark@gmail.com - 8.1.1-0

Revert back to using the native service provider for the auditd service since puppet fixed the service handling.

Wed Oct 31 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0

Allow users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
Add a write_logs opttion to the auditd_class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
Add support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.

Tue Oct 16 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 8.1.0-0

Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.
- herculesteam/augeasproviders_grub
- simp/rsyslog

Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 8.1.0-0

Changed the $package_ensure parameter from 'latest' to 'installed'
It will also respect simp_options::package_ensure

Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.1.0-0

Update Hiera 4 to Hiera 5

Fri Jul 27 2018 Brandon Ess brandon.ess@gmail.com - 8.1.0-0

Align group ownership of the auditd log directories with the setting for auditd itself so that the designated group can access the log files.

Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0

Updated to work with Puppet 5 and OEL

Fri Jul 06 2018 Trey Dockendorf tdockendorf@osc.edu - 8.0.1-0

Allow lowercase values for several parameters in accordance with the man pages and SCAP expectations.

Thu Jun 21 2018 Liz Nemsick lnemsick.simp@gmail.com - 8.0.0-0

Added ability to select one or more audit profiles. When multiple profiles are selected, their rules are effectively concatenated in the order in which the profiles are listed in auditd::default_audit_profiles.
The following API Changes were made in support of multiple audit profiles:
- $::auditd::$default_audit_profile has been deprecated by $::auditd::$default_audit_profiles
- auditd::config and auditd::config::audit_profiles::simp classes are now private. In the unlikely event that you included just these classes in your manifest, you must now include auditd instead.
- The following auditctl global configuration options that were in auditd::config::audit_profiles::simp are now in the auditd class, instead: $ignore_errors, $ignore_anonymous, $ignore_system_services, and $ignore_crond. They were moved because they are now applied to the set of audit profiles selected, not just the 'simp' audit profile.
- The following auditd::config::audit_profiles::simp class parameters have been deprecated for clarity:
  - $audit_sudoers has been deprecated by $audit_cfg_sudoers
  - $audit_sudoers_tag has been deprecated by $audit_cfg_sudoers
  - $audit_grub has been deprecated by $audit_cfg_grub
  - $audit_grub_tag has been deprecated by $audit_cfg_grub_tag
  - $audit_yum has been deprecated by $audit_cfg_yum
  - $audit_yum_tag has been deprecated by $audit_cfg_yum_tag
- Some previously hard-coded, internal configuration is now exposed as data-in-modules.
Added 'stig' audit profile which manages rules that match DISA STIG checks, exactly.
- For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
Fixed bugs in 'simp' audit profile
- Fixed umask syscall rules. These rules require arch filters.
- Fixed clock_settime syscall rules. Per the sample STIG audit rules packaged in the auditd RPM, these rules require an 'a0' filter.
- Fixed bug in which /var/log/tallylog was grouped with session instead of logins.
- Fixed bug in which the /etc/pam.d watch rule had the wrong tag
Updated 'simp' audit profile settings for DISA STIG.
- Expanded the list of successful syscall operations audited.
- Expanded the list of module syscall operations audited
- Added an option to monitor selinux commands, (i.e., chcon, semanage, setfiles, setsebool)
- Added an option to audit the execution of password commands ('passwd', 'unix_chkpwd', 'gpasswd', 'chage', 'userhelper')
- Added an option to audit the execution of privilege-related commands ('su', 'sudo', 'newgrp', 'chsh', 'sudoedit')
- Added an option to audit the execution of postfix-related commands ('postdrop', 'postqueue')
- Added an option to audit the execution of the 'ssh-keysign' command
- Added an option to audit the execution of the 'crontab' command
- Added an option to audit the execution of the 'pam_timestamp_check' command
- Added an option to audit the execution of rename/remove operations for non-service users (rename', 'renameat', rmdir', 'unlink', and 'unlinkat')
- Added watch rules for /etc/hostname and /etc/NetworkManager (for centos7) pulled from the sample STIG audit rules packaged in the auditd RPM.
- For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)

Mon Mar 26 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.3-0

Work around RPM upgrade issue with nodeset link in compliance acceptance test suite.

Tue Jan 09 2018 Nick Markowski nicholas.markowski@onyxpoint.com - 7.1.3-0

Updated compliance suite to use new inspec profile, https://github.com/simp/inspec-profile-disa_stig-el7
Removed the el6 nodeset from the compliance suite; there are no simp-supported el6 inspec profiles at this time.
Ensured git installed as it's a dependency of our inspec profiles

Mon Nov 13 2017 Nick Miller nick.miller@onyxpoint.com - 7.1.2-0

/var/run/faillock should be tagged under 'login'

Thu Aug 31 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.1-0

Adjust audit.rules mode per inspec testing

Mon Aug 21 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0-0

Updated to use augeasproviders_grub 3
Added the ability to log calls to the 'rpm' and 'yum' commands

Mon May 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2-0

Fix bug whereby audit.rules file was not being regenerated prior to auditd service start in CentOS/RedHat 6.
Update puppet version in metadata.json

Mon Mar 27 2017 Nicholas Hughes nicholasmhughes@github.com - 7.0.1-0

Audit kernel module tools from /usr/bin as well as /bin and /sbin
Correct auditing /var/log/tallylock, it should have been /var/log/tallylog

Thu Feb 22 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0

Changed auditd::failure_mode to '1' by default since the compliant audit rules were causing routine system restarts. The new value will default to sending printk messages when the buffer is full.
Changed all rules that were exit,always to be always,exit

Tue Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

In response to the DISA STIG Requirements
- Added 'open_by_handle_at' to the 'access' key
- Added watches on /varlog/faillock and /var/log/tallylock
- Added watches on /usr/sbin/insmod and /bin/kmod
- Added permissions modification notification for 'chmod'
Renamed auditd::add_rules to auditd::rule
Split the audit permissions rules into separate lines
Disabled chmod auditing by default

Mon Dec 26 2016 Ralph Wright rwright@onyxpoint.com - 7.0.0-0
Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

Refactor to work in Puppet 4 Changes
Updated acceptance tests

Mon Dec 12 2016 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0

Update version to reflect SIMP6 dependencies

Fri Dec 09 2016 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0

Updated global catalysts
Changed default log facility to local5.
Added a drop rule for crond events

Tue Nov 22 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.1.2-0

Minor cleanup

Mon Sep 26 2016 Jeanne Greulich, Liz Nemsick - 5.1.0-0

Allow user to specify syslog facility and priority for audit record messages.
Allow user to enable/disable audit record syslog messaging independent of the presence of forwarding logging servers.
Added a file resource to detect and fix incorrect permissions on the /var/log/audit/audit.log file.

Mon Aug 29 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.4-0

Added booleans to toggle sections of audit rules.

Tue Jul 26 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 5.0.3-0

Fix for strict_variables failure

Wed Jul 06 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.2-0

Added a default audit rule for 'renameat', per CCE-26651-0.
Added an auditd_version fact.
Updated validation for *_action lists to differentiate between auditd versions.
Updated module to use new rake helper to auto-gen .spec file.

Thu May 19 2016 nicholasmhughes nicholasmhughes@gmail.com - 5.0.1-0

Change btmp and wtmp locations to /var/log
Support dynamic audit log locations

Thu Feb 18 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-4

Added compliance function support

Thu Dec 24 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-3

Ensure that the ::auditd::add_rules define does not run if $::auditd::enable_auditing is false.

Thu Nov 19 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-2

Full migration to simplib, removed common and functions.

Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1

migration to simplib and simpcat (lib/ only)

Tue Oct 20 2015 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

Module refactor to the new SIMP standard
Fixes for the audit dispatcher and syslog connections

Mon Sep 07 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-13

Updated facts from $::lsbmajdistrelease to $::operatingsystemmajrelease.

Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-12

Updated to use the new rsyslog module.

Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

Migrated to the new 'simp' environment.

Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

Changed puppet-server requirement to puppet

Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

Updated auditd::to_syslog to support multiple log servers and support for native TLS.

Sat Sep 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

Fixed a missing rule for RHEL<7 that did not properly drop all of the useless audit data.

Sat Aug 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

Updated to use the new reboot_notify native type.

Sun Jul 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

Updated to support both grub and grub2
Fixed a bug in the audit ruleset where the initial drop rule was set to drop everything that was not anonymous.
Added support for /etc/audit/rules.d for RHEL7 systems.

Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

Removed MD5 file checksums for FIPS compliance.

Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

Pointed concat fragment auditd+head at the correct template!
Updated to support RHEL7

Wed May 21 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

Added the ability to put rules before the default rule body in audit.rules.
Added validation to add_rules.pp.

Fri Mar 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

The template for auditing the rotated audit logs had a one-off error preventing the audit of the last rotated log.
Spec tests were added.

Fri Mar 14 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

Added class for auditing grub.

Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1

Converted all string booleans to native booleans.

Mon Nov 04 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

Added support for audispd based on patches provided by Raymond Page raymond.page@icat.us.
Removed the old rsyslog file tap on audit.log.
Folded the auditd::conf define into the auditd main class since parameterized classes eliminate the need for the define.
- Breaking Change

Mon Oct 28 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-11

Updated the audit base rules to compress and reorder many of the rules to allow for greater processing efficiency.
Added checks for kernel module manipulation in accordance with CCE-26610-6.
Mapped all audit rules to their associated SSG rules in the file template.

Thu Oct 03 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-11

Updated templates to reference instance variables with @

Wed Jul 17 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-10

Removed the sgid binary check in the audit rules because it doesn't actually make any sense.

Thu Jun 27 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-9

Added audit rules to catch the execution of sgid and suid binaries.
Added the ability to rate limit the auditd messages. If you use this, you probably want to change the failure mode to 1.
Added the ability to ignore failures in the audit configuration and continue and set it to true by default. Since the rules are automatically managed, the likelihood of one being wrong is fairly high. Also, rules will fail if a file doesn't exist which isn't all that helpful.
Removed the watch on /proc/kcore since it wasn't really helpful and was throwing SELinux AVC's on startup.
Added default auditing to /etc/yum.conf and /etc/yum.repos.d

Tue Apr 09 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-8

Skip any rule that does not load properly so that we have as much of the configuration active as possible.

Thu Dec 13 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-7

Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.

Fri Nov 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6

Added a cucumber test to ensure that the auditd daemon starts when including audit in the puppet server manifest.

Tue Sep 18 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-5

Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.

Thu Jun 07 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-4

Ensure that Arrays in templates are flattened.
Call facts as instance variables.
Moved mit-tests to /usr/share/simp...
Moved rsyslog module inclusion from init.pp to to_syslog.pp where it is used.
Updated pp files to better meet Puppet's recommended style guide.

Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-3

Improved test stubs.

Mon Jan 30 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2

Removed all references to 'entry' rules since they are deprecated.
Removed the watch rule for /etc/firmware since it was removed in RHEL6 and pretty much useless anyway.
Added test stubs

Mon Dec 26 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1

Scoped all of the top level variables.

Fri Oct 28 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

Removed the base audit of /etc/ldap.conf since it was redundant.

Mon Oct 10 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3

Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

Thu Mar 17 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2

Modified several audit rules to be a bit more complete and to conform to some of the Red Hat syntax standards.

Fri Feb 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1

Updated to use concat_build and concat_fragment types.

Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0

Refactored for SIMP-2.0.0-alpha release

Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2

Converting all spec files to check for directories prior to copy.

Wed Jul 28 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1

More code refactoring
Made log_file configurable in to_syslog define.

Wed May 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0

Code + doc refactor

Wed May 12 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-12

Added the option $root_audit_level to auditd::conf
- The allowed strings are basic(default), aggressive, insane
  - Basic(default): Safe, should not follow program execution outside of the base app
  - Aggressive: Adds execve
  - Insane: Adds fork, vfork, write, chown, creat, link, mkdir, rmdir

Fri Feb 19 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-11

Removed watch on /etc. That was a very bad rule.

Tue Dec 15 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-10

Audit rules now properly handle 64 and 32 bit architectures (for now). Previously, the 64 bit calls were not handled properly.

auditd - A module to manage the Audit Daemon, Kernel Parameters, and related
subsystems.

Per Section 105 of the Copyright Act of 1976, these works are not entitled to
domestic copyright protection under US Federal law.

The US Government retains the right to pursue copyright protections outside of
the United States.

The United States Government has unlimited rights in this software and all
derivatives thereof, pursuant to the contracts under which it was developed and
the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

Modules

Discover

Contribute

Resources

About Forge

Getting Started