306 lines
9.3 KiB
Markdown
306 lines
9.3 KiB
Markdown
|
---
|
||
|
title: auditd
|
||
|
type: docs
|
||
|
---
|
||
|
|
||
|
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.auditd) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
|
||
|
|
||
|
Setup the Linux Auditing System.
|
||
|
|
||
|
<!--more-->
|
||
|
|
||
|
- [Default Variables](#default-variables)
|
||
|
- [auditd_action_mail_acct](#auditd_action_mail_acct)
|
||
|
- [auditd_admin_space_left_action](#auditd_admin_space_left_action)
|
||
|
- [auditd_buffer_size](#auditd_buffer_size)
|
||
|
- [auditd_config_immutable](#auditd_config_immutable)
|
||
|
- [auditd_exclude_rule_stages](#auditd_exclude_rule_stages)
|
||
|
- [auditd_failure_mode](#auditd_failure_mode)
|
||
|
- [auditd_filter_rules_default](#auditd_filter_rules_default)
|
||
|
- [auditd_filter_rules_extra](#auditd_filter_rules_extra)
|
||
|
- [auditd_main_rules_default](#auditd_main_rules_default)
|
||
|
- [auditd_main_rules_extra](#auditd_main_rules_extra)
|
||
|
- [auditd_max_log_file](#auditd_max_log_file)
|
||
|
- [auditd_max_log_file_action](#auditd_max_log_file_action)
|
||
|
- [auditd_num_logs](#auditd_num_logs)
|
||
|
- [auditd_optional_rules_default](#auditd_optional_rules_default)
|
||
|
- [auditd_optional_rules_extra](#auditd_optional_rules_extra)
|
||
|
- [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)
|
||
|
- [auditd_space_left_action](#auditd_space_left_action)
|
||
|
- [Dependencies](#dependencies)
|
||
|
|
||
|
---
|
||
|
|
||
|
## Default Variables
|
||
|
|
||
|
### auditd_action_mail_acct
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_action_mail_acct: root
|
||
|
```
|
||
|
|
||
|
### auditd_admin_space_left_action
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_admin_space_left_action: SUSPEND
|
||
|
```
|
||
|
|
||
|
### auditd_buffer_size
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_buffer_size: 8192
|
||
|
```
|
||
|
|
||
|
### auditd_config_immutable
|
||
|
|
||
|
The auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), use this option to make the auditd configuration immutable.
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_config_immutable: false
|
||
|
```
|
||
|
|
||
|
### auditd_exclude_rule_stages
|
||
|
|
||
|
There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_exclude_rule_stages: []
|
||
|
```
|
||
|
|
||
|
#### Example usage
|
||
|
|
||
|
```YAML
|
||
|
auditd_exclude_rule_stages:
|
||
|
- 10-start.rules
|
||
|
- 90-finalize
|
||
|
```
|
||
|
|
||
|
### auditd_failure_mode
|
||
|
|
||
|
Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_failure_mode: 1
|
||
|
```
|
||
|
|
||
|
### auditd_filter_rules_default
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_filter_rules_default:
|
||
|
- comment: Ignore current working directory records
|
||
|
rule: -a always,exclude -F msgtype=CWD
|
||
|
- comment: Ignore EOE records (End Of Event, not needed)
|
||
|
rule: -a always,exclude -F msgtype=EOE
|
||
|
- comment: Cron jobs fill the logs with stuff we normally don't want
|
||
|
rule:
|
||
|
- -a never,user -F subj_type=crond_t
|
||
|
- -a exit,never -F subj_type=crond_t
|
||
|
- comment: This is not very interesting and wastes a lot of space if the server
|
||
|
is public facing
|
||
|
rule: -a always,exclude -F msgtype=CRYPTO_KEY_USER
|
||
|
- comment: High Volume Event Filter
|
||
|
rule:
|
||
|
- -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
|
||
|
- -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
|
||
|
- -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
|
||
|
- -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
|
||
|
```
|
||
|
|
||
|
### auditd_filter_rules_extra
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_filter_rules_extra: []
|
||
|
```
|
||
|
|
||
|
#### Example usage
|
||
|
|
||
|
```YAML
|
||
|
auditd_filter_rules_extra:
|
||
|
- comment: Ignore current working directory records # defaults to not set
|
||
|
rule: '-a always,exclude -F msgtype=CWD' # can be list or string
|
||
|
state: present # defaults to present
|
||
|
```
|
||
|
|
||
|
### auditd_main_rules_default
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_main_rules_default:
|
||
|
- comment: CIS 4.1.4 - Changes to the time
|
||
|
rule:
|
||
|
- -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
||
|
- -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
||
|
- -a always,exit -F arch=b64 -S clock_settime -k time-change
|
||
|
- -a always,exit -F arch=b32 -S clock_settime -k time-change
|
||
|
- -w /etc/localtime -p wa -k time-change
|
||
|
- comment: CIS 4.1.5 - Changes to user/group information
|
||
|
rule:
|
||
|
- -w /etc/group -p wa -k identity
|
||
|
- -w /etc/passwd -p wa -k identity
|
||
|
- -w /etc/gshadow -p wa -k identity
|
||
|
- -w /etc/shadow -p wa -k identity
|
||
|
- -w /etc/security/opasswd -p wa -k identity
|
||
|
- comment: CIS 4.1.6 - Changes to the network environment
|
||
|
rule:
|
||
|
- -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
|
||
|
- -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
|
||
|
- -w /etc/issue -p wa -k system-locale
|
||
|
- -w /etc/issue.net -p wa -k system-locale
|
||
|
- -w /etc/hosts -p wa -k system-locale
|
||
|
- -w /etc/network -p wa -k system-locale
|
||
|
- comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls
|
||
|
rule:
|
||
|
- -w /etc/apparmor/ -p wa -k MAC-policy
|
||
|
- -w /etc/apparmor.d/ -p wa -k MAC-policy
|
||
|
- comment: CIS 4.1.8 - Log login/logout events
|
||
|
rule:
|
||
|
- -w /var/log/faillog -p wa -k logins
|
||
|
- -w /var/log/lastlog -p wa -k logins
|
||
|
- -w /var/log/tallylog -p wa -k logins
|
||
|
- comment: CIS 4.1.9 - Log session initiation information
|
||
|
rule:
|
||
|
- -w /var/run/utmp -p wa -k session
|
||
|
- -w /var/log/wtmp -p wa -k logins
|
||
|
- -w /var/log/btmp -p wa -k logins
|
||
|
- comment: CIS 4.1.10 - Log Discretionary Access Control modifications
|
||
|
rule:
|
||
|
- -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F
|
||
|
auid!=4294967295 -k perm_mod
|
||
|
- -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F
|
||
|
auid!=4294967295 -k perm_mod
|
||
|
- -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000
|
||
|
-F auid!=4294967295 -k perm_mod
|
||
|
- -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000
|
||
|
-F auid!=4294967295 -k perm_mod
|
||
|
- -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr
|
||
|
-S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||
|
- -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr
|
||
|
-S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||
|
- comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts
|
||
|
rule:
|
||
|
- -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
|
||
|
-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||
|
- -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
|
||
|
-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||
|
- -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
|
||
|
-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||
|
- -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
|
||
|
-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||
|
- comment: CIS 4.1.13 - Log successful file system mounts
|
||
|
rule:
|
||
|
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
|
||
|
- -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
|
||
|
- comment: CIS 4.1.14 - Log file deletion Events by User
|
||
|
rule:
|
||
|
- -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F
|
||
|
auid>=1000 -F auid!=4294967295 -k delete
|
||
|
- -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F
|
||
|
auid>=1000 -F auid!=4294967295 -k delete
|
||
|
- comment: CIS 4.1.15 - Log changes to sudoers
|
||
|
rule:
|
||
|
- -w /etc/sudoers -p wa -k scope
|
||
|
- -w /etc/sudoers.d/ -p wa -k scope
|
||
|
- comment: CIS 4.1.16 - Log sudolog
|
||
|
rule:
|
||
|
- -w /var/log/sudo.log -p wa -k actions
|
||
|
- comment: CIS 4.1.17 - Log kernel module actions
|
||
|
rule:
|
||
|
- -w /sbin/insmod -p x -k modules
|
||
|
- -w /sbin/rmmod -p x -k modules
|
||
|
- -w /sbin/modprobe -p x -k modules
|
||
|
- -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
||
|
```
|
||
|
|
||
|
### auditd_main_rules_extra
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_main_rules_extra: []
|
||
|
```
|
||
|
|
||
|
### auditd_max_log_file
|
||
|
|
||
|
Maximum size of a single logfile (MB)
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_max_log_file: 10
|
||
|
```
|
||
|
|
||
|
### auditd_max_log_file_action
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_max_log_file_action: ROTATE
|
||
|
```
|
||
|
|
||
|
### auditd_num_logs
|
||
|
|
||
|
Number of logs to keep
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_num_logs: 5
|
||
|
```
|
||
|
|
||
|
### auditd_optional_rules_default
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_optional_rules_default: []
|
||
|
```
|
||
|
|
||
|
### auditd_optional_rules_extra
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_optional_rules_extra: []
|
||
|
```
|
||
|
|
||
|
### auditd_refuse_manual_stop
|
||
|
|
||
|
This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. For security reasons, this option should only be disabled for testing purposes.
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_refuse_manual_stop: true
|
||
|
```
|
||
|
|
||
|
### auditd_space_left_action
|
||
|
|
||
|
#### Default value
|
||
|
|
||
|
```YAML
|
||
|
auditd_space_left_action: SYSLOG
|
||
|
```
|
||
|
|
||
|
|
||
|
|
||
|
## Dependencies
|
||
|
|
||
|
None.
|