xoxys.auditd/README.md

# xoxys.auditd

[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)

Setup the Linux Auditing System.

## Table of content

- [Requirements](#requirements)
- [Default Variables](#default-variables)
  - [auditd_action_mail_acct](#auditd_action_mail_acct)
  - [auditd_admin_space_left_action](#auditd_admin_space_left_action)
  - [auditd_buffer_size](#auditd_buffer_size)
  - [auditd_config_immutable](#auditd_config_immutable)
  - [auditd_exclude_rule_stages](#auditd_exclude_rule_stages)
  - [auditd_failure_mode](#auditd_failure_mode)
  - [auditd_filter_rules_default](#auditd_filter_rules_default)
  - [auditd_filter_rules_extra](#auditd_filter_rules_extra)
  - [auditd_main_rules_default](#auditd_main_rules_default)
  - [auditd_main_rules_extra](#auditd_main_rules_extra)
  - [auditd_max_log_file](#auditd_max_log_file)
  - [auditd_max_log_file_action](#auditd_max_log_file_action)
  - [auditd_num_logs](#auditd_num_logs)
  - [auditd_optional_rules_default](#auditd_optional_rules_default)
  - [auditd_optional_rules_extra](#auditd_optional_rules_extra)
  - [auditd_reboot_on_change](#auditd_reboot_on_change)
  - [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)
  - [auditd_space_left_action](#auditd_space_left_action)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)

---

## Requirements

- Minimum Ansible version: `2.10`

## Default Variables

### auditd_action_mail_acct

#### Default value

```YAML
auditd_action_mail_acct: root
```

### auditd_admin_space_left_action

#### Default value

```YAML
auditd_admin_space_left_action: halt
```

### auditd_buffer_size

#### Default value

```YAML
auditd_buffer_size: 8192
```

### auditd_config_immutable

The auditd daemon is configured to use the augenrules program to read audit rules during
daemon startup (the default), use this option to make the auditd configuration immutable.

#### Default value

```YAML
auditd_config_immutable: false
```

### auditd_exclude_rule_stages

There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize

#### Default value

```YAML
auditd_exclude_rule_stages: []
```

#### Example usage

```YAML
auditd_exclude_rule_stages:
  - 10-start.rules
  - 90-finalize
```

### auditd_failure_mode

Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)

#### Default value

```YAML
auditd_failure_mode: 1
```

### auditd_filter_rules_default

#### Default value

```YAML
auditd_filter_rules_default:
  - comment: Ignore current working directory records
    rule: -a always,exclude -F msgtype=CWD
  - comment: Ignore EOE records (End Of Event, not needed)
    rule: -a always,exclude -F msgtype=EOE
  - comment: Cron jobs fill the logs with stuff we normally don't want
    rule:
      - -a never,user -F subj_type=crond_t
      - -a exit,never -F subj_type=crond_t
  - comment: This is not very interesting and wastes a lot of space if the server
      is public facing
    rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
  - comment: High Volume Event Filter
    rule:
      - -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
      - -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
      - -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
      - -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
```

### auditd_filter_rules_extra

#### Default value

```YAML
auditd_filter_rules_extra: []
```

#### Example usage

```YAML
auditd_filter_rules_extra:
  - comment: Ignore current working directory records # defaults to not set
    rule: '-a always,exclude -F msgtype=CWD' # can be list or string
    state: present # defaults to present
```

### auditd_main_rules_default

#### Default value

```YAML
auditd_main_rules_default:
  - comment: CIS 4.1.3.1 - Changes to system administration scope
    rule:
      - -w /etc/sudoers -p wa -k actions
      - -w /etc/sudoers.d/ -p wa -k actions
  - comment: CIS 4.1.3.4 - Events that modify date and time information
    rule:
      - -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
      - -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k
        time_change
      - -w /etc/localtime -p wa -k time-change
  - comment: CIS 4.1.3.5 - Changes to the network environment
    rule:
      - -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
      - -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
      - -w /etc/issue -p wa -k system-locale
      - -w /etc/issue.net -p wa -k system-locale
      - -w /etc/hosts -p wa -k system-locale
      - -w /etc/sysconfig/network -p wa -k system-locale
      - -w /etc/sysconfig/network-scripts/ -p wa -k system-locale
  - comment: CIS 4.1.3.7 - Unsuccessful file access attempts
    rule:
      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
        -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
        -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES
        -F auid>=1000 -F auid!=unset -k access
      - -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM
        -F auid>=1000 -F auid!=unset -k access
  - comment: CIS 4.1.3.8 - Modify user/group information
    rule:
      - -w /etc/group -p wa -k identity
      - -w /etc/passwd -p wa -k identity
      - -w /etc/gshadow -p wa -k identity
      - -w /etc/shadow -p wa -k identity
      - -w /etc/security/opasswd -p wa -k identity
  - comment: CIS 4.1.3.9 - Discretionary access control permission modifications
    rule:
      - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
        -F key=perm_mod
      - -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F
        auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset
        -F key=perm_mod
      - -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F
        auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
        -F auid>=1000 -F auid!=unset -F key=perm_mod
      - -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
        -F auid>=1000 -F auid!=unset -F key=perm_mod
  - comment: CIS 4.1.3.10 - Successful file system mounts
    rule:
      - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
      - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
  - comment: CIS 4.1.3.11 - Session initiation information
    rule:
      - -w /var/run/utmp -p wa -k session
      - -w /var/log/wtmp -p wa -k logins
      - -w /var/log/btmp -p wa -k logins
  - comment: CIS 4.1.3.12 - Login and logout events
    rule:
      - -w /var/log/lastlog -p wa -k logins
      - -w /var/log/tallylog -p wa -k logins
      - -w /var/run/faillock -p wa -k logins
  - comment: CIS 4.1.3.13 - File deletion events by users
    rule:
      - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000
        -F auid!=unset -k delete
      - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000
        -F auid!=unset -k delete
  - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
    rule:
      - -w /etc/selinux/ -p wa -k MAC-policy
      - -w /usr/share/selinux/ -p wa -k MAC-policy
  - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
    rule:
      - -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000
        -F auid!=unset -k kernel_modules
      - -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000
        -F auid!=unset -k kernel_modules
      - -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
      - -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules
      - -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset
        -k kernel_modules
```

### auditd_main_rules_extra

#### Default value

```YAML
auditd_main_rules_extra: []
```

### auditd_max_log_file

Maximum size of a single logfile (MB)

#### Default value

```YAML
auditd_max_log_file: 10
```

### auditd_max_log_file_action

#### Default value

```YAML
auditd_max_log_file_action: rotate
```

### auditd_num_logs

Number of logs to keep

#### Default value

```YAML
auditd_num_logs: 5
```

### auditd_optional_rules_default

#### Default value

```YAML
auditd_optional_rules_default: []
```

### auditd_optional_rules_extra

#### Default value

```YAML
auditd_optional_rules_extra: []
```

### auditd_reboot_on_change

#### Default value

```YAML
auditd_reboot_on_change: false
```

### auditd_refuse_manual_stop

This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
For security reasons, this option should only be disabled for testing purposes.

#### Default value

```YAML
auditd_refuse_manual_stop: true
```

### auditd_space_left_action

#### Default value

```YAML
auditd_space_left_action: email
```

## Dependencies

None.

## License

MIT

## Author

[Robert Kaussow](https://gitea.rknet.org/xoxys)
initial commit 2022-09-23 21:03:22 +00:00			`# xoxys.auditd`
[skip ci] automated docs update 2024-02-18 19:42:37 +00:00
			`[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)`
			`[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)`

			`Setup the Linux Auditing System.`

			`## Table of content`

			`- [Requirements](#requirements)`
			`- [Default Variables](#default-variables)`
			`- [auditd_action_mail_acct](#auditd_action_mail_acct)`
			`- [auditd_admin_space_left_action](#auditd_admin_space_left_action)`
			`- [auditd_buffer_size](#auditd_buffer_size)`
			`- [auditd_config_immutable](#auditd_config_immutable)`
			`- [auditd_exclude_rule_stages](#auditd_exclude_rule_stages)`
			`- [auditd_failure_mode](#auditd_failure_mode)`
			`- [auditd_filter_rules_default](#auditd_filter_rules_default)`
			`- [auditd_filter_rules_extra](#auditd_filter_rules_extra)`
			`- [auditd_main_rules_default](#auditd_main_rules_default)`
			`- [auditd_main_rules_extra](#auditd_main_rules_extra)`
			`- [auditd_max_log_file](#auditd_max_log_file)`
			`- [auditd_max_log_file_action](#auditd_max_log_file_action)`
			`- [auditd_num_logs](#auditd_num_logs)`
			`- [auditd_optional_rules_default](#auditd_optional_rules_default)`
			`- [auditd_optional_rules_extra](#auditd_optional_rules_extra)`
			`- [auditd_reboot_on_change](#auditd_reboot_on_change)`
			`- [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)`
			`- [auditd_space_left_action](#auditd_space_left_action)`
			`- [Dependencies](#dependencies)`
			`- [License](#license)`
			`- [Author](#author)`

			`---`

			`## Requirements`

			- Minimum Ansible version: `2.10`

			`## Default Variables`

			`### auditd_action_mail_acct`

			`#### Default value`

			```YAML
			`auditd_action_mail_acct: root`
			```

			`### auditd_admin_space_left_action`

			`#### Default value`

			```YAML
			`auditd_admin_space_left_action: halt`
			```

			`### auditd_buffer_size`

			`#### Default value`

			```YAML
			`auditd_buffer_size: 8192`
			```

			`### auditd_config_immutable`

			`The auditd daemon is configured to use the augenrules program to read audit rules during`
			`daemon startup (the default), use this option to make the auditd configuration immutable.`

			`#### Default value`

			```YAML
			`auditd_config_immutable: false`
			```

			`### auditd_exclude_rule_stages`

			`There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:`
			`10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize`

			`#### Default value`

			```YAML
			`auditd_exclude_rule_stages: []`
			```

			`#### Example usage`

			```YAML
			`auditd_exclude_rule_stages:`
			`- 10-start.rules`
			`- 90-finalize`
			```

			`### auditd_failure_mode`

			`Possible values: 0 (silent) \| 1 (printk, print a failure message) \| 2 (panic, halt the system)`

			`#### Default value`

			```YAML
			`auditd_failure_mode: 1`
			```

			`### auditd_filter_rules_default`

			`#### Default value`

			```YAML
			`auditd_filter_rules_default:`
			`- comment: Ignore current working directory records`
			`rule: -a always,exclude -F msgtype=CWD`
			`- comment: Ignore EOE records (End Of Event, not needed)`
			`rule: -a always,exclude -F msgtype=EOE`
			`- comment: Cron jobs fill the logs with stuff we normally don't want`
			`rule:`
			`- -a never,user -F subj_type=crond_t`
			`- -a exit,never -F subj_type=crond_t`
			`- comment: This is not very interesting and wastes a lot of space if the server`
			`is public facing`
			`rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER`
			`- comment: High Volume Event Filter`
			`rule:`
			`- -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess`
			`- -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess`
			`- -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm`
			`- -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm`
			```

			`### auditd_filter_rules_extra`

			`#### Default value`

			```YAML
			`auditd_filter_rules_extra: []`
			```

			`#### Example usage`

			```YAML
			`auditd_filter_rules_extra:`
			`- comment: Ignore current working directory records # defaults to not set`
			`rule: '-a always,exclude -F msgtype=CWD' # can be list or string`
			`state: present # defaults to present`
			```

			`### auditd_main_rules_default`

			`#### Default value`

			```YAML
			`auditd_main_rules_default:`
			`- comment: CIS 4.1.3.1 - Changes to system administration scope`
			`rule:`
			`- -w /etc/sudoers -p wa -k actions`
			`- -w /etc/sudoers.d/ -p wa -k actions`
			`- comment: CIS 4.1.3.4 - Events that modify date and time information`
			`rule:`
			`- -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change`
			`- -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k`
			`time_change`
			`- -w /etc/localtime -p wa -k time-change`
			`- comment: CIS 4.1.3.5 - Changes to the network environment`
			`rule:`
			`- -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale`
			`- -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale`
			`- -w /etc/issue -p wa -k system-locale`
			`- -w /etc/issue.net -p wa -k system-locale`
			`- -w /etc/hosts -p wa -k system-locale`
			`- -w /etc/sysconfig/network -p wa -k system-locale`
			`- -w /etc/sysconfig/network-scripts/ -p wa -k system-locale`
			`- comment: CIS 4.1.3.7 - Unsuccessful file access attempts`
			`rule:`
			`- -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES`
			`-F auid>=1000 -F auid!=unset -k access`
			`- -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM`
			`-F auid>=1000 -F auid!=unset -k access`
			`- -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES`
			`-F auid>=1000 -F auid!=unset -k access`
			`- -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM`
			`-F auid>=1000 -F auid!=unset -k access`
			`- comment: CIS 4.1.3.8 - Modify user/group information`
			`rule:`
			`- -w /etc/group -p wa -k identity`
			`- -w /etc/passwd -p wa -k identity`
			`- -w /etc/gshadow -p wa -k identity`
			`- -w /etc/shadow -p wa -k identity`
			`- -w /etc/security/opasswd -p wa -k identity`
			`- comment: CIS 4.1.3.9 - Discretionary access control permission modifications`
			`rule:`
			`- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset`
			`-F key=perm_mod`
			`- -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F`
			`auid!=unset -F key=perm_mod`
			`- -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset`
			`-F key=perm_mod`
			`- -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F`
			`auid!=unset -F key=perm_mod`
			`- -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr`
			`-F auid>=1000 -F auid!=unset -F key=perm_mod`
			`- -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr`
			`-F auid>=1000 -F auid!=unset -F key=perm_mod`
			`- comment: CIS 4.1.3.10 - Successful file system mounts`
			`rule:`
			`- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts`
			`- -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts`
			`- comment: CIS 4.1.3.11 - Session initiation information`
			`rule:`
			`- -w /var/run/utmp -p wa -k session`
			`- -w /var/log/wtmp -p wa -k logins`
			`- -w /var/log/btmp -p wa -k logins`
			`- comment: CIS 4.1.3.12 - Login and logout events`
			`rule:`
			`- -w /var/log/lastlog -p wa -k logins`
			`- -w /var/log/tallylog -p wa -k logins`
			`- -w /var/run/faillock -p wa -k logins`
			`- comment: CIS 4.1.3.13 - File deletion events by users`
			`rule:`
			`- -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000`
			`-F auid!=unset -k delete`
			`- -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000`
			`-F auid!=unset -k delete`
			`- comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls`
			`rule:`
			`- -w /etc/selinux/ -p wa -k MAC-policy`
			`- -w /usr/share/selinux/ -p wa -k MAC-policy`
			`- comment: CIS 4.1.3.19 - Kernel module loading unloading and modification`
			`rule:`
			`- -a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000`
			`-F auid!=unset -k kernel_modules`
			`- -a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000`
			`-F auid!=unset -k kernel_modules`
			`- -a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules`
			`- -a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules`
			`- -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset`
			`-k kernel_modules`
			```

			`### auditd_main_rules_extra`

			`#### Default value`

			```YAML
			`auditd_main_rules_extra: []`
			```

			`### auditd_max_log_file`

			`Maximum size of a single logfile (MB)`

			`#### Default value`

			```YAML
			`auditd_max_log_file: 10`
			```

			`### auditd_max_log_file_action`

			`#### Default value`

			```YAML
			`auditd_max_log_file_action: rotate`
			```

			`### auditd_num_logs`

			`Number of logs to keep`

			`#### Default value`

			```YAML
			`auditd_num_logs: 5`
			```

			`### auditd_optional_rules_default`

			`#### Default value`

			```YAML
			`auditd_optional_rules_default: []`
			```

			`### auditd_optional_rules_extra`

			`#### Default value`

			```YAML
			`auditd_optional_rules_extra: []`
			```

			`### auditd_reboot_on_change`

			`#### Default value`

			```YAML
			`auditd_reboot_on_change: false`
			```

			`### auditd_refuse_manual_stop`

			`This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.`
			`For security reasons, this option should only be disabled for testing purposes.`

			`#### Default value`

			```YAML
			`auditd_refuse_manual_stop: true`
			```

			`### auditd_space_left_action`

			`#### Default value`

			```YAML
			`auditd_space_left_action: email`
			```

			`## Dependencies`

			`None.`

			`## License`

			`MIT`

			`## Author`

			`[Robert Kaussow](https://gitea.rknet.org/xoxys)`